• Interface Groups and dns redirect

    0 Votes
    4 Posts
    271 Views
    johnpoz

    @CatSpecial202 said in Interface Groups and dns redirect:

    What makes individual rules per interface easier to troubleshoot?

    because you're looking in 1 place for all the rules that could affect traffic coming into this interface, vs looking at groups: is this interface in that group? Is the group rule correct for the source IP into the specific interface? etc..

    But hey you do you.. Doing this since there were firewalls, before actually - when they were just packet filters.. And seeing all the rules in one place in the specific order they are applied is easier ;)

  • *Allow* IOS Facetime/iMessage Home Network

    0 Votes
    10 Posts
    2k Views
    tinfoilmatt

    @michmoor said in *Allow* IOS Facetime/iMessage Home Network:

    Why would anyone need to create firewall rules for IoT device(s) ?

    If you need to ask...

  • Firewall rules for Guests network on IPv6?

    0 Votes
    11 Posts
    898 Views
    JKnott

    @johnpoz said in Firewall rules for Guests network on IPv6?:

    You want a simple solution - don't give your guests an IPv6 address ;)

    For a simple solution, look at my post of my guest WiFi rules.

  • Subnet & Address w/ source and destination of firewall rules

    0 Votes
    8 Posts
    602 Views
    chpalmer

    @CatSpecial202 No. If you do not have any rules then everything is denied by default. Once you start adding rules then the top rule is parsed first.

    block
    block
    block
    then "allow all" that does not violate the block rule(s) above it.

    Anything not expressly stated by the rules above then hits the default deny rule.

  • 0 Votes
    18 Posts
    2k Views

    @Wylbur

    Sorry I replied to the wrong person. But I think you were also having a similar problem.

  • Alias Entries Are Not Being Added To The Tables (Even Hardcoded IPs)

    0 Votes
    30 Posts
    2k Views
    bmeeks

    @dark-baritone said in Alias Entries Are Not Being Added To The Tables (Even Hardcoded IPs):

    I searched and it looks like it's already being tracked: https://redmine.pfsense.org/issues/15708

    Ha! That's probably where I ran across the mention of a FreeBSD limit 🙂. I didn't recall where I had seen that, but it probably was that Redmine ticket.

    Getting old and so easily forgetting stuff is such a pain in the rear -- 😭

  • Can't block IPs - must be missing something

    0 Votes
    6 Posts
    384 Views
    bmeeks

    @Zululander said in Can't block IPs - must be missing something:

    Reading online I could apparently achieve same subnet blocking if I used pFsense in Bridge mode but VLANning seems to make more sense to me.

    Generally the use of bridges should be avoided if at all possible. They can introduce other weird issues besides being a bit of a CPU burden in high traffic conditions. A dedicated Ethernet switch can do the job much better. Use VLANs or some other dedicated interface port on the firewall if you want to segregate traffic.

  • Pfsense with Modsecurity

    0 Votes
    1 Posts
    234 Views
    No one has replied

  • Firewall log: exact IP match

    0 Votes
    6 Posts
    403 Views

    @jimp

    Hi Jimp, I didn't post previous screen for security reasons, entries were present ;)
    In any case, I tried your command for multiple grep matches and it works!
    Thank you a lot!
    Have a nice day.
    Giuseppe


  • [resolved]accessing internal site from external IP

    0 Votes
    6 Posts
    6k Views

    @mrfibreoptic I am sorry for replying to a quite old thread, not even sure how I got here. But I am a "historian" and can demystify ancient fables. (if you read cursive, the national archives has a job for you). I'd like to provide at least 1 solution that will solve this for people, so the thread is not a dead end.

    This is a common situation that companies run into. They create a local domain called "AnyRandomCompany.com" and join all of their local computers to that domain and then later purchase the public domain which has the same name for their customers/public to access their web site.

    A lot of times, the routing will work where they can access the External IP address that the public DNS records are pointing to, but in many other cases (depending on the router/firewall) they cannot.

    If you find yourself in this situation, the best solution is to run your own Internal DNS server or forwarder.

    A dedicated DNS server (such as PiHole) can have Static DNS entries created that will resolve BEFORE asking the public DNS servers. You can create the Internal DNS A record using the Internal (rather than the External/NAT) IP address.

    Many Routers (some people call them Access Points/Modems) also have this capability. Some will call it DNS Forwarder others DNS Records. Some may even call them "Forward lookup zones". The key is to create a local DNS record that your internal hosts can resolve locally while the public DNS records are stored on public DNS servers.

    If you only have a single computer or two on your network that need to use the private IP address (not the public one) then you can also modify your hosts file and add an entry for "123.123.123.123 AnyRandomCompany.com"

    Hope this helps a few people in the future.

  • Squid port 3128 and Firewall Rules

    0 Votes
    27 Posts
    6k Views
    JonathanLee

    Could it be set flags SYN ACK? And/or state type keep or sloppy?

  • Allow Connections to Linux Update Servers

    0 Votes
    2 Posts
    228 Views
    johnpoz

    @sfsdfsdfsdf said in Allow Connections to Linux Update Servers:

    Is there a way to allow a Domain in PfSense ?

    you can create an alias with the fqdn you want to allow, those are updated like every 5 minutes.. You can run into a problem sometimes when/if the clients and this list are not in sync and the client tries to talk to a different IP than what is in the alias - more likely if the client doesn't use pfsense as its dns, etc.

    But normally that should work.

    While the IPs might change around a bit, ie round robin sort of thing.. They most likely don't really change and you could point to just 1 or a few of those IPs.. You could create your host override records in pfsense for specific fqdn you use to get your updates, so clients would always go to one of those IPs and you can allow those.

  • Default deny rule drops is triggered on localhost connection

    0 Votes
    1 Posts
    169 Views
    No one has replied

  • SSL Certifications Not Trusted On My System

    0 Votes
    6 Posts
    455 Views

    @Gertjan @johnpoz

    Greetings,

    I appreciate both of you! My FQDN wasn't matching, that's all. I briefly got a DNS rebind error, but added the domain to the Alternate Hostnames list. So far, everything is working! Thanks so much!

  • Xiaomi Home Camera Access from Mobilenet

    0 Votes
    1 Posts
    169 Views
    No one has replied

  • PFSense Firewall setup help needed!

    0 Votes
    5 Posts
    1k Views

    @Gertjan thanks for the reply!

  • IGMP for IPTV Blocked even though allowed?

    0 Votes
    2 Posts
    240 Views

    Solved! I had missed the "allow IP" function for IPV4 traffic as well as the standalone IGMP rule. As soon as I enabled that it worked straight away!

  • Communication between LAN and VLANs, they don't talk each other

    0 Votes
    13 Posts
    716 Views
    johnpoz

    @mvhcr it's not a bad little switch for the price and size.. But after playing with it a couple of years back I think I couldn't find a use in my network. So just threw it on the shelf and figured hey never know when a poe-powered switch with vlan support might come in handy ;)

    Then a while back I noticed in my sg300-10 logs an interface bouncing on a regular basis, it was only for a couple of seconds.. And I wasn't really noticing any issues with viewing my camera feeds directly, etc.

    But then it dawned on me - hey that nvr is prob doing something trying to get poe working because it really expects a poe camera to be on the port.. So I put the little mini between with it being powered by the nvr and all the resets on the interface went away on my sg300 and now sending 1000s of pings never lost one, before I was losing a couple of pings every minute or 2, etc.

    But yeah unifi has changed some things over the last couple of years on how you do a "trunk" port.. Not really a fan of how they do switching.. Which was another reason I really didn't feel a need to incorporate that flex mini into my network.

    And you can't really do just specific vlans - it's all or nothing. I believe on some of their higher end switches you can customize what vlans are allowed over the trunk - see that custom in my above pic - which is greyed out on the mini.

    I might try and leave the mini in my controller - but have to figure out how to get it to get an IP from the vlan my controller is on vs the nvr dhcp server.. Curious if I set it to static if that will survive a power cycle - then I could remove the usb power and just leave it poe powered ;)

  • Fields for IPv6 logging entries

    0 Votes
    5 Posts
    486 Views

    @securvark said in Fields for IPv6 logging entries:

    IPv6 ICMP
    regular expression: ^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$

    RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

    Sorry for replying to an old thread - but I found this useful just now when setting up my Graylog extractors.

    I did spot an error - pointing it out in case someone else comes across this post in the future.

    IPv6 ICMP should be:

    RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

    Here is an example log entry from a ping6 through the firewall (with the IPv6 addresses obfuscated for my privacy):

    197,,,1657748622,igb1,match,pass,in,6,0x00,0x50900,55,ICMPv6,58,64,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,
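
    The corrected field list above, applied in code as an added example (not part of the thread, not Graylog's extractor and not pfSense's own code): a small Python parser that selects IPv6 ICMPv6 filterlog entries with the post's regular expression and names each comma-separated field. It assumes the syslog message still carries the `filterlog:` program prefix that the regex keys on, and that the two `.*` quantifiers in the quoted regex were eaten by markdown rendering. The first sample line re-uses the values from the post's obfuscated ping6 entry; the second is a constructed IPv6 TCP entry that exists only to show the selector rejecting a non-ICMPv6 line.

```python
"""Parse pfSense filterlog IPv6 ICMPv6 entries into the named fields from the post above."""
import re
from typing import Optional

# Field names for an IPv6 ICMPv6 entry, in the order given in the corrected list.
IPV6_ICMP_FIELDS = [
    "RuleNumber", "SubRuleNumber", "Anchor", "Tracker", "Interface", "Reason",
    "Action", "Direction", "IPVersion", "Class", "FlowLabel", "HopLimit",
    "Protocol", "ProtocolID", "Length", "SourceIP", "DestIP", "UnknownFld",
]

# Selector regex from the post, with the ".*" quantifiers assumed lost to markdown restored.
IPV6_ICMP_RE = re.compile(r"^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$")

# Constructed sample syslog payloads. The first re-uses the post's obfuscated values;
# the second is a made-up IPv6 TCP entry that the selector should reject.
SAMPLE_LINES = [
    "filterlog: 197,,,1657748622,igb1,match,pass,in,6,0x00,0x50900,55,ICMPv6,58,64,"
    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,",
    "filterlog: 12,,,1657748700,igb1,match,block,in,6,0x00,0x00000,64,TCP,6,80,"
    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,",
]


def parse_ipv6_icmp(line: str) -> Optional[dict]:
    """Return the named fields of an IPv6 ICMPv6 filterlog line, or None when the
    selector regex does not match. Numeric header fields are converted to int
    (Class and FlowLabel are logged as hex); everything else stays a string."""
    if not IPV6_ICMP_RE.match(line):
        return None
    payload = line.split("filterlog:", 1)[1].strip()
    values = payload.split(",")
    if len(values) < len(IPV6_ICMP_FIELDS):
        raise ValueError(
            f"expected at least {len(IPV6_ICMP_FIELDS)} fields, got {len(values)}"
        )
    record = dict(zip(IPV6_ICMP_FIELDS, values))
    for name in ("RuleNumber", "Tracker", "IPVersion", "HopLimit", "ProtocolID", "Length"):
        record[name] = int(record[name])
    for name in ("Class", "FlowLabel"):
        record[name] = int(record[name], 16)
    return record


def summarize(record: dict) -> str:
    """One-line human summary of a parsed record, handy for a quick sanity check of the
    extractor before wiring the fields into dashboards."""
    return (
        f"rule {record['RuleNumber']} {record['Action']} {record['Direction']} "
        f"{record['Interface']} {record['Protocol']} "
        f"{record['SourceIP']} -> {record['DestIP']} hoplimit={record['HopLimit']}"
    )


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_ipv6_icmp(sample)
        print(summarize(parsed) if parsed else "rejected by selector")
```

Run on the first sample, the parser yields `HopLimit` 55, `ProtocolID` 58 and an empty trailing `UnknownFld`, which is the quick way to confirm the field order is right before trusting the extractor on live logs: if `HopLimit` comes out as a hex string or `Protocol` lands in the `ProtocolID` slot, the TOS/ECN/TTL ordering from the older list is still in place.
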
  • network alias blocks more than defined

    0 Votes
    16 Posts
    828 Views

    @johnpoz super!
    You helped me a lot. I will have a look at pfblocker and check the alias again.

    Thanks for help!
    Stefan

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.