• Are these commands good for opening ports needed by FiveM

    2
    0 Votes
    2 Posts
    227 Views
    GertjanG
    @KNG-Taco netsh: Command not found. Do you have more info ?
  • CPU 100%, unbound and dhcpd restarting whenever the filter reloads

    19
    0 Votes
    19 Posts
    2k Views
    bmeeksB
    @pfuser23984 said in CPU 100%, unbound and dhcpd restarting whenever the filter reloads: Just don't automatically discount the NIC, though. As mentioned, the Realtek devices can work okay and then start to get flaky when traffic loads increase. Lots of Google search results detailing that. When you installed the latest kmod driver, did you follow the steps outlined in this post: https://forum.netgate.com/topic/160529/realtek-nic-and-watchdog-timeout/13? SOMMOMMA!@##@!! That did it. I am used to Linux where loading kernel drivers is easy to do and easy to verify. I did the install with pkg install realtek-re-kmod and rebooted... but the echo 'if_re_load="YES"' >> /boot/loader.conf.local was needed to load the new driver. Not really an intuitive process. I ran through my tests, and the problem is gone now. I've even restored gateway monitoring, patches and watchdog. The rc.newwanip still does its thing, but the re1 NIC no longer flaps, the dhcpd / unbound services no longer crash, the CPU no longer spikes making the system unusable until php-fpm is restarted. Thank you so much. Glad that fixed it for you.
  • Firewall rule to allow SIP traffic

    4
    0 Votes
    4 Posts
    455 Views
    D
    @SteveITS Hello Stevel, thanks for your comment. I have got it working. Did port forwarding like you advised.
  • ICMP Type 3 (code 4)

    5
    1 Votes
    5 Posts
    823 Views
    M
    yeah it could be clearer in the GUI. But basically Type 3 covers all the subtype's codes the OP mentions, including re: fragmentation. More info on the subtypes can be found online but the IANA site has a very good page on it: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
  • Interface Groups and dns redirect

    4
    0 Votes
    4 Posts
    332 Views
    johnpozJ
    @CatSpecial202 said in Interface Groups and dns redirect: What makes individual rules per interface easier to troubleshoot? because you're looking in 1 place for all the rules that could affect traffic coming into this interface, vs looking at groups, is this interface in that group? Is the group rule correct for the source IP into specific interface? etc.. But hey you do you.. Doing this since there were firewalls, before actually - when they were just packet filters.. And seeing all the rules in one place in the specific order they are applied is easier ;)
  • *Allow* IOS Facetime/iMessage Home Network

    10
    0 Votes
    10 Posts
    2k Views
    tinfoilmattT
    @michmoor said in *Allow* IOS Facetime/iMessage Home Network: Why would anyone need to create firewall rules for IoT device(s) ? If you need to ask...
  • Firewall rules for Guests network on IPv6?

    11
    0 Votes
    11 Posts
    1k Views
    JKnottJ
    @johnpoz said in Firewall rules for Guests network on IPv6?: You want a simple solution - don't give your guests an IPv6 address ;) For a simple solution, look at my post of my guest WiFi rules.
  • Subnet & Address w/ source and destination of firewall rules

    8
    0 Votes
    8 Posts
    789 Views
    chpalmerC
    @CatSpecial202 No. If you do not have any rules then everything is denied by default. Once you start adding rules then the top rule is parsed first. block block block then "allow all" that does not violate the block rule(s) above it. Anything not expressly stated by the rules above then hits the default deny rule.
  • 0 Votes
    18 Posts
    3k Views
    W
    @Wylbur Sorry I replied to the wrong person. But I think you were also having a similar problem.
  • Alias Entries Are Not Being Added To The Tables (Even Hardcoded IPs)

    30
    0 Votes
    30 Posts
    2k Views
    bmeeksB
    @dark-baritone said in Alias Entries Are Not Being Added To The Tables (Even Hardcoded IPs): I searched and it looks like it's already being tracked: https://redmine.pfsense.org/issues/15708 Ha! That's probably where I ran across the mention of a FreeBSD limit. I didn't recall where I had seen that, but it probably was that Redmine ticket. Getting old and so easily forgetting stuff is such a pain in the rear --
  • Can't block IPs - must be missing something

    6
    1
    0 Votes
    6 Posts
    461 Views
    bmeeksB
    @Zululander said in Can't block IPs - must be missing something: Reading online I could apparently achieve same subnet blocking if I used pFsense in Bridge mode but VLANning seems to make more sense to me. Generally the use of bridges should be avoided if at all possible. They can introduce other weird issues besides being a bit of a CPU burden in high traffic conditions. A dedicated Ethernet switch can do the job much better. Use VLANs or some other dedicated interface port on the firewall if you want to segregate traffic.
  • Pfsense with Modsecurity

    1
    0 Votes
    1 Posts
    316 Views
    No one has replied
  • Firewall log: exact IP match

    6
    3
    0 Votes
    6 Posts
    493 Views
    H
    @jimp Hi Jimp, I didn't post previous screen for security reasons, entries were present ;) In any case, I tried your command for multiple grep matches and it works! Thank you a lot! Have a nice day. Giuseppe
  • [resolved]accessing internal site from external IP

    6
    0 Votes
    6 Posts
    6k Views
    Z
    @mrfibreoptic I am sorry for replying to a quite old thread, not even sure how I got here. But I am a "historian" and can demystify ancient fables. (if you read cursive, the national archives has a job for you). I'd like to provide at least 1 solution that will solve this for people, so the thread is not a dead end. This is a common situation that companies run into. They create a local domain called "AnyRandomCompany.com" and join all of their local computers to that domain and then later purchase the public domain which has the same name for their customers/public to access their web site. A lot of times, the routing will work where they can access the External IP address that the public DNS records are pointing to, but in many other cases (depending on the router/firewall) they cannot. If you find yourself in this situation, the best solution is to run your own Internal DNS server or forwarder. A dedicated DNS server (such as PiHole) can have Static DNS entries created that will resolve BEFORE asking the public DNS servers. You can create the Internal DNS A record using the Internal (rather than the External/NAT) IP address. Many Routers (some people call them Access Points/Modems) also have this capability. Some will call it DNS Forwarder others DNS Records. Some may even call them "Forward lookup zones". The key is to create a local DNS record that your internal hosts can resolve locally while the public DNS records are stored on public DNS servers. If you only have a single computer or two on your network that need to use the private IP address (not the public one) then you can also modify your hosts file and add an entry for "123.123.123.123 AnyRandomCompany.com" Hope this helps a few people in the future.
  • Squid port 3128 and Firewall Rules

    squid firewall rules default deny acl lan
    27
    1
    0 Votes
    27 Posts
    8k Views
    JonathanLeeJ
    Could it be set flags SYN ACK ? and or state type keep or sloppy ?
  • Allow Connections to Linux Update Servers

    2
    0 Votes
    2 Posts
    271 Views
    johnpozJ
    @sfsdfsdfsdf said in Allow Connections to Linux Update Servers: Is there a way to allow a Domain in PfSense ? you can create an alias with the fqdn you want to allow, those are updated like every 5 minutes.. You can run into a problem sometimes when/if the clients and this list are not in sync and client tries to talk to a different IP than what is in the alias - more likely if the client doesn't use pfsense as its dns, etc. But normally that should work. While the IPs might change around a bit, ie round robin sort of thing.. They most likely don't really change and you could point to just 1 or a few of those IPs.. You could create your host override records in pfsense for specific fqdn you use to get your updates, so clients would always go to one of those IPs and you can allow those.
  • Default deny rule drops is triggered on localhost connection

    1
    0 Votes
    1 Posts
    180 Views
    No one has replied
  • SSL Certifications Not Trusted On My System

    6
    0 Votes
    6 Posts
    614 Views
    S
    @Gertjan @johnpoz Greetings, I appreciate both of you! My FQDN wasn't matching, that's all. I briefly got a DNS rebind error, but added the domain to the Alternate Hostnames list. So far, everything is working! Thanks so much!
  • Xiaomi Home Camera Access from Mobilenet

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • PFSense Firewall setup help needed!

    5
    0 Votes
    5 Posts
    1k Views
    D
    @Gertjan thanks for the reply!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.