  • Ports/Outbound NAT required for PS4 (FIFA22)

    0 Votes
    1 Posts
    329 Views
    No one has replied
  • Internal connection

    0 Votes
    1 Posts
    362 Views
    No one has replied
  • Firewall Rule to allow my NAS to see outward to the internet

    0 Votes
    4 Posts
    777 Views
    johnpoz
    @panzerscope said in "Firewall Rule to allow my NAS to see outward to the internet": "So all is good! Thanks for triggering something in my brain haha." No, that would have ZERO to do with your wan seeing broadcast traffic from your lan network - which is broken!!
  • Blocking traffic from/to other networks/interfaces

    0 Votes
    3 Posts
    904 Views
    johnpoz
    @droidus said in "Blocking traffic from/to other networks/interfaces": "or is there a better way to do this?" I have come to the conclusion that it is always best to be very explicit with your rules vs using ! or inverse rules. If your goal is to block your game network from going to the lan network, then I would put in an explicit rule that says that.. Or use a rule that lists all the rfc1918 networks, etc. There can be some odd stuff that happens when there are vips and you use bang rules.. Also it's easier to read the rules if you're very explicit with them vs doing inverse stuff. Here is an example of a network that is locked down from going to any of the other local networks. [image: 1637932515881-explicit.jpg] This network is allowed to ping pfsense, allowed to ask it for dns and ntp. But not allowed to talk to pfsense on any other port on any other interface (think gui or ssh for example). The "this firewall" alias is good because it includes your wan IP, which normally would be public and not included in the rfc1918 list, and it could change, etc., so the alias makes sure it can not go to the wan IP for access to, say, the web gui, even if it changes. And then it is specifically blocked from talking to any other rfc1918 network (10/8, 192.16/16 or 172.16/12). The last rule allows internet.
  • Internet navigation problem using browser on LAN client host

    0 Votes
    9 Posts
    922 Views
    V
    @mauro-tridici said in "Internet navigation problem using browser on LAN client host": "I forgot to ask you what kind of message I should see in this case in the logs :)" Pretty much anything, since I have no idea what could be the reason for now. Usually there are not really many lines written into the system log during normal operation anyway. Is this pfSense running in a VM?
  • Pfsense in Proxmox and VLANs. Firewalling issues?

    0 Votes
    2 Posts
    744 Views
    sensei-two
    This is strange. I restarted all my devices this morning, I tried it again, and it turned out that I can now open a Remote Desktop session from my external PC to my Windows VM in Proxmox in VLAN10, but I still can't ping it! UPDATE: I FIXED IT!! It was the Windows firewall... that bastard :-)
  • Block everything except

    0 Votes
    2 Posts
    621 Views
    NogBadTheBad
    @rezartlelo said in "Block everything except": "Sorry if the questions have already been asked but I didn't find any resource to help me. I want to block everything except WhatsApp, Google Search, Email services, and a few domains. I'm trying to use pfBlocker by using DNS names, but it's not working how I want it. Can anyone please suggest a better way to work on that or an alternative solution? Thanks" Tried using ASN numbers and using them in an alias in an allow rule? [image: 1637754991913-screenshot-2021-11-24-at-11.55.15.png] Might give them a bit more access than you want, maybe tweak the dst ports as well.
  • Firewall block rule allow

    0 Votes
    7 Posts
    1k Views
    M
    @johnpoz my serial traffic is like this: branches (10.0.0.08) > connected to my central office, enter a CORE (MPLS) and then firewall > pfSense (IPsec) and enter the tunnel, use a WEB application. The problem with logs would be generated by the fact that users leave the web application logged in and it keeps giving some refresh? And we only access the other side. Would pfsense need to have static routes to branches? Thanks.
  • Ignore any IP not resolving to a trusted domaine

    0 Votes
    33 Posts
    3k Views
    johnpoz
    @wastapi no, that is the default cron that updates the IPs. Is that running? I don't recall the details, but I do recall some thread or threads about aliases not updating or loading.
  • RDP to secondary LAN

    0 Votes
    8 Posts
    1k Views
    F022Y
    Sorry, been away so not been back. I decided to try it and restricted to the IP I got from my mobile phone provider and it worked a charm. I guess that pfSense doesn't care about the inbound interface (by this I mean the NIC being presented internally) as pointed out by SteveITS.
  • How to reset interface for pfsense

    0 Votes
    3 Posts
    697 Views
    J
    @steveits Hi. Thank you for the reply. So, the IP I had set was 192.168.100.1. I see that I can make assignments of a named interface to a physical port. What I don't see is how pfsense selects an interface for its domain. It was using my bridged interface, and even survived reboots. However, today it had decided to use the LAN3 interface address space for the domain found in /etc/hosts.
  • Firewall rules, NAT and other stuff that escapes me

    0 Votes
    10 Posts
    1k Views
    johnpoz
    @octopuss if they were going to do it correctly.. They would clearly state you need to port forward or allow unsolicited inbound to your device. And they should list any specific IPs they could.. For example if coming from their network(s) - list those.. If it needs to be from any, say servers you're hosting or whatever that other players would need to be able to connect to, state that, etc.
  • pot. Bug(s) with Interface Groups & firewall rules

    0 Votes
    6 Posts
    916 Views
    JeGr
    @jimp said in "pot. Bug(s) with Interface Groups & firewall rules": "@jegr said in 'pot. Bug(s) with Interface Groups & firewall rules': 'Separators could be a good guess but I didn't mention them as the interface group doesn't have one. But yes, on the systems I tested with there were separators on other interfaces as we always use them for better rule grouping.' It's not a guess, it's definitive. It's what xmllint flagged as invalid XML which triggered the config rollback." Just edited my post above, sorry. Seems the easiest way would be to limit groups to not only disallow them ending with a digit but also starting with one.
  • Is it possible to allow AirPrint from one VLAN to another without Avahi?

    0 Votes
    13 Posts
    2k Views
    johnpoz
    @imthenachoman said in "Is it possible to allow AirPrint from one VLAN to another without Avahi?": "I'd hate to consume someone else's time with this" Dude, I wouldn't do it if it didn't interest me as well.. I just need some motivation to do it; helping someone else with their issues is normally motivation for me to sit down and skin the cat the other way ;) Vs doing it the easy way...
  • Limiter with alias applies to entire network

    0 Votes
    4 Posts
    746 Views
    S
    @slepax check the state table for your connections. For instance downloading from a web site is usually governed by the connection to the web server.
  • Traffic gets blocked due to default rule even after allow rule is added

    0 Votes
    3 Posts
    605 Views
    johnpoz
    @crak said in "Traffic gets blocked due to default rule even after allow rule is added": "Version:2.5.0-RELEASE" I always wonder about how this is even possible. Where would you have gotten this install? It is no longer even available from the official downloads.. Did you download it a long time ago, and just now got around to installing it? Have you had it running for a while, and just now having a problem, but have not updated to current? Traffic being blocked by default means there was no rule that allowed the traffic, or there was no state to allow the traffic. So what exactly is being blocked - a picture of the actual log entry would be very helpful, a picture of the actual rules on the interface, etc.. Common problem I see is traffic is out of state, which is why it's blocked, or traffic doesn't match up with the source network, say multicast or ipv6, etc. https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
  • 0 Votes
    6 Posts
    740 Views
    ?
    @steveits Ahh, I see. Thank you for the answer. Much appreciated!
  • IP Network alias block all but one

    0 Votes
    18 Posts
    2k Views
    M
    @johnpoz Just a quick note, I was able to get the VIP stuff set up and working. Took a little bit to get the right pieces, but it worked pretty much as advertised in the doc you linked. Thanks
  • content filter

    0 Votes
    4 Posts
    864 Views
    Gertjan
    @reynold said in "content filter": "But I'm looking for something simpler." Go for pfBlockerNG 3.1.0. @reynold said in "content filter": "using snort." Would have to use TLS decoding, which brings back the "what is in the TLS stream" question. That is, only IP source and destination, and source and destination ports, are otherwise known to indicate what packets might contain (and some packet header flags).
  • Aliases hostnames resolved every 15 min instead of set 1 hour

    0 Votes
    6 Posts
    978 Views
    P
    @bmeeks It looks like you are correct. I disabled the rules with schedules, the cron job to reload filters disappeared and hostnames resolved every hour instead of every 15 min. Let it be the way it is. Although, I don't understand why the scheduling system is so inefficient (maybe not the right term here) - why, if I set a schedule to do something twice a week, the filters have to reload every 15 min every day.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.