• 0 Votes
    5 Posts
    676 Views
    johnpozJ

    @bars your wan would be how pfsense gets to other networks it's not attached to. Normally this would be just a public internet IP. Or if behind a NATing device from your isp, it could be just an rfc1918 address..

    A wan is the network a router uses to get to other networks it's not attached to..

    The wan net alias is just that: the network your "wan" interface is connected to. Yes the wan IP would be included in that alias, since it is the whole network that interface is attached to.

  • Multi-Element In Same Rule (NO ALIAS)

    1
    0 Votes
    1 Posts
    267 Views
    No one has replied
  • RDP blocked even I set any allow rule

    4
    0 Votes
    4 Posts
    544 Views
    johnpozJ

    @tomatonoheta Those are all out of state blocks. Your traffic flow is asymmetrical most likely.. But odd that is not SA.. (syn,ack)

    If pfsense was blocking the syn, you would have an issue, but those are acks being blocked, not the syn.

    Why are you hiding rfc1918 addresses?

  • Issues Editing Firewall Rules

    2
    0 Votes
    2 Posts
    573 Views
    C

    So I was able to find a bug report about this problem and it's due to a chrome issue. I am using Brave so I guess it would be a similar issue. I was able to easily fix this by just clearing the cookies and site data. The bug report was 5 years old and says it was to be fixed but I guess the problem is still happening. Luckily it's an easy fix and not something major.

    Original Bug Report

  • Ping rules, put it at the bottom or at the top of the rules list ?

    3
    0 Votes
    3 Posts
    668 Views
    johnpozJ

    @elrick75 said in Ping rules, put it at the bottom or at the top of the rules list ?:

    but I don't know if I should put it at the bottom or at the top of the rules list

    Rules are evaluated top down; the first rule to trigger wins, and no other rules are evaluated. So as @viragomann was saying, as long as your rules don't have anything that conflicts, say a block or a policy route that would trigger on your traffic, it doesn't really matter.

    Simple thing to do when you add a rule is walk down the rules from the top: will anything trigger that would do something with my traffic I don't want? For example with ping, say you wanted to allow IP xyz to ping but no other devices to ping, and you purposely put a block all icmp rule above your allow specific icmp rule. Then your specific icmp rule would never be seen; it would need to go above your block all icmp rule.

  • default deny queue does not log anything

    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • LAN outbound allow rule for http(s) and SMTP not passing as expected

    7
    0 Votes
    7 Posts
    756 Views
    P

    @viragomann
    Thx, got that as you were typing I think. Brilliant!

  • WAF for HAProxy (Reverse Proxy)

    5
    0 Votes
    5 Posts
    8k Views
    S

    @daddygo
    I really appreciate the great answer. I see! I think I should go with both, but budget is something I am considering. I really miss time these days for my very small company and I am trying to keep costs as low as possible. However, I will really look at CWAF. It seems really promising!

    Thanks again.

  • Network Question

    2
    0 Votes
    2 Posts
    595 Views
    AndyRHA

    On a LAN, a computer talks directly to others on the same LAN. Otherwise you would have to have ALL of your LAN traffic pass through pfSense, effectively making the total speed of your entire LAN the speed of one pfSense port.
    To do what you want, place the computers you want to protect on a different LAN. This will cause the computers to talk to their default gateway (pfSense) to talk to the protected PCs. Then pfSense will see the traffic and apply your rules.
    Buy your friend a nice gift.

  • Firewall rules not working

    5
    0 Votes
    5 Posts
    867 Views
    JamesTekJ

    @jamestek

    update:

    reset to factory settings, set up pfSense again, applied rules which worked before; now none of them are working

  • Hell of a time with Pfsense port forwarding.

    7
    0 Votes
    7 Posts
    1k Views
    M

    @johnpoz I managed to show packets when I sniffed the public IP address which for obvious reasons I'm not posting here lol. I might have found my problem though I will post later if it works.

  • All S3 traffic blocked

    1
    0 Votes
    1 Posts
    323 Views
    No one has replied
  • State Details showing 0/0 on everything for two days after update

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ

    @jonathanlee you mean in the firewall rules - yes you can turn off listing the rules in the firewall listing.

    [image: rules.jpg]

  • Can't route between 2 vlans

    13
    0 Votes
    13 Posts
    1k Views
    F

    @johnpoz ok I got it working!!! You were right, I need source NAT to work with the device. I had to read the docs and some forum posts about that because I did not know how to do that.

    The solution for those who want to do the same config:

    [image: red8.jpg]

    REMEMBER to change, before that screen, to "Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below)" mode. If you create the rule without changing the mode, it will show greyed out and of course, it will not work.

    John, thanks a lot for your patience and for guiding me to the solution. Regards!

  • Port 443 recommend TCP flag settings?

    2
    0 Votes
    2 Posts
    496 Views
    johnpozJ

    @jonathanlee you don't need to adjust those.. Those are out of state..

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

    edit: btw not mentioned in that article - but something like a cell phone switching between its wifi and cell and trying the same connection can also cause those.

    Or a device that has been in standby, and coming out and trying to use or close its old sessions while the firewall has already timed out the session.

    Those are closing flags, RA and FA.. Could just be the states were reset on the firewall (say internet loss and pfsense set to reset states).. When you see lots of say SA, those scream of asymmetrical traffic flow.

    If your states have been reset, and the client determines that hey this session is no longer working - it will try and close the state sending Fin and even Reset.. Before it sends a new syn to open another session.

  • 0 Votes
    4 Posts
    604 Views
    E

    @skilledinept
    @viragomann

    I really appreciate your precious replies.
    Now I understand the differences between them.

    Thank you.

  • Allow any to WAN interface only

    9
    0 Votes
    9 Posts
    1k Views
    D

    Thank you all for these very interesting replies!! 🙂

    David

  • 0 Votes
    7 Posts
    1k Views
    johnpozJ

    @3ronic said in Changes made to default LAN affects every VLAN. Some clarifications needed.:

    Now if I then add a DNS rule on LAN to just my Pi-Hole and exclude all other external DNS servers (same rules as my VLANs),

    Well yeah - pihole is trying to ask cloudflare for the IP address of google - you just blocked that.. So nothing on any of your networks would be able to resolve anything.. Because you're blocking 10.10.10.6 from going to cloudflare..

    Such a rule on lan makes no sense anyway; allowing lan to talk to 10.10.10.6, stuff on lan doesn't route to pfsense to talk to stuff on lan.. So that rule is pointless, but what is a problem is you're blocking all other dns so pihole can not talk to cloudflare.

    As to getting timeouts now and then to cloudflare - that has something to do with your connection to them, or them, etc. It could be something as simple as you're asking for something that is not cached by them, and it takes a bit for them to resolve it..

    If you want to stop your lan from talking to other dns - then you would need at min a rule to allow your pihole to talk to cloudflare IPs.

    If you want to disable IPv6, turn off the dhcpv6 and RA, then you can change the tracking setting.

  • I can reach pfSense LAN interface but not other devices connected.

    5
    0 Votes
    5 Posts
    1k Views
    P

    @viragomann I've resolved it.

    I disabled the outbound NAT on the pfSense and I've added a static default route to my home router (Fritzbox).
    Now I can successfully ping and reach the devices on the "internal" LAN of pfSense.

  • 0 Votes
    12 Posts
    2k Views
    johnpozJ

    @aduzsardi the only way that makes sense is not understanding what a source or a destination is or what flow of the traffic is. That rules are evaluated INBOUND.. Not outbound..

    There are many a thread where we go over this.. When would you like to stop traffic, before it enters and flows across your firewall, or on its way out..

    The only time such a rule makes sense

    [image: outbound.jpg]

    If you were trying to stop traffic from leaving the firewall..

    https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering
    traffic need only be permitted on the interface where it enters the firewall.

    https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#rule-methodology

    rules on interface tabs are applied on a per-interface basis, always in the inbound direction on that interface. This means traffic initiated from the LAN is filtered using the LAN interface rules. Traffic initiated from the Internet is filtered with the WAN interface rules.

    In the above rule shown, you would be blocking traffic as it exits the interface into the opt2 network. So the firewall already created a state, and had to process the traffic - just to block it?

    It's better to stop the traffic before it enters the firewall, before it had to be processed and a state created. So if you do not want opt1 talking to opt2, you block that traffic at the opt1 interface.

    I have used this analogy before. If you wanted to prevent someone from getting to your back yard. Would you stop them at the front door before they even entered the house. Or would they just walk in the front door, track mud all over the clean floors in your house, and then just as they were trying to step into the backyard you would stop them at the back door?

    So now you have to go clean up all the mud they tracked in, or would it be better to check that their feet are clean, and you know them and want them in your backyard before they even enter the front door ;)

    Now if you want extra or special type of rules, you can add them in the floating tab in the "outbound" direction. Maybe you don't want anyone allowed into the master bedroom, but you already let them in the front door because they can go everywhere else, and you didn't want to check if they were going to master bedroom when you let them in..

    This methodology is common across really any stateful firewall.. You filter traffic before it enters the firewall, since if you let it into the firewall the firewall had to process it and create a state..

    Is the issue the users are reading the docs and not grasping it.. If so then yes it needs to be explained better or with simpler terms. Or is it they are just not reading them at all. If the first - maybe we could add pictures or something explaining the concept better.

    In my experience most users don't read the manual.. I know how this TV works, and sure they might plug it in, hook it up, get logged into "netflix" etc.. But only go to the manual when something is not working, and if they can not figure it out. Or just call support ;) because they don't want to read the manual ;)

    I do this myself, pretty much everyone does.. I know how my new fridge works ;) But this new one connects to wifi.. I had to look in the docs for how to do that; sure I could have clicked on the little wifi button hoping it connected.. But in the docs it tells me to hold it for 3 seconds until it starts flashing, and I have to use the app on the phone and connect to the new wifi network the fridge creates to be able to tell it what wifi and psk to use to connect to my network, etc..

    If I didn't need/want to use the wifi function there would have been no need for me to reference the manual. Which is the case with many a post here.. Out of the box pfsense is pretty easy to use.. You plug it in, follow the bouncing ball guide as you access its web interface, click a few buttons and hey, internet works.

    Only when you want to start doing something outside that use case would they "need" to reference the manual.. Which did they do?? Or did they just post here when it didn't actually work.. Like the wifi button on my fridge ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.