• Why PfSense blocks sites on computers put Not on cell phones?

    0 Votes
    4 Posts
    302 Views
    Gertjan

    @flat4 said in Why PfSense blocks sites on computers put Not on cell phones?:

    turn on airplane mode

    Which turns off all the radios: Bluetooth, Wifi, Cell, NFC etc. etc.
    Wouldn't that block everything?

    @cobca said in Why PfSense blocks sites on computers put Not on cell phones?:

    blocks sites on computers put Not on cell phones?

    Easy to check.
    Select the SSID you connected to. You'll find your IP, the gateway (pfSense) and ..... (roll the drums): the DNS used. If it's not pfSense, then it isn't using pfSense, so pfBlocker never 'sees' these requests.
    And be aware: programs, like browsers on computers and cell phones, can use the system's DNS (the one you just saw) or use their OWN DNS settings. So: check these too ^^

  • Accessing LAN from a specific IP from WAN

    0 Votes
    10 Posts
    651 Views

    @maltepk
    You didn't even add a rule to allow this?
    pfSense is a firewall! 🙄

  • Possible bug on 23.05 - Bulk Import of Aliases causes full brick of pfSense

    0 Votes
    10 Posts
    1k Views

    @bars0um It’s a bad one yeah, but there was a patch via System Patches IIRC, and a few releases since then.

  • NTP: a Windows PC can't get time from pfSense. Other devices are okay.

    0 Votes
    20 Posts
    1k Views
    johnpoz

    @youngy said in NTP: a Windows PC can't get time from pfSense. Other devices are okay.:

    Lesson learnt.

    I would prob actually validate that time sync is going to where you want, either directly pointing to pfSense (which is always prob the best idea vs. redirect) and working, or via your redirect.

    I had some stupid iot devices (wifi light bulbs) that were pointing to pool address, not even in my country.. had some using uk.pool.ntp.org, which makes zero sense because they were bought in the states.. Someone messed up and didn't alter the code for regions they were going to be sold, etc..

    So I just set a host override to point uk.pool.ntp.org to my ntp server.

    A sniff (packet capture) for NTP will give great info on which clients are asking whom, and if they are being redirected, etc. You should see the client query and then the response.

  • SCTP Session Timeouts

    0 Votes
    12 Posts
    924 Views

    @JustinSims Here is the bug report.

    https://redmine.pfsense.org/issues/15924

  • Cannot Open Ports

    0 Votes
    22 Posts
    1k Views
    Gertjan

    @kilasin said in Cannot Open Ports:

    i live in the woods pretty much so no other choice with Starlink

    They got you covered 😊
    .... and use the same approach as many ISPs did in the past.
    You want a WAN IP that you can reach from the Internet, so you can NAT addresses and ports.
    As IPv4 is a very expensive resource these days, your wallet will be the solution.

    Look here :

    starlink static WAN IP ?

    A little bit lower on the page I saw :

    [attached screenshot]

    So ... go "Business" would be a solution....

  • Router 2 to PfSense router - WAN or LAN

    0 Votes
    1 Posts
    114 Views
    No one has replied

  • Opening Ports

    0 Votes
    1 Posts
    162 Views
    No one has replied

  • Unknown connection

    0 Votes
    18 Posts
    970 Views

    @Gertjan said in Unknown connection:

    You use a pfSense. You're good.
    No traffic (that you don't want to) can come into WAN, whatever the source is. So, RFC1918, or something else, you don't care.

    Yea, I'm in love with pfSense, are you?

  • Firewall Rules Not Being Enforced

    0 Votes
    34 Posts
    3k Views
    LPD7

    @SteveITS @kiokoman Just wanted to thank you for all of your help. Everything is working as planned and I have a better understanding of how this works and how to troubleshoot. I am sure we will cross paths again and look forward to future insights.

  • Firewall rules for double NAT

    0 Votes
    1 Posts
    177 Views
    No one has replied

  • Rule Block traffic from port 0

    0 Votes
    5 Posts
    737 Views

    @johnpoz Ok, thanks.

  • Deny outgoing traffic ipv6 for one device/phone

    Moved
    0 Votes
    7 Posts
    646 Views
    JKnott

    @johnpoz said in Deny outgoing traffic ipv6 for one device/phone:

    then not using IPv6 is a very simple solution..

    Not using IPv6 is a broken "solution". IPv4 has been inadequate since the day it became necessary to use NAT to get around the address shortage. The world should get off its butt and move to IPv6, instead of the hack on hack that IPv4 requires. As for one application that requires IPv6, take a look at your cell phone. IPv6 is mandatory for 4G & 5G cell networks, as they use VoIP, and using IPv4 and all the horseshit it requires would create an unworkable mess. Comcast also moved to IPv6 years ago, because their network was getting too large to manage with IPv4.

    I would question the competence of any network professional that thinks IPv4 is good enough.

  • Sanity check for basic firewall rules

    0 Votes
    7 Posts
    699 Views

    @SteveITS said in Sanity check for basic firewall rules:

    @gld said in Sanity check for basic firewall rules:

    rules for the OPTX interface (which are not associated with the firewall)

    Then what is it? I'm a bit confused. OPT1/2/3/etc are the default names when adding more interfaces than WAN and LAN. Which some models call PORT1WAN for example. The documentation just assumes you've added OPT1 and need to configure it. You can name it anything, like DMZ or MYLAB.

    "OPT1 subnets" would be any subnet assigned to the OPT1 interface.

    I was using, as an example, the example in the documentation you referenced. The table in the documentation has the title, "Example firewall rules for isolated LAN type segment". Yes I understand everything you say here.

    If you don't have a pass rule for IPV6 then that traffic is not allowed. Each interface has a default block rule.

    My understanding is that to allow a subnet to get out on the Internet with an IPv6 address there must be an IPv6 pass rule.

    If the IPv6 addresses are automatically assigned then no you don't know the IPv6 subnets so using the aliases is probably better than creating your own aliases and having the IPv6 subnets change on you later. "PrivateNets" can be all RFC1918 subnets because those are known.

    IPv6 is much easier if you let it be automatic. Add it to WAN, set a prefix delegation request large enough (/57, /60, depends on what your ISP allows) and set the internal interface to Track Interface. Then pfSense will get an IPv6 for WAN, and assign a unique block for the internal interface.

    Yes. I was able to get this to work. I eventually got multiple subnets assigned IPv6 addresses. For them to get out to the Internet I had to add an IPv6 pass rule. After that, the firewall rules similar to the documentation example you cited (and which I copied earlier) failed to isolate traffic between the subnets I was trying to keep isolated.

    I very well might have some significant misunderstandings about IPv6. I will probably take another run at that sometime in the future. For now I'm good.

  • How to block traffic based on URL pattern?

    0 Votes
    3 Posts
    323 Views

    @bmeeks

    Thank you so much for such a detailed explanation. It makes sense why all my trials went in vain…

    I will not overload the hardware with additional software that may or may not work.

    All of our web-facing servers are behind load balancers, and it makes sense to use the load balancers to kill such traffic…

    Appreciate your help so much

    Happy thanksgiving to you, family and all pfSense users ☺️

  • notice/kernel:Limiting ICMPv6 destination unreachable output from

    0 Votes
    1 Posts
    170 Views
    No one has replied

  • non-existing rule is lets subnet pass

    0 Votes
    4 Posts
    359 Views

    @NogBadTheBad

    made sense, so I tried it. It didn't solve the problem, but it finally led me to bump the max table entries under System > Advanced, Firewall/NAT tab, which solved the problem.

    Thank you very much.

  • Question about firewall rules for domain only computers

    0 Votes
    15 Posts
    1k Views

    @killmasta93
    Well, FreeRADIUS is built in to pfSense; to me it makes sense to take advantage of an already existing service. No, I think there are two processes: the DHCP will hand out an IP and then the validation via the RADIUS server would follow.

  • Trouble with allowing outside connection with domain name

    0 Votes
    2 Posts
    209 Views

    @Gamienator-0 High traffic web sites or content delivery networks will often rotate IP addresses sometimes every minute. That one has a very short TTL:

    download.proxmox.com. 61 IN CNAME download.cdn.proxmox.com.
    download.cdn.proxmox.com. 12 IN CNAME us.na.cdn.proxmox.com.
    us.na.cdn.proxmox.com. 12 IN CNAME na.cdn.proxmox.com.
    na.cdn.proxmox.com. 59 IN A 66.70.154.82

    pfSense looks up the IP every 5 minutes by default. There will always be a chance the DNS lookup is not the same IP every time you check it, even if it is a few seconds later.

    The pfBlocker package can create aliases from ASNs which are basically IP blocks you can look up by company name.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.