@GPz1100 I would guess your floating rule is allowing it if/since you're not blocking those ports otherwise. But, you say FTP transfer didn't work?

Passive FTP ports are controlled by the server. Some use all 1024 through 65535.

FWIW I usually prefer two rules just for clarity.

The floating vs interface rule order may be involved here, too:
https://docs.netgate.com/pfsense/en/latest/nat/process-order.html

Yes, its right.
VLANs are sub interface on the ix1, add under: Interfaces/Interface Assignments

@doiiido Thanks -- as much as I held off I just went with OPNSense for my Azure deployments. Hopefully Netgate addresses the issue in CE but I suspect they've blocked Azure Hardware IDs from getting updates if they're not paying and CE got included in that.

Ok, so i got it sorted.

TL;DR : A captive portal was enable and behave strangely on the SSID it was enabled on, wasn't showing when connecting, and cause the NG-2100 to drop packets.

I first tried with a new NG-2100 in a lab, same configuration, and everything worked perfectly, so I suspected an issue with the LAN in production.
I tried multiple thing, got some packet captures, and saw that UDP was working fine, everything in local was working fine, and TCP SYN packets were going out, but SA were block going back
I tried to make an untagged port on the L2 switch with VLAN tag 2U to try without WLAN, and everything worked fine.

I then tried to switch the VLAN on the SSID that was not working to go from 2T as 1U and figured out that there was a captive portal enabled on this SSID, probably from an old config that wasn't causing issue with old router. For whatever reason, the captive portal wasn't showing on this SSID when VLAN tagging was enabled, but was acting weird with TCP requests I guess.

Removed captive portal, everything worked fine.

Notice the same behaviour
It appears an alias containing two FQDN which resolve to the same IPv4 address are not included in the table at all about 50% of the time.

Tested in pfsense v2.7.2

Same problem here. I have an explicit pass rule for IGMP traffic that I enabled IP options on. The traffic is passing (verified with a tcpdump filter of igmp and ip[0] > 69) and yet filterlog is still recording it as being blocked and filling up the logs. The traffic is matching the rule without a log option...

This feels like a regression, but this bug says it's not.

@Gertjan Yea, I know that look fine because its from NetGate docs! Want to warry that as mentioned above you told that rule source LAN can not be for WAN)))

@SteveITS said in Cant create or edit aliases.:

@musicwizard Actually 2.7.2 is the latest.

Are you saving the page with a blank field maybe? It looks like it is trying to write a blank value at the beginning of the error.

i checked the update it said 2.7.1 but it was on previous stable selection. Updating now,

edit:

getting an error during update
updating the EFI loader
install: //boot/efi/efi/boot/INS@fmTwZj: Input/output error
pkg-static: POST-INSTALL script failed
failed.
Failed

@Antibiotic said in Additional protection beyond the basic set up:

Lets say if someone will scanning my pfsense for ports and etc.

And out of the box pfsense would be completely "stealth" if you will - there are no open ports to world out of the box.. So scanning your public IP would give them nothing.

@techpro2004 said in ssh wan block bug:

How do I figure out where the filter logs are from.

What do you mean its right there in the log who is sending the traffic.. For starters I would remove the bridge.. then you can filter on your interfaces where noise is coming in easier to not log it.

May 13 14:00:00 pfSense filterlog[7432]: 2,,,1000000101,ix0,match,block,in,4,0x0,,128,46560,0,none,17,udp,256,169.254.14.211,192.168.1.27,1900,60690,236

This is just pure noise.. You got something with APIPA address, ie didn't get a dhcp address? Sending SSDP to 192.168.1.27..

May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,48715,0,DF,17,udp,863,192.168.1.4,239.255.255.251,37810,37810,843
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,34515,0,DF,17,udp,691,192.168.1.14,239.255.255.251,37810,37810,671
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,64642,0,DF,17,udp,691,192.168.1.16,239.255.255.251,37810,37810,671
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,9381,0,DF,17,udp,690,192.168.1.12,239.255.255.251,37810,37810,670
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,49402,0,DF,17,udp,691,192.168.1.18,239.255.255.251,37810,37810,671
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,20481,0,DF,17,udp,818,192.168.1.6,239.255.255.251,37810,37810,798

Also pure noise.. Multicast Discovery of DNS Services is that multicast address - why would you need that noise logged or going over you wireguard connection?

@tina where is the site hosted? On the public internet or behind pfsense. If behind pfsense is the site to be viewed by the public? The only way you can filter the /admin would be with a reverse proxy.

If this is hosted on the public internet, pfsense really has nothing to do with that, sure you could proxy it so your users behind pfsense couldn't go to /admin - but anyone else on the internet could. etc..

Prob need a bit more detail to figure out if what you can be done, and if so how, etc.

@iptvcld No problem - happy to help.. The only thing that gets frustrating sometimes, is man just answered the same exact question 3 days ago ;) does nobody know how to search a forum or even browse a few pages of threads... I get it sometimes understanding the search term can be a problem..

But I do not recall such a question, at least not any time recent..

So when you get a chance I would fully test that his works exactly how you want.. I would for example pull the plug on your pppoe connection and make sure your other clients work over your lte connection except for this one client your wanting to block..

@TheWaterbug said in Firewall Rules across IPSec S2S Tunnel into Segmented Network?:

Curiously, if I add a P2 to allow Things at Main to talk to Things at Home, now PCs at Main can talk to Things at Home.

That's not curious, it's just by the design of the pfSense default rules. On IPSec there is a rule to allow any to any. If you don't want this modify the rule and restrict access to fit your needs.

Basic Firewall Configuration Example

Ater upgrade to 24.03 the issue persist. I thought, that if we will use Netgate generic HW, we will not be in troubles, unfortunately it seems, that nobody care. I do not have this issue on homelabs with non Netgate HW. All 7100 are affected by this issue.

@AmitS what device are you running pfsense on, is it a netgate appliance that has switch ports or discrete interfaces? There are some models of pfsense that has switch ports.. The sg2100 is such a model, it has 4 switch ports and 1 wan port.. You can vlan the interfaces on the witch to be in different network, or you can use 2 in 1 network, and the other 2 in 2 different networks, etc.

You can daisy chain switches if you want, depending on your flow patterns that might be fine. Or you might need to do that for location reasons.

I take it you want to segment your different networks?

I have my main core switch if you will in my computer room.. This has 28 ports, then off that switch there is a 10 port switch other side of the house that has 10 ports. Then off that 10 port switch I have a another 8 port switch that is behind my TV..

I have couple of AP that connect to my core switch, and another one that is connected to my 10 port switch in the AV cabinet. The switch behind the 10 has, a nvidia shield the TV connection and a raspberry pi, etc.

How you connect your switches is up to you and what your data flow patterns would be, etc.. Are these switches vlan capable.. If they are then you can pretty much connect any device anywhere you want and put it on any network.. If they are just dumb switches then you could connect 4 different dumb switches to your 4 ports on pfsense and have 4 different networks this way.

Without understanding your flow of data and patterns, what switches your going to use - are they all smart and vlan capable or also some dumb ones?

If you have multiple 25ge devices that you want to talk to each other - I would put them on the same 25ge capable switch, I sure wouldn't want that 25ge running over multiple uplinks to talk to some other switch on the other side of the building - because you now need atleast 25 gig capable switches in the path.. And then your 2 25ge devices could suck up all the other bandwidth and leave nothing for all your other devices that just want to talk to another device on another switch or just get to the internet, etc.

In a setup for an enterprise - all switches would normally home run back to the core or distribution layer.

But in a home or smb that is sometimes not possible or cost prohibitive or skill prohibitive in running the wires, etc. So sometimes you just have to daisy chain everything, or maybe the amount of data that is going to flow over the part of network doesn't make it important.. For example in my setup it was much easier to just run a cable from the av cab to behind the tv.. And put a little switch there, vs running 3 cables all the way back to my core or to the switch in the av cab. (which would of meant getting a bigger switch for there) etc.. And the tv and pi only have 100mbps connection and while the shield does have a gig interface, it never moves any serious amount of data.. So the shared 1 gig uplink from that switch is more than adequate for the amount of data flow over that connection.

You need to understand what is going to talk to what, and what sort of data rate, how often, etc. For example - just recently setup a NVR and video cameras - while their 4k video streams are not huge amounts of data, there are 3 of them.. constantly sending traffic to the NVR.. It would be stupid to run that data over network path that other data is going to flow over. The nvr has its own poe switch, this nvr connects to my switch in the av cab, and the cameras connect to the nvr on an isolated network behind the nvr.

More than happy to discuss this sort of thing.. If you put together a drawing of where devices are going to be, and what is going to talk at what speeds we can discuss how best to connect it all to optimize the available bandwidth to everything.

@GPz1100 I don't know a direct answer to your question, but I would arrange the rules in order and not try to do that with aliases.

You can use Alias Native instead of Deny Both which only creates an alias, and does not create rules. Then you can create your own rules in whatever order you want.

Quick is on by default for all rules except floating rules. It just means, first match wins.
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#quick

@viragomann said in OpenVPN interface rules not applied to CARP master IP:

E.g. if you try to access any IP of the backup outside of the own subnet from a LAN device, the packet is routed to the LAN CARP VIP, since this is the default gateway, i.e. the packet goes to the maser node and is then routed out on the interface, which is in the destination network.

Yes, I was referring to the fact that in that case the secondary node sees the traffic as coming from the primary node IP on its same LAN, since is natted, and there is not a block rule in place to access the secondary management IP from the primary management IP.

E.g. traffic directed to the secondary IP comes from the VPN subnet to the tunnel gateway on the primary node, is evaluated against a block rule to filter traffic directed toward "self", but the secondary IP is not "self" for the primary, so it pass and is routed out on the management subnet, natted with the IP of the primary node. There, the secondary would block traffic coming to its IP from outside the management subnet (there is a rule in place), but it appears as coming from the primary IP.

There are more than 50 subnets on this firewalls and quite a bit of rules, so sometimes it takes me a while to get my head around it.

Anyway, thanks for the help. Sometimes all you need is someone with a fresh mind to get you back on the right path.