• web-login blocked but cannot find issue

    1
    0 Votes
    1 Posts
    114 Views
    No one has replied
  • Failing to add URL alias with mixed IPv4 and IPv6 addresses

    15
    0 Votes
    15 Posts
    2k Views
    viktor_gV
    @lindhe said in Failing to add URL alias with mixed IPv4 and IPv6 addresses: Or, no not quite the same. Adding two lists of IPv4 urls works now. But nested aliases still fail. I guess that I can now use a reasonable work-around by creating a mixed (unnested) alias instead. But it's overflowing the text box, so I don't know how to verify that all addresses are in the alias now. How can I verify that the alias is correct? [image: 1618153864638-screenshot-from-2021-04-11-17-09-08.png] Redmine issue created: https://redmine.pfsense.org/issues/11863
  • Firewall rule for a Siemens Webserver

    2
    0 Votes
    2 Posts
    280 Views
    V
    @gtid After watching that YT I assume this web server is not meant to be accessed directly. It rather establishes an outbound connection to the Synco IC and you can use any device with a web browser to connect to the Synco IC server which provides a WebGUI for you to control your device. So you will only have to enable DNS access for the web server and outbound connection, presumably HTTPS.
  • 0 Votes
    1 Posts
    166 Views
    No one has replied
  • So what happens when you IP yourself?

    17
    0 Votes
    17 Posts
    706 Views
    GertjanG
    @NZ : I have a dyndns - it exists - that I used to contact my NAS : dig brit.test-domaine.fr +short 82.127.34.254 I used this host name with an App in my phone. I can now access my device from everywhere on the planet. The host name always points to my WAN IP - there is a NAT rule etc etc. When I connect my phone to a local Wifi, an access point on my LAN, my App still works. My App still uses "brit.test-domaine.fr". But, because I have control (I admin my pfSense) I can create a host override on the Resolver config page, under Host Overrides :: [image: 1619439464302-b035b89f-ab73-41ec-afd3-9c4d297fc66b-image.png] Test on pfSense :: [2.5.1-RELEASE][root@pfsense.my-network.net]/root: dig brit.test-domaine.fr +short 192.168.1.33 and that's correct : my NAS has 192.168.1.33. So, except for the NAT rule for outside access, no other firewall rules are needed. For the inside access : a Host Override does the job.
  • Pfsense Version 2.5.1 & Port Forwarding Issue

    5
    0 Votes
    5 Posts
    647 Views
    T
    @steveits 1 WAN, but I do route out some hosts over VPN links
  • Need help with firewall rules

    22
    0 Votes
    22 Posts
    2k Views
    M
    @johnpoz My knowledge doesn't go far enough to explain why. I had a friend of mine, who is specialised in setting up networks with Dante, NDI, etc. and that's what he came up with. Since it seems to work fine, I will leave it like this. Although I would like to understand more about this subject, I will have to do some reading first, since my knowledge clearly doesn't go far enough for these types of setup. Thanks again for the help!
  • Automatic NAT, added VLAN, sporadic firewalling

    2
    0 Votes
    2 Posts
    203 Views
    V
    Sigh... I figured it out. The DNS Resolver does not automatically update when a new interface is added, dunno that it should. I re-added the rule, identical to the pre-existing ones for my LAN and WIFI, about DNS. Then, I updated the list of network interfaces for the DNS Resolver to include the newly minted VLAN/AP. The phone can now browse the internet, and I've connected my first Wyze v3 phone.
  • Need help with squid proxy + firewall Rules

    8
    0 Votes
    8 Posts
    690 Views
    M
    @leao-adilson you are welcome
  • No access to Zoom meetings

    12
    0 Votes
    12 Posts
    3k Views
    D
    @johnpoz said in No access to Zoom meetings: Is your prefix changing? You say other things are working, like testipv6, etc. Are other ipv6 sites loading? Can you reconnect to the zoom call? If pfsense sends on the ipv6 traffic that you're trying to send, and you get no response - or for whatever reason the other end doesn't like it. Not a pfsense thing. Yes, a random selection of IPv6 sites work just fine plus ipv6.google.com. Prefix is 64, which is supposed to be best for Comcast, but 60 works exactly the same. Prefix doesn't change unless I request it on pfSense. Comcast uses dhcpv6 not SLAAC by the way. Interestingly I connected on my iPhone with WiFi off, then reenabled WiFi and turned off Cell data and the Zoom call stayed up. I could not reconnect if I left. I can't turn off only IPv6 from an iPhone, but I can from a MacOS 11.2.3 MacBook with "networksetup -setv6off Wi-Fi". Forced to use IPv4 Zoom works fine. My cell provider hands out an IPv6 address too, which tests as good, so I know it's only when trying to put IPv6 through the pfSense box. I can try connecting a MacBook directly to the Cable Modem, but I highly doubt Comcast has an adaptive filter running. That's one of the reasons I'm running pfSense in the first place. SOMETHING is getting mangled/blocked in Zoom's rendezvous process when it goes through pfSense's IPv6 stack. The fact that it works for a short time after reboot suggests something like pfBlocker, but I can't find any evidence of that. Zoom's connection process at a high level is documented here: link text Any other ideas, I'm out?
  • 0 Votes
    1 Posts
    140 Views
    No one has replied
  • Firewall rules and when they are applied?

    2
    0 Votes
    2 Posts
    320 Views
    GertjanG
    You can force things : Diagnostics > States > Reset States Check the box and hit the button. Btw : you'll see that you will be thrown out of pfSense and that you have to re logon.
  • Isolate Specific Application Connection Only

    2
    0 Votes
    2 Posts
    153 Views
    T
    What comes to my mind would be to remove any allow rules. Then look here MS Info on Teams. Make the appropriate aliases from the info there, what needs to be open for TEAMS, then create allow rules.
  • Lan fully open, still Default deny rule IPv4 block on some connections

    2
    0 Votes
    2 Posts
    325 Views
    H
    After some online searching, I found this: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets Looks exactly like the "problem" that I'm having, but it seems to be "normal behaviour"... I've added a default block all ipv4 rule, just after the allow all rule, without logging, to check if these will now not be logged any more... [image: 1618648274396-block.png]
  • Firewall rule for alias doesn't work until after reboot

    3
    0 Votes
    3 Posts
    408 Views
    A
    @kom I see. Good point. Thank you.
  • 0 Votes
    4 Posts
    591 Views
    KOMK
    @tgimagine Where are you testing from? If LAN then pfSense is not involved since inter-LAN traffic goes direct from client to server. If WAN then you need to define a NAT port-forward that forwards the traffic from WAN to LAN.
  • Sonos-api-http

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
  • 1 to 1 NAT Forwarding Problem After Upgrading to 21.02-p1 on SG-5100

    4
    1 Votes
    4 Posts
    602 Views
    J
    @iroal The latest update to 21.02.2 seems to have fixed the port forwarding issue, so that might be something to try. Here's the bug fix link. I still have an issue with outbound packets going out the wrong WAN port though. I suspect that was what was happening all along now. Packets would come in WAN1 and be returned out WAN0 so it looked like they were being blocked by the firewall, but really they were just lost because I was looking in the wrong spot for them. I haven't figured out how to fix that yet.
  • Only internet traffic rule suggestion

    6
    0 Votes
    6 Posts
    575 Views
    JKnottJ
    @viragomann In my rules I also allowed for my IPv6 prefix. I have a /56 prefix and one rule blocks it, as well as all ULA addresses, which were included in my Private alias.
  • Preventing a host from using Tier 2 Wan failover

    2
    0 Votes
    2 Posts
    199 Views
    V
    @bhjitsense Possibly a check mark here: System > Advanced > Miscellaneous > Do not create rules when gateway is down
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.