[image: 1616041445822-screen-shot-2021-03-17-at-21.23.53.png] When using floating rules the source of the traffic is after NAT though. :)

@johnpoz said in disappearing pings: I would take it as a win that you figured out what was going on... Yes, thanks to you and Stewart to pointing me in the right direction. I certainly learned some useful things along the way too. I do have to say that this virusprot arrangement feels like a violation of the law of least surprise. I see now that it is documented but I guess I thought i understood rate limiting well enough to skip the fine print. Oh well.

@smaxwell2 said in IPv6 Firewall Rules: So I have around 40x VLANS on pfSense. 40???? Why so many? Are you trying to do something that might be better done another way?

firewall self is all IPs on the firewall, lan, opt x, opt Y, etc.. lan net is just that whatever the lan net is 192.168.1.0/24 - or 192.168.2.0/24 - what did you make the lan net.. Network is just any network you put in..

@gertjan Thanks its done If any one having this issue you can refer to this thread and get your issue resolved. So far its working as I expected I also added public dns server from Feed . Regards

@alex71 said in Block all streaming audio/video with pfsense: I need to stop stream sites (twitch.tv and others) in the morning!! Because they offer bad quality only in the morning ? ( edit : I guess I do not understand the question )

@aamircomputerprogrammer Maybe. Test it

@mdwarf Your 1:1 NAT rule forwards the traffic to the pfSense LAN address, but it should be forwarded to the LAN gateway.

Figured it out, I had the source interface reversed.

@cubiche https://forum.netgate.com/topic/161768/deny-opt1-wifi-to-lan/5?_=1615232404097

@theskelly If available, enable and configure DHCP snooping. Don't forget to enable the static entries to bypass (generally prefer to trust a MAC over a port, in case something else ends up on the port). This combined with ip arp inspection can significantly reduce noise and coerce clients to operate correctly. If that network exists anywhere in your environment, you might have something acting as a logical bridge between VLANs. You might opt to end the rule set for the interface as (especially for 'untrusted' segments): pass from <interface network> to <appropriate destination/s> block log from any to any May seem a bit strict but ensures that only accepted sources transit the firewall's interface, inbound. Making sure that any earlier rules don't allow bypass.

Turns out I need to "sudo" with my dedicated user for the command to work. Like this sudo easyrule block lan 192.168.1.21

@oilahkestrada [image: 1615146743127-states.jpg]

@tomekk Pls. describe the settings of the two interfaces... (with PRTSC or whatever) default rules do not exist between LAN and OPT1 ....... x interfaces just watch this: [image: 1615047854931-06439ebe-3203-40fb-bdff-7265d32b1549-image.png] [image: 1615047881513-a0ea96ad-f37c-4c9a-8d70-c81b17ba023e-image.png] [image: 1615047896000-51f377d6-9fe6-4d9e-81a4-0fe4a6f77c29-image.png]