• 0 Votes
    1 Posts
    152 Views
    No one has replied
  • Unable to access somesite over LAN.

    2
    0 Votes
    2 Posts
    273 Views
    GertjanG
@nabeel-0 Hi, A default pfSense doesn't block any site. Try it for yourself: go to the console menu and use option 4. You already proved that the issue isn't upstream. Can you resolve domain names like aliexpress.com on your PC/phone? Did you change DNS settings? I can visit both sites without issues.
  • Best way to block FQDN with random ip?

    2
    0 Votes
    2 Posts
    232 Views
    KOMK
    @logboss Add a host override to DNS so that the fqdn resolves to 127.0.0.1 or something.
  • Trying to understand pfSense Firewall logs and easyrule

    1
    0 Votes
    1 Posts
    160 Views
    No one has replied
  • Disable automatically configured firewall rules

    3
    0 Votes
    3 Posts
    417 Views
    M
    @bob-dig Damn, I totally missed that dialogue for some reason. Thanks!
  • Unable to block VPN apps?

    9
    0 Votes
    9 Posts
    814 Views
    Sergei_ShablovskyS
@viktor_g said in Unable to block VPN apps?: @dxplorer11 said in Unable to block VPN apps?: I noticed that if any smartphone uses VPN apps, it bypasses any firewall rules and all DNS settings set by the pfSense router. I've forced all the clients in my LAN to use the pfSense DNS settings, which actually point to my Windows server DNS, but if they use a VPN app on their devices, it completely bypasses the router. You could try to block VPN with Snort/Suricata or the pfBlockerNG IP VPN feed. If users are using NewNode VPN, neither method is a solution. Slowly we are all moving to a state where blocking VPNs becomes impossible, because slowly all connections are becoming "VPN by design". And billions in investment just push the whole industry forward to this state.
  • Allow Webconfigurator on OPTx

    3
    0 Votes
    3 Posts
    541 Views
    GertjanG
@mattb765 Remember this one: [image]? When not checked, it creates a firewall rule on the LAN interface that permits access from the LAN to the pfSense GUI (and SSH access). [image] This resembles your firewall rule on your OPT1 interface. But be careful, this only passes IPv4 TCP traffic to port 443. Are you using https (not http) on port 443? Is the IP on the device that you are using somewhere in the OPT1 network? Did you activate the DHCP server on the OPT1 interface? Did you assign a static IPv4 network to the OPT1 interface? And what about DNS traffic? It will hit the default (hidden) block rule as you do not permit UDP traffic to port 53 of the OPT1 interface (pfSense). You'll be complaining that "Internet" doesn't work very soon ^^ edit: As soon as I placed a rule like this on top of an interface (LAN for me): [image] the states counter started to rise (the "1/443 KiB" in the image). I had to shut down the browser and reopen it to re-engage new firewall states, so the first rule would 'intercept' and pass the traffic. Btw: I also had to add IPv6 as my browsers 'know' that my pfSense also speaks IPv6, as it is the default protocol on my LAN type networks. When I left out IPv6, my browser was unable to connect to the GUI ... strange, as it should fall back to IPv4 after some time.
  • GRC closed instead of stealth ports?

    19
    0 Votes
    19 Posts
    2k Views
    johnpozJ
@jknott said in GRC closed instead of stealth ports?: I don't worry if my address becomes known. I just don't go out of my way to advertise it. Exactly.
  • VPN SSL and IP on WAN interface

    14
    0 Votes
    14 Posts
    1k Views
    johnpozJ
Yeah, the default UDP port is 1194; this could quite often be blocked from where you're at... 443 is never going to be blocked if the internet is open. Even if they are forcing traffic through a proxy you can still get your VPN connection over the proxy on 443. UDP is normally the best choice for the VPN - but hey, if it doesn't work, TCP over 443 is pretty much guaranteed to work - even if not an optimal connection, etc. You can run both; I run a TCP 443 instance along with a 1194 UDP instance.
  • URL Table for Alias with Office 365

    4
    0 Votes
    4 Posts
    650 Views
    V
@sipriuspt I created an alias from this source almost a year ago and it still works well. I don't think the IPs change that often. But they also provide a download link to a JSON file on the page. You can write a simple script that pulls the file daily, generates a network list from it and puts the list on a web server. Then you can let pfSense pull it down via a URL alias. Possibly someone has already done that and provides it on the internet for public download.
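The script sketched in the reply above, as an added example that is not code from the post or from Netgate. It assumes the feed is the Microsoft 365 endpoint JSON (a list of service entries, each with an optional "ips" array and a "required" flag; the ENDPOINT_URL and the output path are assumptions), parses it offline from a constructed sample, and writes one prefix per line, which is the format a pfSense URL Table (IPs) alias expects. It also handles the things a daily job should not trip over: duplicate prefixes across entries, prefixes covered by a larger one, adjacent pairs that can be merged, a malformed entry, and an empty result.

```python
#!/usr/bin/env python3
"""Build a pfSense URL Table alias list from the Microsoft 365 endpoint JSON feed.

Added example for the thread above; not code from the post or from Netgate.
Run it from cron on a web server, then point a pfSense "URL Table (IPs)" alias
at the file it writes.
"""
import ipaddress
import json
import sys
import urllib.request
import uuid

# Assumed feed URL: Microsoft's worldwide endpoint list, which wants a client GUID.
ENDPOINT_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={guid}"

# Constructed sample in the same shape as the feed.  The prefixes are chosen to
# exercise dedup, overlap and adjacency handling, not copied from the live feed.
SAMPLE_FEED = [
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/48"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "urls": ["smtp.office365.com"],
     "ips": ["13.107.6.152/31", "40.96.0.0/13", "40.96.1.0/24"],  # duplicate + covered prefix
     "tcpPorts": "587", "category": "Allow", "required": True},
    {"id": 3, "serviceArea": "Common", "urls": ["officecdn.microsoft.com.edgesuite.net"],
     "tcpPorts": "80,443", "category": "Default", "required": False},  # URL-only entry, no ips
    {"id": 4, "serviceArea": "Skype",
     "ips": ["52.112.0.0/15", "52.114.0.0/15", "2603:1063::/48", "not-an-ip"],  # adjacent pair + junk
     "udpPorts": "3478,3479", "category": "Optimize", "required": True},
    {"id": 5, "serviceArea": "SharePoint", "ips": ["198.51.100.0/24"],
     "tcpPorts": "443", "category": "Default", "required": False},  # optional, dropped by default
]


def extract_networks(feed, required_only=True, service_areas=None, version=None):
    """Return the feed's prefixes as a sorted, de-duplicated, collapsed list of ip_network.

    required_only drops entries the feed marks optional; service_areas (e.g. {"Exchange"})
    restricts to those services; version (4 or 6) keeps one address family.
    """
    nets = []
    for entry in feed:
        if required_only and not entry.get("required", False):
            continue
        if service_areas and entry.get("serviceArea") not in service_areas:
            continue
        for raw in entry.get("ips", []):
            try:
                # strict=False tolerates host bits set in a prefix instead of aborting the run.
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                print(f"skipping unparsable prefix {raw!r} in entry {entry.get('id')}", file=sys.stderr)
                continue
            if version is None or net.version == version:
                nets.append(net)
    # collapse_addresses merges duplicates, covered prefixes and adjacent pairs,
    # but only within one address family, so split first.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)


def render_alias_list(feed, **kwargs):
    """Render one prefix per line, the format a pfSense URL Table (IPs) alias expects."""
    return "".join(f"{net}\n" for net in extract_networks(feed, **kwargs))


def fetch_feed(url=ENDPOINT_URL):
    """Download and decode the live feed (network access; not used by the offline sample)."""
    req = urllib.request.Request(url.format(guid=uuid.uuid4()),
                                 headers={"User-Agent": "pfsense-o365-alias/1.0"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main(argv):
    # Assumed output path: a file under the web server's document root that pfSense can fetch.
    out_path = argv[1] if len(argv) > 1 else "/var/www/html/o365-ips.txt"
    text = render_alias_list(fetch_feed())
    if not text:
        # Never publish an empty list: pfSense would load it and the pass rules would go dead.
        sys.exit("feed returned no prefixes; keeping the previous list")
    with open(out_path, "w") as fh:
        fh.write(text)
    print(f"wrote {text.count(chr(10))} prefixes to {out_path}")


if __name__ == "__main__":
    main(sys.argv)
```

Schedule it daily with cron, serve the output over HTTPS, and create the alias under Firewall > Aliases with type URL Table (IPs) pointing at that file; the alias refresh interval is set on the alias itself. Since whatever ends up in this file becomes the destination of a pass rule, treat the fetch as untrusted input: keep the required-only filter unless you need the optional ranges, and keep the empty-result guard so a transient feed failure cannot silently blank the alias.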
  • Simple IOT Network

    15
    0 Votes
    15 Posts
    3k Views
    J
@viragomann Ok.. found out the issue. It's something that I didn't know existed in Windows, but I'm new to VLANs. Apparently, for some security reason I guess, Windows Firewall will not accept ICMP packets from devices on different subnets. I finally, after much headache, found the below link. The thing that threw me is that one of my Linux machines was responding to pings on different subnets but others were not, so I thought there was a problem. In the end, no problem, other than my ignorance. Solved: VLANs and Windows Accepting Pings from Different Subnets
  • Easyrule not working since update to 2.5.2

    6
    0 Votes
    6 Posts
    1k Views
    JeGrJ
    @kalachev or you do it via the system patches package - that's what it is for ;)
  • UDP States Killed Before Expiration

    4
    0 Votes
    4 Posts
    715 Views
    jimpJ
    Hard to say what might be happening if none of those are relevant. If the state deletes are coming over pfsync then you could see them by doing something like tcpdump -vvvnei <interface where pfsync traffic goes> proto 240, but there can be a ton of data there so may be hard to narrow down. That could at least tell you which node is deleting the state though since the delete will either go primary -> secondary (in which case it was deleted locally) or secondary -> primary (in which case the secondary deleted it). But trying to match up the IDs and find the relevant state among the data may still be tricky.
  • Can't create IPv4+IPv6 Firewall rule with an alias

    firewall rules ipv4+ipv6 alias
    4
    0 Votes
    4 Posts
    2k Views
    JeGrJ
@leonroy said in Can't create IPv4+IPv6 Firewall rule with an alias: What I ended up doing was sticking my PiHole IP address in an Alias as well and setting that as the Source alias. Not sure if that's the best way of doing it but it worked... If your PiHole should answer IPv6 and work with IPv6, it needs an IPv6 address. Without that it makes no sense; then you can simply block all IPv6 altogether. If your Pi has IPv4 and IPv6 then that's the right way: put both into the alias and use it in rules. That said, I wouldn't work with invert rules, but that's my approach.
  • Signal App Ports - problem with receiving

    2
    0 Votes
    2 Posts
    359 Views
    GertjanG
@gwaitsi said in Signal App Ports - problem with receiving: I seem to be missing something in the firewall setup for Signal. Nothing is needed to make such an app work. WhatsApp, Telegram, Signal, they all work the same. pfSense, by default, behaves as a classic ISP router: the default LAN firewall rule works, as it permits all outgoing connections. I advise you to install https://signal.org/fr/download/, the PC version. Now wire up your PC to the LAN of pfSense. This test will exclude Wifi usage and Wifi issues. Run the app on your PC; you should be reachable.
  • Shrewsoft IPSEC tunnel ok but unable to reach remote gateways

    2
    0 Votes
    2 Posts
    277 Views
    No one has replied
  • Blocking traffic from IP alias to (invert match) IP alias

    3
    0 Votes
    3 Posts
    409 Views
    M
@viragomann I had quick on before and it still didn't work. I've changed other things since then too, so I'll give quick another shot and see if it works. Thanks
  • Unable to use forwarded port from VPN provider

    3
    0 Votes
    3 Posts
    470 Views
    P
It suddenly started working after changing the port being forwarded, which is not the first time that I have changed it. It never worked before and suddenly it does, with no changes to rules other than that port. I am dumbfounded. Could all these ports somehow have conflicted with some already used source ports for outbound connections? This is on WireGuard, which is quite new; I'll have to retest on OpenVPN. I understand that they will forward a port to the latest client to connect to their VPN for OpenVPN and nobody else is using it as far as I am aware. I'll have to keep an eye on it. Edit: This is on version 2.5.2 CE.
  • Why am I seeing Softbank in my DHCP list

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ
@rjp1267 said in Why am I seeing Softbank in my DHCP list: outside or scanning. WiFi passphrases can be cracked. And you think spoofing a MAC can not :) hehehe. Can tell you one thing: breaking my PSK is going to be the harder part than some MAC address spoof ;) Blocking YouTube is a bit different than static ARP ;)
  • SMTP doesn't work to Comcast servers through pfSense

    12
    0 Votes
    12 Posts
    1k Views
    D
    For reference, here's the MS document that assisted me: https://docs.microsoft.com/en-us/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics Dan
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.