• Questions Regarding Isolating Web Cams on Their Own Network

    wecam blocking
    0 Votes
    8 Posts
    1k Views
    Thanks everyone! My confusion was with 'blocking' - I thought it was a two-way street. Now I understand it only prevents the source from initiating a connection, but not replying to a request.
  • Firewall policies work (sometimes)

    0 Votes
    2 Posts
    298 Views
    @briankoch709 said in Firewall policies work (sometimes): For a stretch of 15-20 minutes, working firewall policies stop working, resulting in blocked traffic. And then after some time, traffic will then be allowed. It's occurring quite regularly, and getting frustrating with my customer. What services do you have enabled? Check the status of your gateway during the period of time that the rule stops working, and post your full logs, please (not from the dashboard).
  • Secure rule for IoT?

    0 Votes
    6 Posts
    880 Views
    johnpoz
    @furom Well, you could always test by trying to create connections your rules should block, set them to log, and see if the block is logged, etc. But to be honest I have never seen an issue where rules were not what they say they are. If having problems with, say, block rules not working - most likely an existing state that is allowing, etc. Being a good netizen, I have an outbound rule to block RFC1918 that shouldn't go to the ISP, i.e. if I typo something locally or something. If there is no local network you're trying to get to, then yeah, pfSense would route that out the public internet; it wouldn't get very far ;) But sure, if you don't want to send such possible noise to your ISP you could create an outbound block rule in floating for the RFC1918 space. [image: 1642776409367-blockrfc1919outbound.jpg]
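The test suggested in the post above (set the block rule to log, then look for the logged block) can be done against the filter log rather than by eye. The following is an added example, not code from the forum thread or from pfSense: it parses the CSV body of pfSense filterlog entries (the part after the syslog prefix in /var/log/filter.log), reports whether a block was logged for the flow you tried, flags passed flows toward RFC1918 space (the "existing state is allowing" case), and counts blocks per rule tracker id. The log lines are constructed for the example, with RFC 5737 test addresses standing in for internet hosts.

```python
"""Check whether a pfSense block rule actually logged the connection you tried.

Added example; not from the forum post or from pfSense. It parses the CSV
body of filterlog entries: rule-number, sub-rule, anchor, tracker, interface,
reason, action, direction, ip-version, then IPv4 header fields, protocol
text, length, source, destination and (tcp/udp) ports.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines. Field index: 3 tracker, 4 interface, 6 action,
# 7 direction, 8 ip-version, 16 protocol text, 18 src, 19 dst,
# 20 src-port, 21 dst-port (tcp/udp only).
# Line 1 is a pass logged before the block rule existed: the state it created
# is what keeps "blocked" traffic flowing until it expires or is cleared.
SAMPLE_LOG = """\
9,,,1000000107,igb1,match,pass,in,4,0x0,,64,12340,0,DF,6,tcp,60,192.168.20.15,192.168.10.5,51230,445,0,S,1000,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.20.15,192.168.10.5,51234,443,0,S,1001,,65535,,mss
9,,,1000000107,igb1,match,pass,in,4,0x0,,64,12346,0,DF,17,udp,76,192.168.20.15,198.51.100.53,53211,53,56
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12347,0,DF,17,udp,76,192.168.20.15,10.0.0.9,40000,161,56
11,,,1000000110,igb0,match,block,out,4,0x0,,63,12348,0,DF,6,tcp,60,192.168.20.15,172.16.5.5,52000,22,0,S,1002,,65535,,mss
9,,,1000000107,igb1,match,pass,in,4,0x0,,64,12349,0,DF,6,tcp,60,192.168.20.15,203.0.113.10,52001,443,0,S,1003,,65535,,mss
"""


@dataclass(frozen=True)
class FilterEvent:
    tracker: str       # rule tracker id, shown in the GUI rule's log entry
    interface: str
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    proto: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_filterlog(text: str) -> List[FilterEvent]:
    """Parse IPv4 filterlog lines; lines that are too short or not IPv4 are skipped."""
    events = []
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 20 or f[8] != "4":
            continue
        proto = f[16]
        sport = dport = None
        if proto in ("tcp", "udp") and len(f) >= 22:
            sport, dport = int(f[20]), int(f[21])
        events.append(FilterEvent(f[3], f[4], f[6], f[7], proto, f[18], f[19], sport, dport))
    return events


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def blocks_logged_for(events, src: str, dst: str, dst_port: Optional[int] = None):
    """Blocked events for the flow you tried to create. Empty while traffic still
    flows points at an existing state or a rule without logging, not a broken rule."""
    return [e for e in events if e.action == "block" and e.src == src and e.dst == dst
            and (dst_port is None or e.dst_port == dst_port)]


def passed_to_rfc1918(events):
    """Passed flows toward RFC1918 space: states that predate the block rule, or
    noise that would otherwise leave toward the ISP."""
    return [e for e in events if e.action == "pass" and is_rfc1918(e.dst)]


def blocks_by_rule(events) -> Dict[str, int]:
    """How many blocks each rule (by tracker id) logged."""
    return dict(Counter(e.tracker for e in events if e.action == "block"))


if __name__ == "__main__":
    evs = parse_filterlog(SAMPLE_LOG)
    print("blocks for 192.168.20.15 -> 192.168.10.5:443:",
          blocks_logged_for(evs, "192.168.20.15", "192.168.10.5", 443))
    print("passed toward RFC1918:", passed_to_rfc1918(evs))
    print("blocks per rule:", blocks_by_rule(evs))
```

Run it against real lines by feeding the CSV part of /var/log/filter.log entries (after the `filterlog[...]:` prefix) to `parse_filterlog`; the tracker id in `blocks_by_rule` is the same number pfSense shows when you hover the log entry's rule.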
  • Firewall for DMZ

    0 Votes
    12 Posts
    1k Views
    NollipfSense
    @johnpoz Here are the DMZ rules now; are they completely separated from LAN and the future VPN? [image: 1642722959246-screen-shot-2022-01-20-at-5.41.37-pm.png] [image: 1642731590487-screen-shot-2022-01-20-at-8.19.03-pm.png]
  • Rule, script, or ??? -- Need to forward all port XYZ packets

    0 Votes
    3 Posts
    539 Views
    MrPete
    @dma_pf Yes. As I said, "NAT and firewall rules don't seem to help." I've done it, with logging. At this point my initial goal is to see the packets in a log. No success to date. tcpdump easily finds them with a port filter ;)
  • Tips for IP with CIDR Summarization

    0 Votes
    3 Posts
    457 Views
    NogBadTheBad
    @darkcorner said in Tips for IP with CIDR Summarization: This is for each office, both central and remote. Instead, I was thinking of using a configuration with now 192.168.0.0/20. In this way I would have: 192.168.16 - 31.x for the head office, 192.168.32 - 47.x for the first remote office ...
    The broadcast address is the last IP address in the subnet and the network the first. I'd leave spare subnets at the top of each range unused in case you have any extra requirements at each site, i.e.:
    Site 1 192.168.0.0/20
      192.168.0.0/24 WAN network
      192.168.1.0/24 LAN network
      192.168.2.0/24 OPT1 / DMZ1 network
      192.168.3.0/24 OPT2 / DMZ2 network
      192.168.4.0/24 Spare
      192.168.5.0/24 Spare
      192.168.6.0/24 Spare
      192.168.7.0/24 Spare
      192.168.8.0/24 Spare
      192.168.9.0/24 Spare
      192.168.10.0/24 Spare
      192.168.11.0/24 Spare
      192.168.12.0/24 Spare
      192.168.13.0/24 Spare
      192.168.14.0/24 Spare
      192.168.15.0/24 Spare
    Site 2 192.168.16.0/20
      192.168.16.0/24 WAN network
      192.168.17.0/24 LAN network
      192.168.18.0/24 OPT1 / DMZ1 network
      192.168.19.0/24 OPT2 / DMZ2 network
      192.168.20.0/24 Spare
      192.168.21.0/24 Spare
      192.168.22.0/24 Spare
      192.168.23.0/24 Spare
      192.168.24.0/24 Spare
      192.168.25.0/24 Spare
      192.168.26.0/24 Spare
      192.168.27.0/24 Spare
      192.168.28.0/24 Spare
      192.168.29.0/24 Spare
      192.168.30.0/24 Spare
      192.168.31.0/24 Spare
    You could even split a /24 into a /25: 192.168.31.0/24 Spare split into /25 would give you 192.168.31.0/25 and 192.168.31.128/25.
    https://packetlife.net/media/library/15/IPv4_Subnetting.pdf
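The per-site plan above can be generated and checked rather than typed out. The following is an added example, not from the forum post: it carves 192.168.0.0/16 into /20 site blocks, assigns the first four /24s of each block the roles listed in the post and leaves the rest spare, splits a spare /24 into /25s, and verifies that the pieces summarize back to the site /20, which is what makes one alias or one route per site sufficient. The /16 supernet and the helper names are assumptions for the example.

```python
"""Worked version of the per-site /20 plan from the post above.

Added example; not code from the forum or from pfSense. Uses the standard
library ipaddress module to build, split and summarize the plan.
"""
import ipaddress
from typing import Dict, List, Optional

# Roles from the post, in the order they are assigned to the first /24s.
ROLES = ["WAN network", "LAN network", "OPT1 / DMZ1 network", "OPT2 / DMZ2 network"]


def site_blocks(supernet: str = "192.168.0.0/16", site_bits: int = 4):
    """Equal per-site blocks: a /16 plus 4 bits gives sixteen /20s."""
    return list(ipaddress.ip_network(supernet).subnets(prefixlen_diff=site_bits))


def site_plan(block) -> Dict[str, dict]:
    """Assign the /24s inside one site block; unassigned ones stay 'Spare'.
    Network (first) and broadcast (last) addresses are included per subnet."""
    plan = {}
    for i, sn in enumerate(block.subnets(new_prefix=24)):
        plan[str(sn)] = {
            "role": ROLES[i] if i < len(ROLES) else "Spare",
            "network": str(sn.network_address),
            "broadcast": str(sn.broadcast_address),
            "usable": sn.num_addresses - 2,
        }
    return plan


def split(net: str, new_prefix: int) -> List[str]:
    """Split a subnet into smaller ones, e.g. a spare /24 into two /25s."""
    return [str(s) for s in ipaddress.ip_network(net).subnets(new_prefix=new_prefix)]


def summarizes_to(parts: List[str], expected: str) -> bool:
    """True only if the parts are contiguous and exactly fill `expected`;
    a gap or a stray subnet makes collapse_addresses return more than one network."""
    collapsed = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in parts))
    return collapsed == [ipaddress.ip_network(expected)]


def site_of(ip: str, supernet: str = "192.168.0.0/16", site_bits: int = 4) -> Optional[int]:
    """Index of the site block an address falls in (None if outside the supernet)."""
    addr = ipaddress.ip_address(ip)
    for i, block in enumerate(site_blocks(supernet, site_bits)):
        if addr in block:
            return i
    return None


if __name__ == "__main__":
    for i, block in enumerate(site_blocks()[:2], start=1):
        print(f"Site {i} {block}")
        for sn, info in site_plan(block).items():
            print(f"  {sn:18} {info['role']:22} bcast {info['broadcast']}")
        print("  summarizes to", block, summarizes_to(list(site_plan(block)), str(block)))
```

`summarizes_to` is the check worth keeping around: if someone later hands a spare /24 from one site to another, the site's subnets no longer collapse to a single /20 and a per-site alias or route built on that /20 silently covers the wrong network.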
  • Periodic traffic interruption on non standard ports (8081, 8082)

    0 Votes
    6 Posts
    940 Views
    @dlewis_nepean So I tested the recommendation and it doesn't seem to work. I have a PPPoE interface plus a /29, so 6 IPs total. The PPPoE interface is the one I use as my general NAT. When I put that IP in the override WAN address (I even rebooted), the same situation happens: the 8081/8082 ports, which are on one of the other IPs, fail. The device that is using UPnP reports the correct external address, but when I go to the status page in pfSense, the entries that show those ports and internal IP show "any" under Ext IP.
  • Destination IP and Port?

    0 Votes
    4 Posts
    601 Views
    @viragomann Perfect, missed that one, thanks!
  • Scheduled rule transitions

    0 Votes
    10 Posts
    989 Views
    @cathal1201 Sorry, it looks like I'm a little behind on the timing of your responses and me typing mine. OK, so if that's not working, you can also do the opposite - a pass rule with the time frame you want the IP address to have access. But in this case you also have to set up a BLOCK or DENY rule immediately under it, with no schedule, for the same IP address. I'm gonna be honest, it's a little bit difficult to set up a schedule-based rule in pfSense, since it's a stateful firewall, and states aren't necessarily dropped like you/we are hoping. You have to try either one of these methods until you get one to work. In my opinion it should be a lot easier than this, but it is what it is...
  • allow all traffic to and from port 80

    0 Votes
    8 Posts
    747 Views
    johnpoz
    @peter247 When connecting routers there really should be a transit network (no hosts on this network); this prevents the asymmetrical flow that can happen when you talk to devices that sit on the network between routers. I have gone over this countless times... Here is an old post with some drawings explaining the problem. https://forum.netgate.com/post/865509 If you only have 1 router, pfSense, and your networks are all connected to pfSense - then you don't have asymmetrical flow, as long as these devices cannot talk to each other in some other way that does not flow through pfSense.
  • Easyrule not working with pfsense+ via command line.

    0 Votes
    6 Posts
    1k Views
    I had the same issue after updating to 21.05.2. For my use case the easyrule script is a somewhat critical need. I have never applied a manual patch on pfSense before, but this one was relatively easy. I basically took the new easyrule script from the Redmine and dropped it in usr/local/bin (replacing the previous easyrule). And it works fine now.
  • allowing internet access while blocking traffic between subnets

    0 Votes
    3 Posts
    444 Views
    johnpoz
    @hescominsoon Without you showing us what you had done, it's not possible for us to know what you might have been doing wrong. But to be honest, inverted or ! rules are not how I would suggest you do it. Allow what you want to the firewall: ICMP, DNS, etc. Then create a block rule with your RFC1918 alias, then below that an any-any rule. Here is an example set of rules that prevents a VLAN/network from talking to any other RFC1918 networks, and still allows internet. [image: 1642334126982-rules.jpg] ! rules can work, and do - but there are some scenarios where they could be problematic; it's just better to set explicit rules. Much easier to read and understand from a quick glance at your rules as well. The block to "This Firewall" prevents this VLAN from accessing the web GUI of pfSense on its WAN IP, which quite often is a public IP and without that rule would be allowed via the any-any internet rule.
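The rule set described in the post above depends entirely on order: pfSense interface rules are evaluated top to bottom and the first match wins. The following is an added example, not code from the forum thread or from pfSense, that walks sample flows through that order with a small first-match evaluator and shows the two ways it goes wrong that the post alludes to: dropping the "This Firewall" block exposes the web GUI on the WAN IP through the any-any rule, and putting the any-any rule first means the RFC1918 block never fires. The firewall addresses, the test destinations and the rule labels are assumptions for the example (RFC 5737 ranges stand in for public addresses).

```python
"""First-match walk through the explicit VLAN rule set described above.

Added example; not from the forum post or from pfSense. Models pfSense
interface rules as an ordered list where the first match decides and
anything unmatched hits the implicit default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Net = ipaddress.IPv4Network

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Stand-in for the "This Firewall" alias: the VLAN gateway and the public WAN IP.
THIS_FIREWALL = [ipaddress.ip_network(a)
                 for a in ("192.168.20.1/32", "203.0.113.2/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # None matches any protocol
    dst: Sequence[Net]
    dport: Optional[int]   # None matches any destination port
    label: str


def matches(rule: Rule, proto: str, dst: str, dport: Optional[int]) -> bool:
    ip = ipaddress.ip_address(dst)
    return ((rule.proto is None or rule.proto == proto)
            and any(ip in net for net in rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, proto: str, dst: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """(action, label) of the first matching rule; no match is the default deny."""
    for rule in rules:
        if matches(rule, proto, dst, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"


# The order from the post: allow needed services to the firewall, block the
# rest of the firewall, block other RFC1918 space, then allow everything else.
EXPLICIT_RULES = [
    Rule("pass", "icmp", THIS_FIREWALL, None, "allow ping to firewall"),
    Rule("pass", "udp", THIS_FIREWALL, 53, "allow DNS to firewall"),
    Rule("pass", "tcp", THIS_FIREWALL, 53, "allow DNS over TCP to firewall"),
    Rule("block", None, THIS_FIREWALL, None, "block everything else to This Firewall"),
    Rule("block", None, RFC1918, None, "block other RFC1918 networks"),
    Rule("pass", None, ANY, None, "allow internet (any any)"),
]

# Without the "This Firewall" block, the any-any rule reaches the web GUI on
# the WAN IP (public, so the RFC1918 block does not catch it).
WITHOUT_FIREWALL_BLOCK = [r for r in EXPLICIT_RULES
                          if r.label != "block everything else to This Firewall"]

# With the any-any rule moved to the top, the blocks below it never fire.
MISORDERED = [EXPLICIT_RULES[-1]] + EXPLICIT_RULES[:-1]


def decisions(rules, flows):
    """Evaluate (proto, dst, dport) flows against a rule set."""
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [("udp", "192.168.20.1", 53), ("tcp", "192.168.20.1", 443),
             ("tcp", "203.0.113.2", 443), ("tcp", "192.168.10.5", 445),
             ("tcp", "198.51.100.20", 443)]
    for name, rules in (("explicit", EXPLICIT_RULES),
                        ("no This Firewall block", WITHOUT_FIREWALL_BLOCK),
                        ("misordered", MISORDERED)):
        print(name)
        for flow, verdict in decisions(rules, flows).items():
            print("  ", flow, "->", verdict)
```

The model ignores states on purpose: it tells you what a new connection would hit, which is the question when a rule looks wrong. An existing state keeps passing traffic regardless of this order, which is the other failure mode johnpoz mentions in the Secure rule for IoT thread above.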
  • No outbound connection from 2nd WAN subnet

    0 Votes
    4 Posts
    630 Views
    I found the problem. [image: 1642182360161-0089fae6-f2a8-405d-818d-8a40648a0bf7-image.png] The virtual machine can now access the internet.
  • wan interface stops responding after reboot

    0 Votes
    1 Post
    220 Views
    No one has replied
  • An odd Issue - Spotify / Google? is blocked

    0 Votes
    8 Posts
    860 Views
    Gertjan
    @sp00ky These: [image: 1642148811043-33fef112-7eba-4b44-bd64-e8d63d6f9a9f-image.png] [image: 1642148830878-b2d7d122-5d86-4e34-a0fe-7293654ff378-image.png]
    If you suspect DNS issues, I advise you to eliminate all third parties. The first image: wipe them all. This is the default. The second image: when checking "DNS server override", pfSense will use the DNS info received when establishing the uplink to your ISP. This means you'll be using the DNS servers that your ISP suggested. This method is what our ISP routers use, very popular in the past.
    What pfSense does, out of the box: it resolves. This means that it uses one or more main root DNS servers. There are 13 of them, IPv4 and IPv6. The addresses are built in, as they are very fixed and static. These main servers know where to find all the com, org, net, us, any known TLD name servers. All these TLD servers are cloned all over the place, so there is always one nearby. One goes down? No problem, another one will do the job. These TLD servers maintain the domain name records that are accessible by the registrar: when you rent a domain name, the registrar writes into the TLD the domain name and the domain name servers of your domain name. There must be at least 2 domain name servers. These domain name servers of a domain name can tell you (pfSense, your browser etc.) what the IPv4 is for a given domain, what the MX is, the IPv6, or an alias, or whatever TXT field.
    If you cannot resolve spotify.com: use nslookup and switch to trace mode, or use the console access on pfSense, and ask for 'why?': dig @127.0.0.1 spotify.com +trace
    Knowing that Spotify is not a small player on the Internet, there must be an answer. No or wrong answer means: your uplink is bad; your ISP has peering issues? Your ISP, or someone upstream, is changing your DNS requests? The resolver, unbound, has issues? (check the pfSense resolver logs). And last, but not least, Facebook has taught us that even the big companies themselves can have 'internal' issues that remove the access to all of their own domain name servers.
    The biggest bottleneck is always: your uplink - and anything close to that uplink. pfSense, the resolver, on an average box, can handle thousands of DNS requests and answers a second. These have to 'fit' over the uplink. Your ISP will then route them to the DNS server the resolver chose to work with. This method has been created and tested by billions, over 30 or 40 years. Of course, you could use some external DNS server, like 8.8.1.1 - or the DNS server of your ISP. Just say to yourself: why do these servers exist, knowing that they cost (hundreds of) millions every year to maintain? 8.8.1.1 is a resolver, just like the one pfSense uses.
    So my thoughts are: when in doubt, use the shortest road, exclude all non-needed factors. Btw: I excluded local problems like a bad WAN interface of pfSense. You mentioned one domain name, and not overall bad 'access quality'.
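The `dig @127.0.0.1 spotify.com +trace` diagnosis suggested above prints one block per hop (root, TLD, then the domain's own servers), each ending in a `;; Received N bytes from IP#53(server) in T ms` footer. Reading where that chain stops is the "ask for why" step. The following is an added example, not from the forum post: a parser for that output that returns the final answer and the server that gave it, or, when the chain stops, the last zone that was delegated and the error dig printed. Both traces are constructed for the example; the server names and addresses are placeholders from RFC 5737 ranges, not real spotify.com data, and the set of informational `;;` lines the parser ignores is an assumption about dig's output.

```python
"""Walk dig +trace output hop by hop and report where resolution stops.

Added example; not from the forum post, pfSense or BIND. Parses the text
format of `dig ... +trace`: resource records, a ';; Received ...' footer per
hop, blank lines between hops, and ';; ...' error lines when a hop fails.
"""
import re
from typing import Dict, List, Tuple

HOP_FOOTER = re.compile(r"^;; Received (\d+) bytes from (\S+)#(\d+)\((\S+)\) in (\d+) ms$")
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
# Informational ';;' lines that are not failures (assumed set for the example).
IGNORE_PREFIXES = ("; <<>>", ";; global options", ";; UDP setup", ";; Truncated")

# Constructed healthy trace: root -> com. -> spotify.com. NS -> A answer.
HEALTHY_TRACE = """\
; <<>> DiG 9.16.1 <<>> @127.0.0.1 spotify.com +trace
;; global options: +cmd
.\t\t\t518400\tIN\tNS\ta.root-servers.net.
.\t\t\t518400\tIN\tNS\tb.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.\t\t\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t\t\t172800\tIN\tNS\tb.gtld-servers.net.
;; Received 1170 bytes from 198.51.100.4#53(a.root-servers.net) in 20 ms

spotify.com.\t\t172800\tIN\tNS\tns1.example.net.
spotify.com.\t\t172800\tIN\tNS\tns2.example.net.
;; Received 680 bytes from 198.51.100.30#53(a.gtld-servers.net) in 30 ms

spotify.com.\t\t300\tIN\tA\t203.0.113.25
;; Received 60 bytes from 198.51.100.23#53(ns1.example.net) in 40 ms
"""

# Same delegation chain, but the domain's own name servers never answer.
BROKEN_TRACE = (HEALTHY_TRACE.split("spotify.com.\t\t300")[0]
                + ";; connection timed out; no servers could be reached\n")


def parse_trace(text: str) -> List[Dict]:
    """Split the trace into hops: {'records': [(owner, type, rdata)], 'from': server, 'error': text}."""
    hops: List[Dict] = []
    cur: Dict = {"records": [], "from": None, "error": None}

    def flush():
        nonlocal cur
        if cur["records"] or cur["from"] or cur["error"]:
            hops.append(cur)
        cur = {"records": [], "from": None, "error": None}

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            flush()                    # blank line separates hops
            continue
        if line.startswith(IGNORE_PREFIXES):
            continue
        m = HOP_FOOTER.match(line)
        if m:
            cur["from"] = m.group(4)   # server that answered this hop
            continue
        if line.startswith(";;"):
            cur["error"] = line[3:].strip()
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            cur["records"].append((owner.lower(), rtype, rdata))
    flush()
    return hops


def diagnose(text: str, qname: str, qtype: str = "A") -> Tuple[str, object, object]:
    """('answer', [rdata...], server) if some hop returned qtype for qname, else
    ('stuck', last zone delegated, error text) naming where the chain stopped."""
    name = qname.rstrip(".").lower() + "."
    hops = parse_trace(text)
    for hop in hops:
        answers = [rd for owner, rt, rd in hop["records"] if owner == name and rt == qtype]
        if answers:
            return "answer", answers, hop["from"]
    last_zone = None
    for hop in hops:
        for owner, rt, _ in hop["records"]:
            if rt == "NS":
                last_zone = owner  # deepest delegation that was actually received
    error = next((h["error"] for h in reversed(hops) if h["error"]), None)
    return "stuck", last_zone, error or "delegation received but no answer"


if __name__ == "__main__":
    print(diagnose(HEALTHY_TRACE, "spotify.com"))
    print(diagnose(BROKEN_TRACE, "spotify.com"))
```

Feed it the real output with `diagnose(open("trace.txt").read(), "spotify.com")` after running the dig command from the pfSense shell. A result of `stuck` at `spotify.com.` with a timeout points past the root and TLD servers to the domain's own servers or the path to them, which is the Facebook-style case Gertjan describes; `stuck` at `.` with no records at all means the local resolver itself did not answer.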
  • VPN Port Forwarding Issues

    0 Votes
    1 Post
    307 Views
    No one has replied
  • traffic in wan

    0 Votes
    37 Posts
    3k Views
    @johnpoz said in traffic in wan: And again your "users" have no complaints of anything being slow or not working? Exactly, nobody is complaining about anything, and in the firewall you continue to see this type of traffic.
  • Trace why outgoing traffic doesn't traverse the gateway

    0 Votes
    6 Posts
    910 Views
    lifeboy
    @bluesun, no I haven't.
  • Sigate.de + pfsense

    0 Votes
    1 Post
    231 Views
    No one has replied
  • Newbie question about what I see in my log

    0 Votes
    10 Posts
    2k Views
    johnpoz
    @frodo The problem is you don't know what dissector to use, or you need to write one to be able to view the details of that payload you see there in DATA. You would need help from the vendor, or you need someone that does that sort of thing. That could be completely benign and be just some info in a JSON file, or it might not be. With the noise, for example, that I showed you, there are lots of people that have dug into that and listed what is being sent, etc. For that - you could try decoding it as different stuff in Wireshark. https://ask.wireshark.org/question/20679/how-to-decodedecrypt-udp-packet-data/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.