• 0 Votes
    5 Posts
    3k Views
    R
    @johnpoz Thank you so much again. Understand all. Couple of clarifications:
    Yes, understood, I was looking to be able to access pfSense and the LAN, but not the internet, in this instance. Either way, everything you said helped clarify it for me and I both understand it and got it configured and working. :))
    2a. Mine is manual, but yes, great points and idea. The allow rule you are referring to would be an allow any and the gateway or default gateway, correct?
    Correction: VLAN 1 includes all ports as members, then port 1 (trunk) is tagged in every VLAN. Is that the correct configuration? Also, on one of the switches I am looking at (all are good, one is high-end) I noticed that VLAN 1 (under its VLAN ID tab in membership) is an untagged member on every port as well. This includes ports with the assigned untagged VLAN also. Is that incorrect? Should only the VLAN assigned to that port be untagged, correct?
    Okay, and if a block egress rule is in floating, that would go on the WAN or other gateway as previously discussed, correct?
    edit: VLAN 1 is now neither tagged nor untagged on ports with other VLANs untagged on them. All seems to be working, so thinking that is the correct config. :) Therefore, now not all ports are members of VLAN 1, but port 1 (trunk) is tagged on each VLAN on other ports. ex:
    VLAN ID    Port Member
    1          1 17 27    (not a member of ports with VLANs assigned untagged)
    10         1 2        (VLAN 10 U on port 2)
    Port 1 tagged on every VLAN.
  • How to - Block and Filter Egress Traffic

    firewall rules egress port blocking
    12
    0 Votes
    12 Posts
    3k Views
    R
    @johnpoz Okay, all makes sense as always from you. Thank you. And yes, pfBlocker is definitely on the list to learn and set up. Also: I just set up a new switch and it has brought me to one last issue I'm having trouble with regarding management and isolated LAN. Seems to be of interest from the posts I've read, but no real answers I've seen, so I am going to start another thread, easier to find the related topic for others, with last questions for you. Hope you do not mind...
  • Many rules or "One to rule them all" | should I play with floating ?

    1
    0 Votes
    1 Posts
    192 Views
    No one has replied
  • Issue: I cant access anything on the LAN after initial setup

    setup nat firewall
    12
    0 Votes
    12 Posts
    2k Views
    AndyRHA
    @shaungehring This sounds similar to an arp cache issue we had. We could not connect, ping it, then all was good. The network team did something to the arp cache on a switch to resolve it. I do not have details as it was many years ago. Maybe that will get you in the right direction.
  • IPV6 and firewall rules with dynamic IPV6

    20
    0 Votes
    20 Posts
    2k Views
    C
    @johnpoz said in IPV6 and firewall rules with dynamic IPV6:
        @cr8tor said in IPV6 and firewall rules with dynamic IPV6:
            I'm finding that the hurricane electric tunnel does not play nice with Xbox live
        And why is that.. the xbox wouldn't have any idea you're running through a tunnel - just like the tunnel you're using via 6rd.. If all you want it for is your xbox - put that on its own vlan.. Only box on that vlan - then who cares if its IPv6 address changes via 6rd..
    Because a moderator on an xbox live forum said so. Please note, I did also finish with "Am still researching though." Far be it for a forum moderator to be incorrect. You sure do seem sour. Not pleasant to deal with. But alas, thanks for the suggestions anyways. I know I'm not always the best to deal with either so I am not flaming, just sharing. I am curious. Are you currently drunk so as "to spend time with his fools"? That seems like an odd quote to have in your signature. Seems to imply we are fools.
  • TCP:SA getting blocked by Firewall

    6
    0 Votes
    6 Posts
    8k Views
    I
    Thanks a million @peterfranca! I had been struggling to get my Unifi switch to be adopted by my Unifi controller instance. pfSense was blocking it with the default IPv4 rule no matter what firewall rule I put in. The link you provided solved the problem. Been hitting my head against the wall for days. You are a champ. IT
  • FW rules keeping established connections

    5
    0 Votes
    5 Posts
    659 Views
    P
    Thanks a lot, @mer !!!
  • Could a Netgate be used to protect my Home LAN from my Home Lab?

    8
    0 Votes
    8 Posts
    894 Views
    V
    Thanks Jon and Steve - I very much appreciate your informative answers!
  • Please help me to get it floating quick vs Interface rules

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
    @eeebbune Any questions - please just ask, here to help!
  • How to block AS numbers??

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG
    This AS filtering works pretty well. Dunno if it's perfect, but looking at the sheer number of firewall rule hits overnight, it did block a lot. I have to remove it now, as people start to look in my direction. Found this on the forum:
    whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt
  • DHCP Server on LAN Interface requires Firewall Rules

    2
    0 Votes
    2 Posts
    429 Views
    johnpozJ
    @tkrausjr you have no need to add any rules on any interface dhcp is enabled. They are auto added and hidden... Look at the full rules.. https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html example these are mine.. [image: 1633545842205-rules.jpg] if you needed to add a rule for dhcp to work - and you had no rule, how would it ever work.. Whatever issue you're having is not related to needing a firewall rule to allow for dhcp..
  • Inter vLAN comm doesn't work

    18
    0 Votes
    18 Posts
    1k Views
    johnpozJ
    @itestandroid that is just normal auto outbound nat, like this.. [image: 1633474260854-nat.jpg] Those should be all your networks/vlans and tunnel networks for say openvpn, etc. or do you mean somewhere else? "I have an automatically generated rule:" Picture always worth 10k words if you ask me.. What gets me thinking you're not talking about outbound nat is "WAN address" ?? That would be like a port forward?
  • [zone: pf states] PF states limit reached

    3
    0 Votes
    3 Posts
    705 Views
    johnpozJ
    @fwcheck said in [zone: pf states] PF states limit reached:
        Moreover you should check what causes these high states
    Exactly - if it happens around the same time every day.. Do you have some sort of scan taking off? That seems like a high amount of destination addresses.. Sure looks like a scan of some sort to me.. You have a really low number of source IPs.. So I take it not a lot of clients? Where are all the states to? or from?
  • I don't understand how firewall sending packets by rule order.

    1
    0 Votes
    1 Posts
    192 Views
    No one has replied
  • Backdoor into Home network through company laptop

    13
    0 Votes
    13 Posts
    1k Views
    V
    @gwaitsi said in Backdoor into Home network through company laptop:
        Problem is, I had both my work laptop and my wife's laptop on the same guest network. So my work penetration testing could have potentially hit my wife's work.
    I assume your guest network is a Wifi. Most wireless access points have the capability to block communication between stations connected to it within the same SSID. It's good advice to activate this option on a guest network as there should be no need to access any other device.
  • Whitelisting Microsoft Update sites isn't working

    10
    0 Votes
    10 Posts
    3k Views
    G
    As far as I know, Microsoft never published a list with domain names it uses 'to call home'. Here is the DNS list from Microsoft itself, for Windows 10 and 11: https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#device-cannot-access-update-files but my personal list has some (one or two?) extra hosts, collected sniffing traffic from Windows 7, 8, 8.1, 10:
    *.prod.do.dsp.mp.microsoft.com
    windowsupdate.microsoft.com
    *.windowsupdate.microsoft.com
    update.microsoft.com
    *.update.microsoft.com
    windowsupdate.com
    *.windowsupdate.com
    wustat.windows.com
    ntservicepack.microsoft.com
    go.microsoft.com
    dl.delivery.mp.microsoft.com
    slscr.update.microsoft.com
    *.delivery.mp.microsoft.com
    *.wsn.windows.com
  • 0 Votes
    1 Posts
    950 Views
    No one has replied
  • Help with rules on vlans

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ
    @sneakynuts said in Help with rules on vlans:
        Am I right in assuming that unless I have an allow rule, everything else will be blocked.
    Default is deny, yes - there is never a reason to add a block rule at the end - unless you want it to not log, or change it to reject vs block.. Default is deny on every interface - unless you allow something it is blocked.
  • Rules not allowing traffic between networks

    2
    0 Votes
    2 Posts
    292 Views
    B
    Both rules have logging turned on. The rule on the LAN interface shows the allow logs, but no ping reply is returned. I did a tcpdump on the device with 10.100.9.248, but I don't see the ping requests arriving at the device. [image: 1633043519876-b92b1cf7-22a7-481d-a732-4000becca98b-image.png] When pinging from 10.100.9.248, there are no logs that show up in pfSense. [image: 1633043721629-c5d1847e-fb2c-4c64-938a-69ce01b239ab-image.png] I just can't figure this out...
  • plex remote access issue 2.5.2

    4
    0 Votes
    4 Posts
    680 Views
    L
    @loststatetable Okay last post! Apparently, it's an issue with plex. They just updated that they're having remote SSL connection issues. I checked https://status.plex.tv/ when I first started troubleshooting but they hadn't updated it yet. Checking now will show that there are issues.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.