• Unable to SSH / FTP to the Server

    1
    0 Votes
    1 Posts
    289 Views
    No one has replied
  • ONVIF camera stream not routed correctly

    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • pfsense with outlook mail and dual WAN

    1
    0 Votes
    1 Posts
    415 Views
    No one has replied
  • Please check my configuration and Rule orders

    2
    0 Votes
    2 Posts
    592 Views
    D
    @eeebbune I personally do not use floating rules as the general advice is to use more explicit rules on individual interfaces. However, based on my reading of this (link) [image] I think that what you have here might be incorrect: [image] I think the correct order is: Floating Rules (Quick); Floating Rules (Non-Quick, Last Match); Interface Group Rules; Interface Rules. More info on the rules processing order can be found here: https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#rule-processing-order If I am correct, then it would appear to me that what might be happening is that in the "any" direction all traffic is being blocked by your rule and the traffic never makes it to the interfaces. Bear in mind that I have minimal experience with floating rules and would certainly defer to others that have more experience with them.
  • Whatsapp Voice Calls Not working after upgrading to version 2.60

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @tchingwe said in Whatsapp Voice Calls Not working after upgrading to version 2.60: "Hi Gertjan, it makes sense, let me try that, thanks"
    Or Suricata, as you said you were using that. Both Snort and Suricata use the same built-in snort2c pf table when blocking using the Legacy Blocking Mode option. Also be aware that simply stopping the Suricata or Snort service will NOT remove any existing blocks when using Legacy Mode. Legacy Mode blocking works by telling the pfSense firewall to place the IP address from the alerts into the built-in snort2c table in the firewall. Once an IP is in that table, the IP will be continually blocked until removed from the table. You can remove IPs from the table manually (by clearing blocks on the BLOCKS tab), by using the option under DIAGNOSTICS > TABLES in the pfSense menu, by rebooting the firewall (which clears the table because it is a RAM construct), or by enabling the option on the GLOBAL SETTINGS tab to remove blocked hosts on some periodic interval. That latter method is what I recommend. Set that value on the GLOBAL SETTINGS tab to 15 or 30 minutes (or maybe an hour if you are paranoid).
  • Latency spikes every 15 minutes after upgrade to 2.6.0 CE

    5
    0 Votes
    5 Posts
    765 Views
    S
    @encrypt1d said in Latency spikes every 15 minutes after upgrade to 2.6.0 CE: "Is this a known issue"
    Install the new System Patches package and the "recommended" patch: Disable pf counter data preservation to temporarily work around latency when reloading large rulesets (Redmine #12827)
  • Squid (not transparent) bypasses firewall

    3
    0 Votes
    3 Posts
    587 Views
    A
    To answer my own question: "Allow users on interface" in the "General" tab of squid is checked by default. If you remove that setting, you have to create rules to allow users to access the proxy server. I should have paid closer attention to the settings.
  • Block Everything, except NTP

    7
    0 Votes
    7 Posts
    2k Views
    G
    @gertjan said in Block Everything, except NTP:
    @gregoinc said in Block Everything, except NTP: "The block from the internet works, but I cannot get the allow NTP to work?"
    You could block all 'Internet' access, NTP included. Fire up the NTP server on pfSense. Check if it works. Add a firewall rule that permits traffic from any device to pfSense (destination Firewall itself), protocol UDP, destination port 123. Tell the DHCP server that it should give NTP IP when it deals out a lease: [image] Where 192.168.1.1 is the IP LAN of pfSense. Now your LAN devices will use (should use) pfSense as a time source.
    Hello Gertjan, I tried your suggestion and it works like a charm. Appreciate all the feedback on this topic, was great to see all the information sharing. Thanks, Mark
  • New install, RDP Ping rules not working

    14
    0 Votes
    14 Posts
    1k Views
    L
    @viragomann so this is working now but I am not entirely sure how. I kind of stumbled on the "fix". I have a Google Nest for home wifi with multiple APs around the house. This Nest router has its own DHCP service on the 192.168.86.0/24 network. Anyway, if I put my test device on this network everything works as expected with pfsense. I don't know if it is because it is a different network to the WAN interface of the pfsense.
  • Block: Russian & Belarus IPs

    6
    0 Votes
    6 Posts
    2k Views
    C
    @johnpoz second this. Best method to do blocking of this nature, you don't have to fiddle around worrying about keeping it up to date either as PfBlocker will check those lists for you. Get pfblocker, sign up to MaxMind and away you go. Automated and dynamic, exactly how networking should be!
  • ADFS not working on pfSense-managed Network

    2
    0 Votes
    2 Posts
    586 Views
    C
    @kkit Not sure if you've figured this out or not yet, but do you have any info on how your 'Guest' network is configured? Is this a guest wireless network which is in captive portal mode? If so, that will initially intercept the traffic and fire you to the portal page you've set up in pfsense to authenticate your session; you won't have any access until you've authenticated your session. Just missing the info on how the guest network is set up to know for sure what the problem is.
  • Proper URL filtering and Reporting

    4
    0 Votes
    4 Posts
    628 Views
    KOMK
    @michmoor Lightsquid creates reports based on web usage from squid's logs.
  • pfBlockerNG-devel 3.1.0_1 ===> BLOCK geographical Region

    6
    0 Votes
    6 Posts
    999 Views
    S
    Can also be done directly from the IPv4 tab: [image] or GeoIP/Asia.
  • pfSense as Firewall only?

    34
    0 Votes
    34 Posts
    10k Views
    uxmU
    @johnpoz ok. I will try to find a way to bridge it. I want to have pfsense in front of my network. As you said in another post. I think that this is the right way. Thank you very much!
  • pfsense on vmware with server Microsoft 2019

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • can not get PfBlockerNG to actually block ads

    5
    0 Votes
    5 Posts
    995 Views
    A
    @menethoran Check the below information for reference.
    1. PfblockerNG-Devel version is installed
    2. Your DNS on LAN is your local firewall DNS not Public DNS
    3. Do not forward upstream DNS to public or ISP DNS on General Setting 127.0.0.1 is default and fallback to remote DNS.
    4. For Ads use DNSBL UT1 and Shallalist for enable ADs feed.
    5. Python mode must be set for great results.
  • No access to SQLServer and MS Shared Folder

    9
    0 Votes
    9 Posts
    1k Views
    D
    @johnpoz said in No access to SQLServer and MS Shared Folder: "When you changed the gateway of your PC - ie exchanged your ipfire for pfsense, it's quite possible it changed to public policy vs private policy.. Even if the IP of the address of the gateway was the same, the mac address would have changed - and this could trigger the PC firewall to flip its policy.."
    Yours is an interesting opinion to be held in high regard in the future. Thank you.
  • Limit number of UDP connections per IP?

    4
    0 Votes
    4 Posts
    643 Views
    JKnottJ
    @madmaxpr You'd have to check addresses or ports. No idea about that though.
  • This Firewall (self) not working

    8
    0 Votes
    8 Posts
    1k Views
    chpalmerC
    Yep.. I was wrong above. https://docs.netgate.com/pfsense/en/latest/firewall/configure.html Look under "Destinations"..
  • Two interfaces but one only works when the other is disabled

    1
    0 Votes
    1 Posts
    186 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.