• I can reach pfSense LAN interface but not other devices connected.


    @viragomann I've resolved it.

    I disabled the outbound NAT on the pfSense and I've added a static default route to my home router (Fritzbox).
    Now I can successfully ping and reach the devices on the "internal" LAN of pfSense.

  •
    johnpoz

    @aduzsardi the only way that makes sense is not understanding what a source or a destination is, or what the flow of the traffic is. Rules are evaluated INBOUND.. Not outbound..

    There are many a thread where we go over this.. When would you like to stop traffic, before it enters and flows across your firewall, or on its way out..

    The only time such a rule makes sense

    [image: outbound.jpg]

    If you were trying to stop traffic from leaving the firewall..

    https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering
    traffic need only be permitted on the interface where it enters the firewall.

    https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#rule-methodology

    rules on interface tabs are applied on a per-interface basis, always in the inbound direction on that interface. This means traffic initiated from the LAN is filtered using the LAN interface rules. Traffic initiated from the Internet is filtered with the WAN interface rules.

    In the above rule shown, you would be blocking traffic as it exits the interface into the opt2 network. So the firewall already created a state, and had to process the traffic - just to block it?

    It's better to stop the traffic before it enters the firewall, before it had to be processed and a state created. So if you do not want opt1 talking to opt2, you block that traffic at the opt1 interface.

    I have used this analogy before. If you wanted to prevent someone from getting to your back yard. Would you stop them at the front door before they even entered the house. Or would they just walk in the front door, track mud all over the clean floors in your house, and then just as they were trying to step into the backyard you would stop them at the back door?

    So now you have to go clean up all the mud they tracked in, or would it be better to check that their feet are clean, and you know them and want them in your backyard before they even enter the front door ;)

    Now if you want extra or special type of rules, you can add them in the floating tab in the "outbound" direction. Maybe you don't want anyone allowed into the master bedroom, but you already let them in the front door because they can go everywhere else, and you didn't want to check if they were going to master bedroom when you let them in..

    This methodology is common across really any stateful firewall.. You filter traffic before it enters the firewall, since if you let it into the firewall, the firewall had to process it and create a state..

    Is the issue that the users are reading the docs and not grasping it? If so then yes, it needs to be explained better or with simpler terms. Or is it that they are just not reading them at all? If the first, maybe we could add pictures or something explaining the concept better.

    In my experience most users don't read the manual.. I know how this TV works, and sure they might plug it in, hook it up, get logged into "netflix" etc.. But only go to the manual when something is not working, and if they can not figure it out. Or just call support ;) because they don't want to read the manual ;)

    I do this myself, pretty much everyone does.. I know how my new fridge works ;) But this new one connects to wifi.. I had to look in the docs for how to do that; sure, I could have clicked on the little wifi button hoping it connected.. But in the docs it tells me to hold it for 3 seconds until it starts flashing, and I have to use the app on the phone and connect to the new wifi network the fridge creates to be able to tell it what wifi and psk to use to connect to my network, etc..

    If I didn't need/want to use the wifi function there would have been no need for me to reference the manual. Which is the case with many a post here.. Out of the box pfsense is pretty easy to use.. You plug it in, follow the bouncing ball guide as you access its web interface, click a few buttons and hey, internet works.

    Only when you want to start doing something outside that use case would they "need" to reference the manual.. Which did they do?? Or did they just post here when it didn't actually work.. Like the wifi button on my fridge ;)

  • LOG firewall and haproxy

    johnpoz

    @pino121 Diagnostics menu, States

    [image: states.jpg]

    You can filter it on specific IPs or ports, etc.

    [image: filter.jpg]

  • Ports/Outbound NAT required for PS4 (FIFA22)

    No one has replied
  • Internal connection

    No one has replied
  • Firewall Rule to allow my NAS to see outward to the internet

    johnpoz

    @panzerscope said in Firewall Rule to allow my NAS to see outward to the internet:

    So all is good! Thanks for triggering something in my brain haha.

    No, that would have ZERO to do with your WAN seeing broadcast traffic from your LAN network - which is broken!!

  • Blocking traffic from/to other networks/interfaces

    johnpoz

    @droidus said in Blocking traffic from/to other networks/interfaces:

    or is there a better way to do this?

    I have come to the conclusion that it is always best to be very explicit with your rules vs using ! or inverse rules.

    If your goal is to block your game network from going to the LAN network, then I would put in an explicit rule that says that.. Or use a rule that lists all the rfc1918 networks, etc.

    There can be some odd stuff that happens when there are VIPs and you use bang rules.. Also it's easier to read the rules if you're very explicit with them vs doing inverse stuff.

    Here is an example of a network that is locked down from going to any of the other local networks.

    [image: explicit.jpg]

    This network is allowed to ping pfsense, allowed to ask it for DNS and NTP. But not allowed to talk to pfsense on any other port on any other interface (think GUI or SSH for example). The "This Firewall" alias is good because it includes your WAN IP, which normally would be public and not included in the rfc1918 list, and it could change, etc., so the alias makes sure it can not go to the WAN IP for access to, say, the web GUI, even if it changes.

    And then it is specifically blocked from talking to any other rfc1918 network (10/8, 192.168/16 or 172.16/12).

    The last rule allows internet.

  • Internet navigation problem using browser on LAN client host


    @mauro-tridici said in Internet navigation problem using browser on LAN client host:

    I forgot to ask you what kind of message I should see in this case in the logs :)

    Pretty much anything, since I have no idea what the reason could be for now.
    Usually there are not really many lines written into the system log during normal operation anyway.

    Is this pfSense running in a VM?

  • Pfsense in Proxmox and VLANs. Firewalling issues?

    sensei-two

    This is strange. I restarted all my devices this morning, I tried it again, and it turned out that I can now open a Remote Desktop session from my external PC to my Windows VM in Proxmox in VLAN10, but I still can't ping it!

    UPDATE

    I FIXED IT!!

    It was the Windows firewall.. that bastard :-)

  • Block everything except

    NogBadTheBad

    @rezartlelo said in Block everything except:

    Sorry if the questions have already been asked but I didn't find any resource to help me.
    I want to block everything except WhatsApp, Google Search, email services, and a few domains. I'm trying to use pfBlocker by using DNS names, but it's not working how I want it to.
    Can anyone please suggest a better way to work on that or an alternative solution?
    Thanks

    Tried using ASN numbers and using them in an alias in an allow rule?

    [image: Screenshot 2021-11-24 at 11.55.15.png]

    Might give them a bit more access than you want, maybe tweak the dst ports as well.

  • Firewall block rule allow


    @johnpoz my serial traffic is like this: branches (10.0.0.08) > connected to my central office, enter a CORE (MPLS) and then firewall > pfSense (IPsec) and enter the tunnel, use a WEB application. Would the problem with logs be generated by the fact that users leave the web application logged in and it keeps doing some refresh? And we only access the other side. Would pfSense need to have static routes to the branches? Thanks.

  • Ignore any IP not resolving to a trusted domaine

    johnpoz

    @wastapi no, that is the default cron that updates the IPs.

    Is that running? I don't recall the details, but I do recall some thread or threads about aliases not updating or loading.

  • RDP to secondary LAN

    F022Y

    Sorry, I've been away so haven't been back.

    I decided to try it and restricted it to the IP I got from my mobile phone provider, and it worked a charm. I guess that pfSense doesn't care about the inbound interface (by this I mean the NIC being presented internally), as pointed out by SteveITS.

  • How to reset interface for pfsense


    @steveits Hi.

    Thank you for the reply.

    So, the IP I had set was 192.168.100.1

    I see that I can make assignments of a named interface to a physical port.

    What I don't see is how pfsense selects an interface for its domain.

    It was using my bridged interface, and even survived reboots.
    However, today it had decided to use the LAN3 interface address space for the domain found in /etc/hosts.

  • Firewall rules, NAT and other stuff that escapes me

    johnpoz

    @octopuss if they were going to do it correctly.. They would clearly state you need to port forward or allow unsolicited inbound to your device. And they should list any specific IPs they could.. For example, if coming from their network(s) - list those.. If it needs to be from any, say servers you're hosting or whatever that other players would need to be able to connect to, state that, etc.

  • pot. Bug(s) with Interface Groups & firewall rules

    JeGr

    @jimp said in pot. Bug(s) with Interface Groups & firewall rules:

    @jegr said in pot. Bug(s) with Interface Groups & firewall rules:

    Separators could be a good guess but I didn't mention them as the interface group doesn't have one. But yes, on the systems I tested with there were separators on other interfaces as we always use them for better rule grouping.

    It's not a guess, it's definitive. It's what xmllint flagged as invalid XML which triggered the config rollback.

    Just edited my post above, sorry.

    Seems the easiest way would be to limit groups to not only disallow them ending with a digit but also starting with one.

  • Is it possible to allow AirPrint from one VLAN to another without Avahi?

    johnpoz

    @imthenachoman said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:

    I'd hate to consume someone else's time with this

    Dude, I wouldn't do it if it didn't interest me as well.. I just need some motivation to do it; helping someone else with their issues is normally motivation for me to sit down and skin the cat the other way ;)

    Vs doing it the easy way...

  • Limiter with alias applies to entire network


    @slepax check the state table for your connections. For instance, downloading from a web site is usually governed by the connection to the web server.

  • Traffic gets blocked due to default rule even after allow rule is added

    johnpoz

    @crak said in Traffic gets blocked due to default rule even after allow rule is added:

    Version:2.5.0-RELEASE

    I always wonder about how this is even possible. Where would you have gotten this install? It is no longer even available from the official downloads.. Did you download it a long time ago, and just now got around to installing it? Have you had it running for a while, and are just now having a problem, but have not updated to current?

    Traffic being blocked by default means there was no rule that allowed the traffic, or there was no state to allow the traffic.

    So what exactly is being blocked - a picture of the actual log entry would be very helpful, a picture of the actual rules on the interface, etc..

    A common problem I see is that traffic is out of state, which is why it is blocked, or traffic doesn't match up with the source network, say multicast or IPv6, etc.

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

  •

    @steveits Ahh, I see. Thank you for the answer. Much appreciated!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.