• pfsense not connecting to internet
    Tag: internet. 16 posts, 0 votes, 3k views.
    Last reply:
    @athish system logs:
    Dec 11 03:59:13 kernel arpresolve: can't allocate llinfo for 192.168.10.1 on rl0
    Dec 11 03:59:14 kernel arpresolve: can't allocate llinfo for 192.168.10.1 on rl0
    Dec 11 03:59:14 kernel arpresolve: can't allocate llinfo for 192.168.10.1 on rl0
• Performance impact of large network CIDR Aliases
    5 posts, 0 votes, 607 views.
    Last reply:
    Thanks
• Odd situation with alias not being resolved
    8 posts, 0 votes, 898 views.
    Last reply by noplan:
    Not getting into much detail because of lack of time. Mention UDP/TCP in your rule settings for your ports.
• Block SCP but allow SSH
    4 posts, 0 votes, 594 views.
    Last reply by viragomann:
    @linu said in Block SCP but allow SSH:
    > @viragomann Can we achieve this by blocking FTP traffic?
    No, FTP uses a different port. You cannot do this on pfSense with filter rules. Possibly it is doable with the HAproxy package. The PF filter works based on protocol, source and destination IPs and ports. But SCP uses port 22, the same as SSH. So there is no possibility to distinguish the connection type for the packet filter.
• [solved] Allow rule not working?!
    13 posts, 0 votes, 1k views.
    Last reply by johnpoz:
    @b_chris said in [solved] Allow rule not working?!:
    > 2* TCP:FA, 8* TCP:FPA.
    Yeah, that would be normal. When the client tries to use a session and the state is closed, it would try and close it via FIN. I would expect that if it doesn't get an answer to its FIN, at some point it would send a RST, basically saying "OK, not sure if you're getting my FINs, but I am done with this connection, so if you happen to get this RST you can close the connection" ;)
    Here is a quick image I found showing the open and close of a TCP connection. You quite often see the FIN,ACK together. Seems this image also has a typo of "massage" vs "message" ;) But it gets the idea across of how a connection is opened and then closed.
    [image: 1628610202570-tcp.jpg]
• Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103)
    15 posts, 0 votes, 2k views.
    Last reply:
    I figured out that my problem seems to be a different one. I opened a separate topic to avoid confusion: https://forum.netgate.com/topic/165738/allow-rule-not-working
• Another default deny rule same subnet/network/vlan being blocked
    7 posts, 0 votes, 714 views.
    Last reply:
    Welp, I have no idea what is going on. I shored up the setup a bit more. The AP has MGT for VLAN 10, same as the Home SSID the Shield is connected to. IOT is VL-110. The switch trunk is correct and enforced. The Shield is switched to a static address. The computer's ipconfig looks correct. I restarted the computer and the Shield. The Shield (.137) is the only device this occurs on. I turned off firewalls on the desktop. The switch is just a simple L2 switch (Mikrotik running SwOS, CRS328-24P-4S+RM). I looked at the switch MAC table and it shows only the devices in question on the correct ports.
    @johnpoz said in Another default deny rule same subnet/network/vlan being blocked:
    > edit: Check your .137 arp table - validate it shows the correct mac for .89 client.. If for whatever reason it had pfsense mac - then pfsense would see the traffic. But this might be hard on a nvidia shield device.. Had you recently changed masks on the network? Or added this network, I have shield I could look at to see what kind of info you can glean from it for info about its mask, etc. But again - pfsense should never see this traffic in the first place - you need to figure out why it is to correct the problem..
    I'll need to look up how to see the ARP table on the Android Shield. I did look through the network settings and it didn't show a mask when on DHCP. When I set it to static I was able to specify /24 and a gateway. It is a brand new setup; I took out the UDM to replace it with pfSense, switch and AP. The really weird thing is the darn thing works. Plex works, other apps work. It's spewing out messages to the wrong MAC, but it's still working...?
• remote ftp ssl access failed
    59 posts, 0 votes, 14k views.
    Last reply by johnpoz:
    That is not needed unless you're accessing an FTP via active... FTP is dead, should have been 10 years ago..
• Pfsense on Proxmox: No traffic on LAN / Only seeing 224.x.x.x traffic on WAN
    2 posts, 0 votes, 452 views.
    Last reply:
    @zzoro said in Pfsense on Proxmox: No traffic on LAN / Only seeing 224.x.x.x traffic on WAN:
    > topology: Modem > Router > Pfsense on Proxmox
    pfsense is a router / firewall. Why have you put it behind another router? The modem at the front, is that another router? While it is possible to have a double NAT, doing so complicates the system. Have you configured pfsense to block LAN addresses on your WAN? Doing so would block the internet connection to pfsense given your topology.
• Transparent bridge config - help pls!
    4 posts, 0 votes, 546 views.
    Last reply by viragomann:
    @infotipp Did you add firewall rules to the bridged interfaces to allow traffic flow?
• Allow Subdomains of a domain
    12 posts, 0 votes, 1k views.
    Last reply by JKnott:
    @johnpoz I wasn't aware of that alias.
• Rule not matching after upgrade to 2.5.2
    8 posts, 0 votes, 796 views.
    Last reply:
    @ludejim said in Rule not matching after upgrade to 2.5.2:
    > I tried to install a fresh 4.5.1, it didn't want to install any packages
    Did you set the update version/branch setting to the prior version?
• My Rules to block certain IPs from the internet is not working
    19 posts, 0 votes, 971 views.
    Last reply by johnpoz:
    Yeah, any smart switch should be able to do VLANs. Not all entry-level smart switches would support stuff like private VLANs though..
• 8 posts, 0 votes, 914 views.
    Last reply by viragomann:
    @wolfhunter1043 OK, I cannot see any reason why this should not work. If you access the Ark server from the Internet and your port forwardings and firewall rules are correct (I don't know its requirements), you should succeed. That has nothing to do with outbound NAT. Since you might have multiple internal network segments, are you able to access the server from another network?
• Pfsense Can't Pass traffic from its WAN port to host in LAN network
    3 posts, 0 votes, 627 views.
    Last reply:
    I have added an IPv4 subnet 192.168.102.0/24 using the Hetzner panel, and when I added resources to that subnet (my server and my pfSense firewall) it automatically assigned the IP 102.1 as the gateway for both devices (maybe it is a virtual switch that Hetzner creates for further routing between different subnets). It was not working; after I changed the gateway of my server to 102.3 (the IP of the firewall) connectivity is now OK. I also ran tcpdump on my server, but no packet reaches my server when I am trying to reach it from the internet, although I can ping 102.3 from 102.2 and vice versa. From the internet, my packet reaches 102.3 and gets stuck there.
• Firewall rule only for google recaptcha
    4 posts, 0 votes, 4k views.
    Last reply by Gertjan:
    @sipriuspt Google captcha functionality is put in place by a web server admin. In other words: if you install a captcha on a web server, it needs access to Google's API. It will not visit other web sites. So why (firewall) filter connections initiated by a web server itself?? You, the admin, control the web server. It's not some device controlled by a person.
• Time Based Rule for Blocking
    8 posts, 0 votes, 1k views.
    Last reply by JeGr:
    @hammer8 My pleasure
• Can't reach network behind firewall using openvpn
    2 posts, 0 votes, 200 views.
    Last reply by Rostyslav Didus:
    The problem is fixed. I had made an IPsec tunnel before, and even though it wasn't connected to the remote side it overlapped my networks. Clicked "turn off"; OpenVPN works fine.
    [image: скриншот-02-08-2021-144020.jpg]
• Traffic getting through a Block rule
    4 posts, 0 votes, 528 views.
    Last reply:
    @bob-dig Hi, figured out the issue: states were still open, so the way to implement it correctly is to have two rules. One that blocks traffic all the time, and a second allow rule above the block which is on a schedule of when internet access is allowed. Thanks everyone!
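Two of the replies above rest on how a stateful first-match filter actually decides: "Block SCP but allow SSH" (the filter only sees protocol, addresses and ports, and scp and ssh are both tcp/22) and "Traffic getting through a Block rule" (an already-open state keeps passing after the rule that allowed it is gone). The following is an added, constructed model of that behaviour written for this page; it is not pf, pfSense or any forum member's code, and the addresses, ports and hostnames in it are made up. It mimics pfSense's "quick" first-match ordering and pf's state-table lookup before the ruleset; the scheduled rule is modelled as a simple enabled flag.

```python
"""Constructed model of pfSense-style stateful filtering (not pf or pfSense code).

Simulates two behaviours from the threads above:
  1. a flow with an existing state keeps passing after the rule that allowed it
     is disabled (e.g. a scheduled allow rule whose window ended) until its
     state is killed;
  2. SCP and interactive SSH share the same proto/src/dst/port tuple, so no
     filter rule can tell them apart.
All addresses and ports below are made up for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        # The 5-tuple is all a packet filter can key on.
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    enabled: bool = True          # a schedule toggles this in the model

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        return all(want is None or want == got for want, got in
                   ((self.proto, p.proto), (self.src, p.src),
                    (self.dst, p.dst), (self.dport, p.dport)))


class Firewall:
    """First-match ('quick') ruleset with a state table consulted before the rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    def filter(self, p: Packet) -> str:
        if p.key() in self.states:       # state hit: rules are not consulted at all
            return "pass:state"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":   # pass rules create state (pfSense default)
                    self.states.add(p.key())
                return r.action + ":rule"
        return "block:default"           # implicit default deny

    def kill_states(self, host: str) -> int:
        """Model of killing a host's states (pfctl -k <host>, or Diagnostics > States)."""
        before = len(self.states)
        self.states = {s for s in self.states if host not in (s[1], s[3])}
        return before - len(self.states)


def schedule_scenario():
    """Scheduled allow rule above an always-on block. Returns decisions in order."""
    allow = Rule("pass", src="192.168.1.50", enabled=True)   # schedule window open
    block = Rule("block", src="192.168.1.50")                  # always on, below allow
    fw = Firewall([allow, block])
    flow = Packet("tcp", "192.168.1.50", 51000, "203.0.113.10", 443)

    out = [fw.filter(flow)]         # window open: passes, state created
    allow.enabled = False           # schedule window closes
    out.append(fw.filter(flow))     # same flow still passes via its state
    out.append(fw.filter(Packet("tcp", "192.168.1.50", 51001, "203.0.113.10", 443)))  # new flow: blocked
    fw.kill_states("192.168.1.50")  # kill the stale state
    out.append(fw.filter(flow))     # old flow now hits the block rule too
    return out


def scp_vs_ssh_scenario():
    """The filter sees identical tuples for scp and ssh; both get the same verdict."""
    fw = Firewall([Rule("pass", proto="tcp", dst="192.168.1.10", dport=22)])
    ssh = Packet("tcp", "192.168.1.50", 52000, "192.168.1.10", 22)
    scp = Packet("tcp", "192.168.1.50", 52001, "192.168.1.10", 22)
    return fw.filter(ssh), fw.filter(scp)


if __name__ == "__main__":
    print(schedule_scenario())      # ['pass:rule', 'pass:state', 'block:rule', 'block:rule']
    print(scp_vs_ssh_scenario())    # ('pass:rule', 'pass:rule')
```

The second decision in `schedule_scenario()` is the case the poster hit: the block rule is correct, but the state created while the allow rule was active is matched before any rule is evaluated. On a real pfSense box the equivalent of `kill_states` is Diagnostics > States (filter on the host and kill) or `pfctl -k <host>` from the shell; pfSense's own handling of states at schedule expiry is not modelled here.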
• Gateway Change on Alias Not Applying
    11 posts, 0 votes, 816 views.
    Last reply:
    @viragomann Success! I set the monitoring IP to 8.8.8.8 and the rule is getting hits now, and the host is definitely using the VPN for egress. Thank you!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.