• Floating rule, "match" action, tagging - is "quick" necessary?

    @timtrace Yep, that matches my understanding. The floating rules are basically "raw": you need to be able to specify anything you need. In/Out, interface, everything, so Quick only exists in the GUI to allow you to specify it. If you look at the rules as they exist on the device (I go to Diagnostics, Command Prompt and then enter "pfctl -sr", which dumps the rules as they wind up after optimization and processing), you'll notice that all your user-defined rules on an interface have the quick keyword automagically added. That keeps order consistent with the GUI, so for a user "rules are processed top down, first match wins". Without "quick" all rules are processed top down, LAST match wins. Think of Reverse Polish Notation on the old HP calculators :)
  • WAN Rule not working

    @viragomann I just checked today and have not made any changes, and it is working. Yesterday the rule was not working. Is there a delay or something before the rule gets applied? I applied the rule and then checked from a remote server, and the server was not accessible. Today it is.
  • ActiveSync only works on WAN and not LAN

    noplan
    @viragomann Host override should do the trick for LAN. FQDN works on LAN and outside.
  • Do not update URL Table to empty if you cannot access the IP address site

  • Firewall Rule Routing IP Through VPN

    @viragomann I had the option to turn off DHCP on the WiFi router, so I did that, and I turned the firewall off too.
  • Using MikroTik with pfSense

  • [Solved] With all the Server NICs active, I lose the connection in LAN

    I solved it by removing both the gateways and the IP addresses of vmbr1 and vmbr2. Now I finally have no more interruptions and the VMs are still able to access the Internet.
  • Web Site whitelist

    natethegreat21
    @johnpoz Okay, I'm going to buy one. I appreciate all your help.
  • PFsense in proxmox with a management vlan

  • PFsense firewall Compatibility with Unifi switch?

    johnpoz
    @eeebbune why would you think that has anything to do with pfSense? I only have a Unifi mini on my network.. And I can ping it just fine - but it's also listed in my controller.. [image: 1634753374079-ping.jpg] You prob get better support from Unifi forums.. pfSense has hidden rules that allow pfSense to do anything it wants really.. Unless you had some floating rule that was blocking outbound on your LAN - the pfSense firewall would have nothing to do with pinging something on the LAN.. Can you ping the switch IP from the svr? What mask are you using for LAN if 10.10.10 and 10.10.20 are in the same network?
  • Question about the BOGON table

    Gertjan
    @johnpoz said in Question about the BOGON table: and the whole ca change just turns into a whole issue I make up the numbers, but : Nearly everything these days is TLS based. Our end-user certificates are short lived - as the TTL of our host names ^^. The common trusted root certificates - there aren't that many after all - will 'expire'. They often last for 3 to 5 years, so a couple of them each month will fade away, and new ones are introduced. The bottom line is : we want to (have to !) use TLS, and we want it to be 'not expensive'. The ancient rule applies : we have to learn and maintain just another thing. And yes, on the "what happens if you don't maintain pfSense on the (close to) latest version", I never thought about this one. @johnpoz said in Question about the BOGON table: To be honest not a huge fan of acme in general I like the free ssl and all, but the 90 day thing I think is too short overall Replacing certs, back in the past, when I was using classic annual $ certs and StartTLS certs, wasn't an easy admin task. Well ... not difficult, but user errors were not (like NOT) allowed. You had to know what you were doing. The web server was using them, the mail server uses them. DNSSEC was involved, and some others. Because it was a yearly (two yearly ?) task, most software upgrades and instructions about how to do so could have changed. So, as humans - me included - are involved in this task, it was messy. The 90 days - or, what the heck : why not one week - made it necessary to automate it. And that was an important step. It's just good, as now I'm not ready to forget how it works *, and I don't have to do it manually any more, greatly narrowing down the chance of f@&ing up. Letsencrypt has worked fine for me for the last couple of years; every month several certs are auto renewed just fine. A simple mail notification informs me that all is well, and after another 15 days, if some cert is not renewing (often because the admin again f*@&ed up).
    It's all one big family : to know what "https" is, you have to know what certs are, so you have to know what DNS is, etc. Basically, you have to know what the Internet is so you can use it, that's the way I see it. That is, if you want to throw pfSense into this mix. @johnpoz said in Question about the BOGON table: 90 day thing I think I was thinking the same thing back then. It somehow vanished. Dunno why ;) ** because it's automated, you have to know how it works IMHO.
  • New User Firewall Help

    johnpoz
    @emgrogean another "hint" if you will to look at.. If these boxes are Windows: when the gateway is changed.. i.e. the MAC address of the gateway IP, even if the same IP - like when you change routers. Windows can change its firewall profile, because it thinks it's on a different network even if the IP ranges are the same. When Windows changes its firewall profile this could break some stuff.. Let's say your pos firewall rules allowed xyz before, but now vs being on a private profile you're on a public profile where these things are no longer allowed.
  • How to block Youtube and or FB

    Gertjan
    @boxer Because we know Facebook has its own AS - well, some of us knew, and since they took themselves off the net, everybody now knows ^^ : see here : How to block AS numbers??
  • Minecraft Education | Unable to join multiplayer game

    dmp1ce
    Never mind, I guess 19133 is for IPv6 and 25565 is for Java Edition. So, opening 19132 should do it for my setup, but I cannot join, only host. Minecraft Education gets the wrong IP though.
  • Enabling firewall blocking rule without logging

    Thanks @johnpoz for the tips.
  • redirect dns of one device to kidsafe dns

    @stevogas said in redirect dns of one device to kidsafe dns: I have DoT configured, unbound, and a rule forcing all dns inquiries through the router. Are you sure that your rule to force all DNS inquiries through the router is not rerouting the host's DNS request back out through unbound? You might need to add a rule above the DNS rule that forces everything through the router. The new rule would allow the IP of the host to send traffic to 185.228.168.168, 185.228.169.168. If you need more help can you post some screenshots of your firewall rules, DNS (resolver/forwarder) and NAT redirect rules for the DNS.
  • Rules between two interface port tabs

    johnpoz
    @eeebbune said in Rules between two interface port tabs: server can't get packets from outside. Well to get from external you would need to create a port forward..
  • how to block return traffic?

    johnpoz
    @ler762 said in how to block return traffic?: Want: to be able to block any traffic going through the firewall. You do that before it "enters" the firewall.. Not return traffic from traffic you already allowed! As stated already... If you do not want to allow icmp, then block it! You allowed the icmp traceroute.. So the icmp reply to your own traffic is allowed by the STATE! Simple rule on your LAN: block icmp - there you go. There is no freaking way you read that rfc5927 and think what you have posted has anything at all to do with your traceroute example... And the mitigations to such attacks have ZERO to do with what you have tried. If your concern is mitigation of specific type(s) of attack gone over in an RFC, or elsewhere, and if pfsense can or already does or what can or can not be done to mitigate such types of attacks. A better post specifically that question.. A reply from a 10 address in a traceroute is not an "attack" that needs to be mitigated ;) If what you want is the ability to filter specific types of replies to something you allowed to be asked for.. Yeah I am not aware of that "feature" in pfsense. Allow connection to any IP port X (syn). Block the syn,ack if it comes from IP A, or network B.. Not aware of such a feature.. You could maybe do such a thing with some fancy rules not creating states. The simple solution is to not allow the syn to even go to IP A or network B in the first place - this stops the traffic from "going through" the firewall. But if your concern is actually can pfsense mitigate xyz attack, if so how, or is it being done already, that would be a much cleaner and better way to ask this question.
  • Can't access IP (LAN) from WiFi (WAN) [AnyDesk/TeamViewer]

    johnpoz
    @raulchiarella you would need to set up port forwarding to stuff "behind" pfSense. Also you would need to uncheck the block RFC1918 rule on the WAN.. Since more than likely the wifi off your ISP device is an RFC1918 network. You would prob have a better experience moving your wifi to also behind pfSense, either just connected to your LAN network or other VLANs you might be using. In that scenario you would need either an AP or an old wifi router you could leverage as just an AP.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.