Bridge mode would give your pfSense a public WAN IP so there would not be port forwarding on the Comcast. Basically, yes.

@nogbadthebad "Don't pull Routes" is ticked

@operaiter VPN type is irrelevant. You're just setting up two IP routes, nothing more. Have you enabled routing between the 2 sites? If you haven't set up appropriate routes from the 2 LANs and through pfsense, you will not be able to connect.

@062bel313 said in No internet access to VLAN when isolating it with LAN net: not sure about your questions on ACLs, no idea hehehe. What are you running for dns on 10.9? Different dns software has a feature of Access Control Lists which determine what IPs or IP ranges can do different types of queries.. Unbound and Bind both support this feature for example. Unbound running on pfsense out of the box will auto create ACL entries for locally attached networks, etc. [image: 1636564096205-acl.jpg] Here is bind package for example [image: 1636564157934-bindacl.jpg] So depending on what dns you running on 10.9 - it would be possible that you would have to edit whatever ACLs to allow for queries from your other network/vlans

@johnpoz Thank you. The logic on that option is inverted, and it didn't compute.

That's part of the nature of conservative mode -- states will pile up more. If some client behavior changes and makes the clients open more states, then they'll hang out longer. What you could do is keep the router itself on normal mode and setup custom state timeout rules to match the VoIP traffic which sets different state timeouts just for them, and perhaps only for VoIP/RTP traffic for example. Narrow down the longer state lifetimes as much as possible.

@winlin Our data center doesn't have NAT but that isn't quite what you're asking for...you are looking to have the same subnet in WAN and OPT1 which would be a bridge. In our case the router's WAN IP has the LAN subnet routed to it by the data center.

How are you using the geo blocking? It sounds like you are using geo blocking outbound traffic. I would think that geo blocking is used more on inbound traffic rules. For example you run a web server and you want to block traffic from China. Or you have VPN setup but only want to allow traffic from the US or whatever country you are in. The geo blocking works on IP addresses. But you are trying to whitelisting DNS names. A DNS query for www.domain.com can return multiple different IPs. I would instead use the DNSBL feature of pfBlocker for outbound traffic.

This was a user error. All is well.

@rasithapr said in policy based routing for usb dongle: it can be done with policy based routing. i don't know how to do that. searched It's in the manual : pfSense policy based routing. You need to create a alias will all the Youtube IP's, and use that alias in your "policy based addresses if you know the 'AS' - Youtube in this case.firewall rule". In the pfBlockerNG forum there was a thread about a month (?) ago how to such a list with IP Btw : install Youtube, and use "pfsense policy based routing" a a search phrase. You will find many video's. I wonder how you managed to miss these .... ;)

@gros4563 said in Unable to connect to a printer on the same VLAN inbetween router: what would be needed Nothing. True, the printer can not be auto discovered by the OS on your laptop, or show up by magic in Explorer (Windows). But you use the manual setup, and enter its IP address. That will work. You show a cable modem with LAN IP of 10.0.0.1 and pfsense 10.0.0.2 (using DHCP ?) on its WAN. Are you sue its a modem device ? I suspect its a router. If so, you can hook up the printer your your modem. It will get get an IP like 10.0.0.3 - and now you can also use it from your laptop using this IP.

@SteveITS From what I can tell, drivers are up to date.

@johnpoz said in Firewall blocking everything but doesn't show up in the logs: Why? Well for me, when I spent hours chasing my tail on this issue I was brand new to pFsense and my only experience to networking was plugging in a consumer router. No networking 101 for me ever, so it was like learning a foreign language. I'm far, far from an expert now. But and am miles ahead from where I was. It took a lot of getting my hands dirty in pfsense, tracking down issues in this forum and getting a lot of help from you and a lot of other folks (thanks!). Now I'm glad I have enough skill and confidence to pay it forward.

Never mind again. Found my own answer. Sorry to bug you!

@jknott ok i will make changes