• Client to client ping in same network

    0 Votes
    4 Posts
    475 Views
    @sahand_it my bad, it turns out that the Access Point was at a faulty state and restarting it resolved the issue...
  • Schedule cannot be saved

    0 Votes
    11 Posts
    1k Views
    Version 2.5.1 fixed it
  • Overwrite floating rules

    0 Votes
    1 Posts
    170 Views
    No one has replied
  • Block IoT to access Internet

    0 Votes
    12 Posts
    2k Views
    Gertjan
    @charlie48 said in Block IoT to access Internet: Next big challenge are my cameras. At least, with these, you know that what the cameras see, is what someone else, wherever he is, also sees. And with the help of an app, even you can see it (better check if it is real time and not a replay ^^) Seriously. You are actually using them?? cameras == local storage and if needed, shrink wrapped encrypted and stored elsewhere. (and why not, I dump screenshots on our company's website, works great) I create an inbound VPN if I need to see cameras on my phone.
  • Firewall rules

    0 Votes
    8 Posts
    933 Views
    @abjan Read this note about the limitations of a hostname alias. It may apply to this situation.
  • Wifi(lan2) to LAN Issues on port 443 only

    0 Votes
    1 Posts
    153 Views
    No one has replied
  • Firewall and openvpn

    0 Votes
    1 Posts
    311 Views
    No one has replied
  • I Can't seem to open any Ports?

    0 Votes
    23 Posts
    3k Views
    Datastream101
    @johnpoz Thanks, that's a shame, maybe they could have a "Donate" button, I always used "negate" routers for VPNs where I used to work. No bullshit, also had a dual WAN load balancer at home, that was neat, loved the lights...lol What about...
  • stealth mode

    0 Votes
    5 Posts
    840 Views
    johnpoz
    He says this dmz segment is public IP - so he has a routed netblock? Even if he forwarded traffic, or allowed traffic - this wouldn't expose the pfsense IP of this dmz segment. So yeah need to see these wan rules, and also need to know where he is scanning from.. You see it all the time users saying the wan is open - but they are scanning their wan IP from the lan side, etc.
  • Port 53 being blocked

    0 Votes
    2 Posts
    491 Views
    Gertjan
    @mrjoli021 said in Port 53 being blocked: I am using one of the DMZ IPs to get NATted out to the internet. IPv4: NAT is useful so devices present in your DMZ can get contacted FROM the Internet. Devices in the DMZ can go out to the Internet at will, only restricted by firewall rules on the DMZ interface. @mrjoli021 said in Port 53 being blocked: I am not able to resolve any DNS names. not sure why. I have created NAT rules manually and selected the virtual IP as the source IP and IP based I have internet access, but can't resolve anything. Looking at the firewall rules, I am seeing port 53 blocked from my DMZ IP. Why do you block 53 (UDP and TCP) traffic with firewall rules?? Look again at the IPs used, and check against your rules. @mrjoli021 said in Port 53 being blocked: but can't resolve anything. What is the IP of the DNS used by devices on your DMZ? (Windows => ipconfig /all) Is traffic allowed to that IP? If it is the resolver running on pfSense, is it listening on "All" incoming interfaces, or is the "DMZ" listed in the "Network Interfaces" list? If you are using the resolver, and you are using the ACL list, check again the ACLs attributed. Btw: when you started pfSense the first time, you only had a LAN interface. You created other interfaces, like OPT, OPT2 - or, why not, you named it "DMZ". Make sure unbound (resolver) is listening on that interface. Make sure a DHCP is set up to deal out IPs on the interface. Use temporarily the rule you found on LAN (that one works) - just adapt the "Source IP" info as this is another network. Done: your OPT, OPT2 - or, why not, you named it "DMZ" - works.. NAT rules are created afterwards, if, and only if, devices present on the DMZ need to be contacted by devices from the outside world, the Internet.
  • pfsense traceroute loop when only WAN is up (LAN down)

    0 Votes
    1 Posts
    155 Views
    No one has replied
  • cannot make conference call using Viber

    0 Votes
    5 Posts
    942 Views
    Briansha
    I know that this thread is a little old. But seriously now, who is using Viber in 2021?
  • Multicast Windows Media Center

    0 Votes
    13 Posts
    1k Views
    johnpoz
    @bryansocko said in Multicast Windows Media Center: that was a typo, 255.255.224.0 You mean that is the mask? That is not a valid network address space either.. That is a /19 network... Which seems excessively large.. You have some 8000 devices on this network? But doesn't really matter as long as the actual network is valid space.. Maybe if you draw out how you actually have this connected, if you're using some sort of extenders? Maybe they are NATting? But last time - pfsense has zero to do with traffic on the same network.. unicast, multicast or broadcast, pfsense has no way to control that or limit that or manipulate that in any way.. Pfsense is used to get off a network.. So if you have some devices on 192.168.0/19 for example - and they are actually on the same L2 network. And they want to talk to each other directly, or exchange multicast/broadcast traffic - pfsense is not part of the conversation..
  • Wireless Vlan Traffic out VPN

    0 Votes
    9 Posts
    2k Views
    @stivlong said in Wireless Vlan Traffic out VPN: I know it's an old topic but I was also trying to fix the same issue and landed up here. I was checking solutions on VPNhelpers but finally I am able to fix the vlan.
  • Securing VLANs

    0 Votes
    4 Posts
    641 Views
    Thanks for the explanation about Suricata. You were right, if I turn off DNS on VLAN20 (IoT), the communication between harmony and the phone no longer works, so they communicate over the Internet and not the LAN. Thanks!
  • Chatty IoT device on LAN

    0 Votes
    11 Posts
    1k Views
    provels
    @johnpoz said in Chatty IoT device on LAN: edit: BTW, just remember that the S in IoT stands for "security" ;) hehehehhe Just another reason to not let my dishwasher talk to my refrigerator.
  • LDAP Groups OpenVPN authentication

    0 Votes
    2 Posts
    464 Views
    Any thoughts?
  • 1 Votes
    26 Posts
    1k Views
    @johnpoz I did take two actions based on your response. The first was to disable all of the floating rules. The second was to update the IGMP poller "IPs" in my switches to "IPs" in the subnet range for those VLANs. According to Netgear's documentation, these are not actually "IPs". They are simply used for the election process, and indeed I cannot ping them and they have no ARP entry. However, this did resolve the issue for the IPv4 floating rules. I still get warnings for the related IPv6 rules, but I do not use IPv6 so I do not worry. Thank you for your feedback. It was very valuable.
  • Can not get AirPrint to work across VLANs

    0 Votes
    3 Posts
    484 Views
    @q54e3w Thanks, I added an additional allow rule for UDP port 5353 and it started working again!
  • TCP:PA not following firewall rule?

    0 Votes
    2 Posts
    302 Views
    johnpoz
    @bchan said in TCP:PA not following firewall rule?: the first rule does not catch TCP:PA and TCP:A. No, what that means is there is no state for those.. If the firewall never sees a SYN to create a state, or the state gets removed (say a loss of gateway, and you have flush states on that).. etc.. https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.