• PFBlockerng WAN Firewall Rules

    0 Votes
    6 Posts
    1k Views
    @captaindarth Yes you are right. Denying outbound what is blocked by dns is an extra level of protection. If you were using e.g. pihole, then you would hope the client does what pihole instructs (and doesn't try any hardcoded IPs directly). My ip tab looks like this [image: 1611034680474-50c2e796-bda5-4715-9aed-65a9774e3206-image.png] and a test scenario blocking inbound would be like this [image: 1611034802140-0ba34a82-159a-4f79-b66d-7d1ef0028ae7-image.png] And I'm not using the automatic rule generation, which puts rules first, which isn't what is required most of the time.
  • Blocking specific host on LAN from accessing remote IPSec networks

    0 Votes
    4 Posts
    389 Views
    @chris-ett Absolutely. On ipsec, you also have the possibility to "protect" i.e. allow networks, but that's an ipsec feature only.
  • Configuring ASN in pfBlockerNG-devel/IPV4 Options

    0 Votes
    2 Posts
    270 Views
    MikeV7896
    Unless you were asked to specifically post in this category, you might do better posting in the specific pfBlocker category, since you're asking about that package... https://forum.netgate.com/category/62/pfblockerng
  • Ecowitt weather station [RST, ACK] packets blocked

    0 Votes
    1 Posts
    132 Views
    No one has replied
  • Have I misunderstood 'Invert match'?

    0 Votes
    3 Posts
    1k Views
    @bmeeks, thanks a lot. That makes sense.
  • Unexpected behaviour with multinet

    0 Votes
    5 Posts
    585 Views
    @johnpoz A warm and friendly reply as usual. It's been answered to my satisfaction now but I appreciate the reply, I won't bore you with the details of my network layout. Thanks anyway.
  • Aliases had droven me crazy

    0 Votes
    9 Posts
    651 Views
    Hello! The same thing happens if the fqdn points to a local device, which is the normal use case for me. The feeling I get from aliases is that they are finicky. The idea that you could set up an alias and get one result, and that I could set up a similar alias (I used a /28 network, not a single host in my test) and get a different result bears this out. I get the same vibe when reading through bugs like https://redmine.pfsense.org/issues/9296 There is lots of interesting reading in redmine about aliases. I hope that aliases are working well for most people, but I do have to agree that at times they have "driven me crazy". John
  • PASS rule as an exception to a REJECT rule doesn't match

    0 Votes
    9 Posts
    862 Views
    NogBadTheBad
    @manatee Your best bet would be to use pfBlocker-NG and use ASN numbers to create an alias to use in your firewall rules. [image: 1610712532378-screenshot-2021-01-15-at-12.08.01.png]
  • Packet Capture not seeing traffic within internal network communication

    0 Votes
    14 Posts
    2k Views
    JKnott
    @just-enuff said in Packet Capture not seeing traffic within internal network communication: All of that being on LAN. So if i capture packets on the LAN interface in Pfsense wouldn't it do it from the gateway perspective with ip of 192.168.1.1? No. Read up on how switches work. Switches rely on the MAC address to forward the frame to the appropriate port. So, if A sends to B, pfSense on C will not even see it, let alone capture it.
  • 0 Votes
    2 Posts
    358 Views
    @x_xavier_x Looks like I fixed my own issue. Added a rule so that anything going to the private network gets routed to default gateway, after that everything else is routed to the ATT gateway. [image: 1610638177203-capture.png]
  • pfsense / pfctl bug? clicking X does not kill states.

    0 Votes
    5 Posts
    977 Views
    kiokoman
    @bb-mitch idk, I'm not using it every day but those few times that I used it I never really noticed the problem
  • Pfctl -k id not working?

    0 Votes
    9 Posts
    2k Views
    @luckman212 Just in case people find this, I started a new post: https://forum.netgate.com/topic/159884/pfsense-pfctl-bug-clicking-x-does-not-kill-states I also have a new post on opnsense: https://forum.opnsense.org/index.php?topic=20901.0 I will try to keep both updated. Thank you for posting your success. I LOVE it when people do that. Can't stand when people don't follow up with their own question or just say "fixed it". So you sir, ROCK.
  • Block all sites except 1 and allow social media sites and apps

    0 Votes
    1 Posts
    139 Views
    No one has replied
  • Permanently Remove Host From virusprot Table

    virusprot
    0 Votes
    2 Posts
    303 Views
    NetMartin23
    I try to bring this up again, maybe we will get an answer from somebody who is capable of answering this^^ best regards
  • 0 Votes
    2 Posts
    1k Views
    kiokoman
    @t-rr-ex Maybe try to temporarily disable "Block bogon networks" under interface / wan. I don't see any 5.102.x.x on my /etc/bogons, strange.. I don't have that option enabled, firewall rules are more than enough, maybe a bug or it was present on that old version you are using
  • Things not logged in FW

    0 Votes
    11 Posts
    2k Views
    johnpoz
    @girkers said in Things not logged in FW: recommended Reject rule And where is that recommended? If you would have shown us that from the start - could have answered your question in the first post.. That is not the default for lan by any means.. No info ends up with yet again multiple posts to pull info to try and help someone.. To solve their own pebkac problem.
  • Rule stopped working after ISP change

    0 Votes
    2 Posts
    337 Views
    @amello Well, finished my tests and got it to work. No changes to the ISP equipment. I might have a problem with that installation as changes are not applying after filter reloads. It takes over 5 minutes after it completes to start working. The box is an i5-3470 with 4MB RAM and it's running using 1% of the CPU, so no other reason for the delay I can think of, besides some garbage inside that install. It is working now, but I can't say what caused it to stop working in the first place (I do hate those "it was working before and now it is not" statements). If I find out I will post again.
  • Pfsense Machine Keep Rebooting

    0 Votes
    5 Posts
    706 Views
    Thanks for the reply.
  • Is it possible to temporarily enable logging on all firewall rules?

    0 Votes
    1 Posts
    224 Views
    No one has replied
  • pfSense Default(hidden rules) visible(Read Only via GUI)

    0 Votes
    2 Posts
    734 Views
    DaddyGo
    @smokinmojoe said in pfSense Default(hidden rules) visible(Read Only via GUI): Maybe these should be grey or red Hi, this is how you can influence this: https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html