• Googletagmanager google-analytics and gstatic

    url privacy ccpa gdpr
    3
    0 Votes
    3 Posts
    342 Views
    JonathanLeeJ
    I wonder if this is related to the Google analytics.
  • using !rfc1918 won't work?

    13
    2
    0 Votes
    13 Posts
    712 Views
    Bob.DigB
    @houseofdreams said in using !rfc1918 won't work?: But as I said, I already got the idea that this isn't going to be possible without major changes, or am I wrong? You are right this time. If you want to separate all servers from each other, every server needs its own (V)LAN. I do this too.
  • Blocking ICMP doesn't work (in some cases) ?

    5
    0 Votes
    5 Posts
    292 Views
    johnpozJ
    @houseofdreams as mentioned, pfSense is not involved in communications between devices on the same network. Put them in different VLANs, or you would have to do something on your ESXi to keep them from talking. I think VMware NSX can do what you would call a private VLAN or micro-segmentation, and keep them from talking. But there is nothing pfSense can do, unless the traffic goes across pfSense interfaces.
  • Unable to connect to a docker container on host from a VM across VLAN

    9
    2
    0 Votes
    9 Posts
    659 Views
    I
    @patient0 So the only server that is not on VLAN 10 is my host which is EDITH, but in this scenario all VMs are on VLAN 10. The only thing that doesn't seem to work is connecting from VLAN 10 VM to a docker container port on the host.
  • Inbound VoIP calls not connecting due to fragmentation

    13
    2
    0 Votes
    13 Posts
    933 Views
    P
    @JonathanLee @w0w thanks I'll give this a try
  • Simple way to open up SSH port from LAN to DMZ

    36
    0 Votes
    36 Posts
    3k Views
    JonathanLeeJ
    @johnpoz I saw it wouldn't let me set it to the port I needed so I improvised. That time thing only occurred when I was doing my AA in cyber security; we had so many labs and also a red blue team exercise, so I would not be surprised if an instructor wanted to expand our knowledge and see if someone went to authenticated NTP. Who knows. It was cool to be part of the nist.gov stuff. I know the latest software revision now includes the NTP stuff. I wonder if others had concerns also. The reason I NAT NTP is because not everything uses the firewall, but it will use it when requests are NATed to it. Example: Windows 11 and Raspberry Pi request some specific sites. Yes, I could add a DNS override for them, but I just NAT any requests to the firewall and it uses the nist.gov encrypted time system. So it gets secure time. The systems get the right time and it works. It seems tinfoil hat, but no issues with time jumps ever again.
  • Aliases stopped working

    5
    0 Votes
    5 Posts
    1k Views
    S
    I know this is an old thread but since I happened across it searching for solutions to my issue I thought I'd link this for anyone else happening by: https://docs.netgate.com/pfsense/en/latest/troubleshooting/filterdns-thread-errors.html
  • Limit torrent to microsoft update only

    4
    0 Votes
    4 Posts
    540 Views
    R
    Thanks @Gertjan for replying. Previously, when the MAC addresses of all devices were required to be registered, I divided the bandwidth into different limiters and assigned the high bandwidth users together into a limiter. But this resulted in a lower available bandwidth for the other users. The current setup is because of a management decision to: (1) remove the MAC address registration of users' devices, and (2) remove the limiters so that if only one device was connected then that one device gets to use all the bandwidth. I think the "acceptable use" document buy-in from management is my best option for now. But if I understand correctly this can't be enforced because there's no way to know if a device was connecting to torrent. Still, thank you very much for replying and sharing knowledge :)
  • Restricting subnets from communicating

    10
    1
    0 Votes
    10 Posts
    728 Views
    M
    @patient0 Subnetting works but you've correctly pointed out the security risk. I'll re-evaluate the vlan option
  • Default deny rule IPv4 (1000000103)

    6
    2
    0 Votes
    6 Posts
    423 Views
    johnpozJ
    @hasekd glad you got it sorted.
  • Static route on SG-2100

    3
    0 Votes
    3 Posts
    386 Views
    K
    @viragomann Thank you. I am new in networks. I thought that Local Networks means Tunnel network. I inserted 192.168.50.0/24 into Local Networks and it works.
  • Problems with rules between networks

    7
    0 Votes
    7 Posts
    530 Views
    V
    @johnpoz Thank you so much, all solved. I learned something else. Thanks again
  • Oddity with Firewall Rule

    2
    0 Votes
    2 Posts
    210 Views
    J
    Found this in the logs: There were error(s) loading the rules: /tmp/rules.debug:57: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [57]: table <bogonsv6> persist file "/etc/bogonsv6". Increased the Firewall Maximum Table Entries from 400000 to 800000 and was able to do a full filter reload. So apparently the root issue was that I couldn't load all the firewall filters.
  • Wireguard client asking to open port on WAN

    1
    0 Votes
    1 Posts
    189 Views
    No one has replied
  • URL Table Aliases Ports

    1
    0 Votes
    1 Posts
    156 Views
    No one has replied
  • IPv6 /56 FIREWALL - allow rules not working

    2
    4
    0 Votes
    2 Posts
    305 Views
    S
    @snigy is it actually blocked and not https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html ?
  • Why do no floating rules match?

    26
    1
    0 Votes
    26 Posts
    2k Views
    R
    Last notice on this: I built a setup with a Sophos XGS which doesn't support wireguard but IPsec. There I could track traffic (but only on non-floating rules!) without any problems, matching on addresses and/or ports. So it seems to be only wireguard-related.
  • App blocking in pfSense on the smartphone

    3
    0 Votes
    3 Posts
    301 Views
    A
    thank
  • Change TTL to Block Internet Sharing by NetShare or Bluetooth

    firewall rules
    5
    0 Votes
    5 Posts
    710 Views
    horasjeyH
    @Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth: @horasjey Ok did some searching for you. Found this Change default TTL value That was true in 2018, nothing, afaik, changed since. Global answers : pfsense change TTL. edit : @Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth: Not sure if it possible with pfSense. That's a long answer for 'dono'. So how would I be able to answer : @horasjey said in Change TTL to Block Internet Sharing by NetShare or Bluetooth: here is the TTL config on the pfsense device sir? ? thanks @Gertjan
  • Why is port 80 being blocked by pfSense?

    22
    3
    0 Votes
    22 Posts
    2k Views
    N
    @NOCling Yes, fixed. Thanks.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.