• Traffic not matching floating rule

    traffic shaping
    3
    0 Votes
    3 Posts
    870 Views
    gnitingG
    @steveits said in Traffic not matching floating rule: Check Status/Queues to make sure the traffic isn't actually in the queue and the state counter just isn't counting up. Check Diagnostics/States and see if the state is matching your source. For instance in order to lower priority on a download the state may be to the webserver:443 and the return traffic matches the state but not the rule. (so, doesn't seem to count up the counter...) Is low_priority_src a LAN IP behind NAT? If so it can't match, see https://docs.netgate.com/pfsense/en/latest/trafficshaper/advanced.html#shaper-rule-matching-tips for info on tagging it. Brilliant, thanks so much for the hint/info on tagging!
  • Duplicate states tracked in firewalling bridge implementation

    bridge states
    2
    0 Votes
    2 Posts
    580 Views
    R
    (bump) Someone?
  • Enable Static IP's & Port's in LAN

    2
    0 Votes
    2 Posts
    360 Views
    slkamathS
    @slkamath Can someone help me to solve this issue? Lokesh Kamath
  • 0 Votes
    1 Posts
    114 Views
    No one has replied
  • Help me understand what this means in firewall and why

    9
    0 Votes
    9 Posts
    1k Views
    DaddyGoD
    @ttime said in Help me understand what this means in firewall and why: Thank you for recommending that. I created a rule to block same traffic in the lan to destination 224.0.0.18 and the logging stopped. Hi, As I mentioned, this is a useful thing in your system... (in fact, I’ll go further.... mandatory, if you work with Cisco Mobility stuff) You will not be able to use this for debugging after this... It’s worth banning things that really bother you... It all tastes and slaps are different BTW: if you have limited "log" storage space, do not lock down the number of rows forever +++edit: That was not the solution
  • Help with WebGUI access on interface other than LAN

    16
    0 Votes
    16 Posts
    2k Views
    F
    I was able to access the GUI from the 30 network only on my mobile phone. With the W10PC connected to the 30 network, it experienced the same timeout symptoms as on 20. This is the first time the W10PC has been able to access the GUI from anything other than the LAN 10 network and plugged directly in the physical LAN port. Thanks for the help and giving me things to check. Hopefully it will work from now on. If the problem comes back, I'll try to replicate the issue, and report back the root cause if possible.
  • Strange behavior firewall rules

    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • 0 Votes
    4 Posts
    572 Views
    johnpozJ
    If you ever question your rules - just post them up.. Always happy to express my opinion on rule sets ;)
  • VLAN Firewall not applying

    8
    0 Votes
    8 Posts
    331 Views
    S
    @hieroglyph Now I understand how pfsense firewall rules work, thanks for the explanation. This topic can be closed now.
  • igb3 dropping packets from igb1

    2
    0 Votes
    2 Posts
    257 Views
    H
    @tinz Some devices will not respond to traffic from a different VLAN. Not sure if this is the case. To get those devices to respond you would need an Outbound-NAT rule to make it appear to that device it is talking to the igb3_address. Outbound NAT Rule: Interface: igb3 Address Family: IPv4 Protocol: Any Source: Network igbx_group (or igb1 and repeat for others) Destination: Network igb3 Address: Interface Address Outbound-NAT to igb3 network
  • Phone not accessing the internet after rule to avoid the router VPN

    28
    0 Votes
    28 Posts
    3k Views
    D
    @dicmo I'm sorry we didn't get that last bit working. At this point I'm out of ideas but am fairly certain that this is not a pfsense issue. My gut sense says it's some setting in the router itself that is denying access to the GUI on the bridged port. But I'm glad you have a workaround if you need it. If you do figure it out some day please post the solution. I'd love to know what it was. I appreciate your thanks. It was a lot of fun getting you to where you are now. Seven years ago or so when I started using pfsense I really had no idea of networking. I've pretty much learned all of what I know through this forum. It's really a great community and I take pleasure in giving back to it when I can.
  • How to allow WAN connexion monitoring ?

    2
    0 Votes
    2 Posts
    390 Views
    DaddyGoD
    @elrick75 said in How to allow WAN connexion monitoring ?: I want to monitor the status of my internet connection. I would like to use the UpTimeRobot service Hi, This is definitely a security risk in my reading, because it is a third party service. We do not open a port on a firewall only when it is very necessary Your PING theory is correct I would do something like this to keep control in my hands: The first step is an external VPS, I use this because it is problem free for the purpose (price / value ratio is the best): https://www.ssdnodes.com/pricing/ Then, I suggest this step by step, this solution know more than which you want to achieve: https://forum.netgate.com/topic/154957/integrating-pfsense-with-kibana/3?_=1616681039265 https://forum.netgate.com/topic/152132/grafana-dashboard-using-telegraf-with-additional-plugins https://github.com/VictorRobellini/pfSense-Dashboard This way you can monitor a lot of parameters and send as many notifications (ALARM) to yourself as you are not ashamed of. +++edit: Yeah and in that case only you will know when you are UP. Because by the way, for this (your WAN(s) UP state + ISP IP + ports + https) no one has anything to do with it...
  • TCP Idle Timeout Confusion

    2
    0 Votes
    2 Posts
    962 Views
    J
    After some further testing, I discovered that the Timeout is actually working, in that it blocks further traffic on the connection after 300 seconds has passed. However, there is no FIN or RSET sent when this happens, I just see TCP Retransmission attempts for the next packet that is sent after the connection is blocked. Is there any way to get pfSense to send a TCP RSET after the 300 second timeout occurs??
  • CoDel limiter blocking WAN2

    1
    0 Votes
    1 Posts
    225 Views
    No one has replied
  • SIP Not Working Behind Pfsense

    20
    0 Votes
    20 Posts
    2k Views
    bingo600B
    @janiboy said in SIP Not Working Behind Pfsense: i got this on my side, my panasonic NS300 ip 192.168.1.102, my WAN is 10.200.94.182. Please note that even if your "Wan is 10.200.94.182", that is not your public ip address (aka the ip address you are seen with on the internet). Somewhere between your "Wan" and the internet someone is Natting your 10.200.94.182, to a non RFC1918 ip address. You could (from a browser behind your WAN), go to this site: https://www.myip.com/ And it will show what IP you currently are seen as on the internet. That would also be the ip address that external sip devices (phones/servers) should reply to. /Bingo
  • The dreaded Alias DNS name table bug still exists in 2.5!? Fix?

    3
    0 Votes
    3 Posts
    400 Views
    Bob.DigB
    It is working fine here so no general problem in 2.5.
  • What are people using as there pfsense firewall/router?

    50
    0 Votes
    50 Posts
    9k Views
    D
    @johnpoz: I have a 75/75 for $90/mo, and I just measured 65/72. When the “pandemic” started they took speed caps off for all customers without charging any extra, until the 2020 spring semester ended and did that again starting in the late fall. I saw speeds in the 400s both up and down. Alas, they are back to normal. Where it would matter would be, if I had the desire to achieve LAN-like speeds between sites, for file server access. I don’t really have such applications. I do do cloud backups, but those are bottlenecked at the server end, anyway. Should the need for higher throughput arise, I would love to be able to borrow an SG-2100 or SG-3100 to see, whether those would improve it. Not sure, whether Netgate could accommodate that.
  • Pfsense 2.5 state

    1
    0 Votes
    1 Posts
    241 Views
    No one has replied
  • Subnet 45.82.228.0 blocked as bogon

    1
    2 Votes
    1 Posts
    156 Views
    No one has replied
  • Outgoing port 22 vanishing through cable modem

    4
    0 Votes
    4 Posts
    738 Views
    S
    Are there any security settings on the Cox modem that can be disabled?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.