@SteveITS From what I can tell, drivers are up to date.

@johnpoz said in Firewall blocking everything but doesn't show up in the logs:

Why?

Well for me, when I spent hours chasing my tail on this issue I was brand new to pFsense and my only experience to networking was plugging in a consumer router. No networking 101 for me ever, so it was like learning a foreign language.

I'm far, far from an expert now. But and am miles ahead from where I was. It took a lot of getting my hands dirty in pfsense, tracking down issues in this forum and getting a lot of help from you and a lot of other folks (thanks!). Now I'm glad I have enough skill and confidence to pay it forward.

Never mind again. Found my own answer. Sorry to bug you!

@jknott
ok

i will make changes

@timtrace Yep that matches my understanding.
The floating rules are basically "raw" you need to be able to specify anything you need. In/Out, interface, everything, so Quick only exists in the GUI to allow you to specify it.

If you look at the rules as they exist on the device (I go do Diagnostics, Command Prompt and then enter "prctl -sr" (that dumps the rules as they wind up after optimization and processing.

Doing this you'll notice that all your user defined rules on an interface have the quick keyword automagically added. That keeps order consistent with the GUI so a user "rules are processed top down, first match wins". Without "quick" all rules are processed top down LAST match wins.

Think of Reverse Polish Notation on the old HP calculators :)

@viragomann
I just checked today and have not made any changes and it is working. Yesterday the rule was not working. Is there a delay or something before the rule gets applied. I applied the rule and then checked from a remote server and the server was not accessible, Today it is.

@viragomann

Host override should do the trick for LAN
Fqdn works on LAN and outside

@viragomann I had the option to turn of DHCP on the WiFi router so I did that and I turned the firewall off too

I solved by removing both the gateways and the IP addresses of vmbr1 and vmbr2
Now I finally have no more interruptions and the VMs are still able to access the Internet.

@johnpoz Okay Im going to buy one. I appreciate all your help.

@eeebbune why would you think that has anything to do with pfsense?

I only have a unifi mini on my network.. And I can ping it just fine - but its also listed in my controller..

ping.jpg

You prob get better support from unifi forums..

Pfsense has hidden rules that allow pfsense to do anything it wants really.. Unless you had some floating rule that was blocking outbound on your lan - pfsense firewall would have have nothing to do with pinging something on the lan..

can you ping the switch ip from the svr? What mask are you using for lan if 10.10.10 and 10.10.20 are in the same network?

@johnpoz said in Question about the BOGON table:

and the whole ca change just turns into a whole issue

I make up the numbers, but :
Nearly everything these days is TLS based.
Our end-user certificates are short lived - as the TTL of our host names ^^. The common trusted root certificates - there aren't that many after all - will 'expire'. They often last for 3 to 5 years, so a couple of them each month will fade away, and new ones are introduced.

The bottom line is : we want to (have to !) use TLS, we want it to be 'not expensive'.
The ancient rule applies : we got to learn and maintain just another thing.

And yes, on the "what happens if you don't maintain pfSense on the (close to) latest version", I never thought about this one.

@johnpoz said in Question about the BOGON table:

To be honest not a huge fan of acme in general I like the free ssl and all, but the 90 day thing I think is too short overall

Replacing certs, back in the past, when I was using classic annually $ certs and StartTLS certs, wasn't an easy admin task. Welll ... not difficult, but user errors were not (like NOT) allowed. You had to know what you were doing.
The web server was using them, the mail server uses them. DNSSEC was involved, and some others.
Because it was a yearly (two yearly ?) task, most software upgrade and instruction about how to do so could have been changed. So, as humans - me included - are involved in this task, it was messy.
The 90 days or, what the heck : why not one one week - made it necessary to automate it. An that was an important step. It's just good as now I'm not ready to forget how it works *, and I don't have to do it manually any more, greatly narrowing down the chance of f@&ing up.

Letenscrypt works for fine for me for the last couple of years, every month several certs are auto renewed just fine. A simple mail notification informs me that all is well, and after another 15 days, if some cert is not renewing (often because the admin again f*@&ed up).

It's all one big family : to know what "https" is, you have to know what certs are, so you have to know what DNS is, etc. Basically, you have to know what Internet is so you can use it, that's the way I see it. That is, if you want to throw in pfSense in this mix.

@johnpoz said in Question about the BOGON table:

90 day thing I think

I was thinking the same thing back then. It some how vanished. Dono why ;)

** because it's automated, you have to know how it works IMHO.

@emgrogean another "hint" if you will to look at.. If these boxes are windows. When the gateway is changed.. Ie the mac address of the gateway IP, even if the same IP - like when you change routers.

Windows can change its firewall profile, because it thinks its on a different network even if the IP ranges are the same. When windows changes its firewall profile this could break some stuff.. Lets say your pos firewall rules allowed xyz before, but now vs being on a private profile your on a public profile where these things are no longer allowed.

@boxer

Because we know Facebook has it"s own AS - well, some of use knew, and since they took themselves of the net, everybody now knows ^^ : see here : How to block AS numbers??