  • Firewall Caching SSL Certificate
    0 Votes, 1 Post, 249 Views. No one has replied.
  • Allow LAN to Access Devices from OPT1
    0 Votes, 12 Posts, 2k Views
    johnpoz: @chooks None of those rules do anything below this one. [image: 1631695258990-any.jpg] The only reason you're seeing traffic on them is that at some point the rules were in a different order. Reset your counters and you will see none of those rules will trigger. Run pfctl -z; it will clear all those counters. Since you have an any/any rule at the bottom, change that rule to LAN net to OPT net to allow access to your OPT net. Putting that rule at the top like you have it invalidates all the rules below it.
  • RTSP no video only audio on VLAN
    Tags: rtsp, vlan, streaming
    0 Votes, 2 Posts, 643 Views
    C: OK, I got it! When I block UDP traffic from LAN (see rule or image below) to the IP cam's IP address, it works as it should. What I think happened is that by default UDP doesn't work (still don't know why, btw), so the camera is forced to use TCP. It's just a guess. [image: Capture.png]
  • Connecting To Printer on VLAN
    0 Votes, 6 Posts, 805 Views
    ghostshell: @johnpoz So I did a packet capture when I try to connect to the web GUI:
      21:02:36.436777 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
      21:02:36.458198 IP 192.168.121.40.80 > 192.168.1.142.53204: tcp 0
      21:02:36.460112 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
      21:02:36.460613 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
      21:02:36.708824 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
      21:02:37.017430 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
      21:02:37.617359 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
      21:02:38.817678 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
      21:02:39.646716 IP 192.168.121.40.80 > 192.168.1.142.53204: tcp 0
      21:02:39.647974 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
      21:02:41.218083 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
      21:02:45.946981 IP 192.168.121.40.80 > 192.168.1.142.53204: tcp 0
      21:02:45.948169 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
      21:02:46.026053 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
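    The capture in that post, read by a small parser, as an added example (not the poster's code and not pfSense code). The capture lines are copied from the post; everything else is mine. pfSense's Packet Capture at low verbosity prints no TCP flags, only the payload length ("tcp 470"), so the checks below are heuristics that work from direction, size and timing: the first three empty segments look like a completed three-way handshake, after which the 470-byte request from 192.168.1.142 is repeated with gaps that roughly double while 192.168.121.40 only ever sends empty segments. That is the shape of TCP retransmitting data that is never acknowledged; the script does not say why, only that the data is not getting through or the acknowledgements are not coming back.

```python
"""Reading a pfSense packet capture of a stalled web-GUI connection.

Added example, not code from the forum post or from pfSense. CAPTURE is
copied from the post; parse(), handshake_completed() and
retransmission_runs() are heuristics written for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

CAPTURE = """\
21:02:36.436777 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
21:02:36.458198 IP 192.168.121.40.80 > 192.168.1.142.53204: tcp 0
21:02:36.460112 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
21:02:36.460613 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
21:02:36.708824 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
21:02:37.017430 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
21:02:37.617359 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
21:02:38.817678 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
21:02:39.646716 IP 192.168.121.40.80 > 192.168.1.142.53204: tcp 0
21:02:39.647974 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
21:02:41.218083 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
21:02:45.946981 IP 192.168.121.40.80 > 192.168.1.142.53204: tcp 0
21:02:45.948169 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 0
21:02:46.026053 IP 192.168.1.142.53204 > 192.168.121.40.80: tcp 470
"""

# One capture line: time, "IP", src.port > dst.port: tcp <payload length>
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp (?P<len>\d+)$")


def parse(text):
    """Turn capture lines into dicts with t (datetime), src, dst (ip, port), len."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP summary line
        pkts.append({
            "t": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
            "len": int(m["len"]),
        })
    return pkts


def handshake_completed(pkts):
    """Heuristic (no flags available): first three segments are empty and go
    A->B, B->A, A->B, which is what SYN, SYN/ACK, ACK look like here."""
    if len(pkts) < 3 or any(p["len"] for p in pkts[:3]):
        return False
    a, b = pkts[0]["src"], pkts[0]["dst"]
    return ((pkts[1]["src"], pkts[1]["dst"]) == (b, a)
            and (pkts[2]["src"], pkts[2]["dst"]) == (a, b))


def retransmission_runs(pkts, min_repeats=3):
    """Data segments of one size sent repeatedly in one direction while the
    peer sends no data at all. Returns {(src, dst, len): {"count", "gaps"}};
    gaps are seconds between repeats and roughly double when it is the TCP
    retransmission timer backing off."""
    runs = {}
    sizes = defaultdict(list)
    for p in pkts:
        if p["len"] > 0:
            sizes[(p["src"], p["dst"], p["len"])].append(p["t"])
    for (src, dst, size), times in sizes.items():
        peer_data = any(p["len"] > 0 and p["src"] == dst and p["dst"] == src
                        for p in pkts)
        if peer_data or len(times) < min_repeats:
            continue  # normal request/response traffic, not a stalled send
        gaps = [round((b - a).total_seconds(), 2)
                for a, b in zip(times, times[1:])]
        runs[(src, dst, size)] = {"count": len(times), "gaps": gaps}
    return runs


if __name__ == "__main__":
    pkts = parse(CAPTURE)
    print("handshake completed:", handshake_completed(pkts))
    for (src, dst, size), info in retransmission_runs(pkts).items():
        print(f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]} sent {size} bytes "
              f"{info['count']} times, gaps {info['gaps']}")
```

    On this capture the script reports the handshake as completed and one run: 192.168.1.142:53204 sent 470 bytes 7 times with gaps of about 0.25, 0.31, 0.6, 1.2, 2.4 and 4.8 seconds. The same parser works on any low-verbosity pfSense capture; with a higher verbosity setting the lines carry flags and sequence numbers and the heuristics can be replaced by real checks.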
  • ip address silently blocked
    0 Votes, 35 Posts, 3k Views
    lifeboy: @nogbadthebad, I could, but I don't know if it's worth the effort if this issue will be addressed by an updated bogon table.
  • agfeo phone system behind pfSense
    0 Votes, 1 Post, 168 Views. No one has replied.
  • Large file transfer crash
    0 Votes, 17 Posts, 1k Views
    P: Hi all. Well, the correct drivers have solved the problem; moved TBs of data in stints of over 8 TB and no crash. I am, however, going off and getting an Intel 340-T4 card, as I don't want to get caught needing to install separate drivers again; I am of the "it works out of the box" camp. Also the better card will assist in offloading etc. Cheers all.
  • Creating WAN rule using API
    0 Votes, 4 Posts, 518 Views
    bmeeks: Here is a link to the official documentation for the pfctl utility in FreeBSD: https://www.freebsd.org/cgi/man.cgi?query=pfctl&apropos=0&sektion=8&manpath=FreeBSD+12.2-stable&arch=default&format=html. Within pfSense, "aliases" are actually implemented as pf tables. So you could create one or more aliases, and then use the pfctl utility to populate those aliases (or tables) with IP address info. But you can't literally create an entire rule this way. Tables hold only IP information. They do not hold rule action or traffic protocol information. So that goes back to my original reply: "there really is no API exposed for this."
  • Open a port and check if it's open
    0 Votes, 6 Posts, 811 Views
    V: @johnpoz Thank you
  • Add too many IP in alias
    0 Votes, 4 Posts, 560 Views
    C: How can I increase the timeout?
  • One Device Access Device on Different Interface?
    0 Votes, 3 Posts, 418 Views
    A: @johnpoz Thanks for this, will give this a try.
  • How do I match tagged traffic?
    0 Votes, 12 Posts, 548 Views
    S: @skilledinept said in How do I match tagged traffic?: "Then I reread the docs really slow out loud LOL." That has helped me in life too. Glad you got it sorted. I also have found it helpful to look at states when matching traffic, because things like a web server response (download) are via an incoming state (HTTP GET).
  • Simple allow rule is still blocking... please help
    0 Votes, 6 Posts, 604 Views
    johnpoz: @matt_indy said in Simple allow rule is still blocking... please help: "So many voices online (including Netgate resources) say deny all, then allow only what you need." From a security point of view, yes, this is the correct stance. But in a home network it's not very viable, unless you want to become full-time IT for your home users. In a corp setup, when user(s) need access to some oddball resource, it's either allowed or denied. If allowed and it doesn't work through the proxy, then a specific exception is made on the firewall that allows said access, with, sure, the outbound port, along with the destination. You'd be hard pressed to find any security folks that would say "oh, you need port X, where do you need that to? What is the IP, or IP range, that you need X to? Oh, the whole freaking internet - yeah, sorry, no ;)" As a learning exercise, sure; look how fast you found out it's not really a viable solution in a home setup where stuff other than browsing the web is used ;) "Dad, my new game doesn't work again!!" How often do you want to hear that? ;) How many corp networks allow you to use FaceTime, for example, on their corp wifi tied to all the corp services? That should be like ZERO! Other than some small ma and pa shop... You want to use FaceTime, use your cell data package. Or connect to the guest wifi network that isn't tied to corp anything.
  • Firewall log flooded with these messages
    0 Votes, 2 Posts, 427 Views
    johnpoz: @chrisjenk said in Firewall log flooded with these messages: "to network f::/4, yet somehow it doesn't match this traffic." Why would you think that would match? The range of f::/4 would be like 0000:0000:0000:0000:0000:0000:0000:0000 to 0fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff. Even if it did, why would you open up such a wide area? Multicast DNS is always going to be to ff02::fb, so just set your rule for that. As to blocking it, it's blocked by default; if you don't want to log it, then create a rule that doesn't log traffic to ff02::fb. The only reason you would need to allow that is if you were doing something with avahi. pfSense is not going to answer an mDNS query, and it's not going to route it anywhere either.
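    Two threads on this page, "Allow LAN to Access Devices from OPT1" (an any/any rule at the top means nothing below it can ever fire) and this one (f::/4 is the network ::/4 and never covers ff02::fb), both come down to how a first-match ruleset is evaluated: pfSense GUI rules are evaluated top-down and the first rule that matches wins. The following is an added example, not pfSense code and not code from either poster. The rule names, the LAN/OPT subnets and the packets are made up for the example, and the Rule class is a simplification (no interface, direction, state or reply-to options); the point is the subset check, which is the same thing pf does implicitly.

```python
"""First-match rule evaluation for a pfSense-style interface ruleset.

Added example, not pfSense or forum code. It shows two things:
  * a rule placed above others whose match is a superset of theirs means
    the lower rules can never fire (the any/any rule in the OPT1 thread);
  * an IPv6 destination written as f::/4 normalises to ::/4, so it does
    not cover ff02::fb (the mDNS thread); ff02::fb/128 does.
All names, subnets and packets below are invented for the example.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


def _net(spec):
    # strict=False normalises 'f::/4' to its real network, ::/4, which is
    # what the prefix actually matches.
    return ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # 'pass' or 'block'
    proto: str                 # 'any', 'tcp', 'udp', ...
    src: str                   # network, e.g. '192.168.1.0/24'
    dst: str
    dport: Optional[int] = None  # None = any destination port
    log: bool = True

    def matches(self, proto, src, dst, dport=None):
        if self.proto != "any" and self.proto != proto:
            return False
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sn, dn = _net(self.src), _net(self.dst)
        if s.version != sn.version or d.version != dn.version:
            return False
        if s not in sn or d not in dn:
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other):
        """True if every packet 'other' could match would already match self."""
        if self.proto != "any" and self.proto != other.proto:
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        sa, sb = _net(self.src), _net(other.src)
        da, db = _net(self.dst), _net(other.dst)
        if sa.version != sb.version or da.version != db.version:
            return False
        return sb.subnet_of(sa) and db.subnet_of(da)


def first_match(rules: List[Rule], proto, src, dst, dport=None):
    """Top-down, first match wins. None means no rule matched, which on a
    pfSense interface is the implicit default deny (and it is logged)."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule makes the later one dead."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(r):
                out.append((r.name, earlier.name))
                break
    return out


# OPT1 thread: catch-all first, specific rules below it (invented addresses).
LAN_RULES = [
    Rule("allow everything", "pass", "any", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("lan to opt", "pass", "any", "192.168.1.0/24", "192.168.10.0/24"),
    Rule("lan web out", "pass", "tcp", "192.168.1.0/24", "0.0.0.0/0", 443),
]
# Same rules with the specific ones first and the catch-all last.
FIXED_LAN_RULES = [LAN_RULES[1], LAN_RULES[2], LAN_RULES[0]]

# mDNS thread: a rule on f::/4 versus a quiet block on ff02::fb itself.
MDNS_WRONG = [Rule("mdns", "block", "udp", "::/0", "f::/4", 5353, log=False)]
MDNS_RIGHT = [Rule("mdns", "block", "udp", "::/0", "ff02::fb/128", 5353, log=False)]

if __name__ == "__main__":
    print("shadowed:", shadowed(LAN_RULES))          # both lower rules are dead
    print("shadowed after reorder:", shadowed(FIXED_LAN_RULES))
    print("f::/4 is really", _net("f::/4"))
    print("f::/4 rule hit:", first_match(MDNS_WRONG, "udp", "fe80::1", "ff02::fb", 5353))
    print("ff02::fb rule hit:", first_match(MDNS_RIGHT, "udp", "fe80::1", "ff02::fb", 5353))
```

    The shadow check is the thing to run before trusting rule counters: as johnpoz notes, counters can show hits from a time when the rules were in a different order, whereas `shadowed()` answers from the rules as they are now. With the f::/4 rule, `first_match` returns None for a packet to ff02::fb, which is exactly why the default deny kept logging it; the /128 rule matches and, with log off, silences it.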
  • Missing rules
    0 Votes, 6 Posts, 749 Views
    S: @_neok When you say no changes, you're looking at Diagnostics / Backup & Restore / Config History? Is it possible it booted and for some reason restored/recovered an old config file? I seem to vaguely recall reading about that somewhere, if the config file was corrupt, but can't find that right now.
  • Problem with a specific website
    0 Votes, 11 Posts, 1k Views
    B: Hi, I have now reinstalled pfSense on a new hard disk; now DNS works without forwarding. Thank you all, brickone
  • Pfsense Azure - Internet by WAN and not by Azure
    0 Votes, 5 Posts, 1k Views
    A: Hi @brownie and @aomiglionni, I have the same scenario and I am having the same issue. I have created rules in the NSG allowing all the ports because, as @Brownie says, the default rules stop all the ports. But the connection problem persists.
  • Deployment issues
    0 Votes, 3 Posts, 375 Views
    c-amg: Thank you, but I want to use ros for my main router. Then pfSense is only responsible for IDS and IDP functions.
    0 Votes, 18 Posts, 791 Views
    johnpoz: Not exactly sure what you're trying to accomplish here... The default LAN rules already do exactly what you want: your LAN net is allowed; if it's not LAN net as source, then it's blocked. Also, it's your LAN; why would there ever be anything other than LAN as source on the LAN? If there was, it's not going to work anyway ;)
  • Using IPv6 Dynamic Prefix in Firewall Rules
    Tags: ipv6
    0 Votes, 1 Post, 391 Views. No one has replied.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.