• Interface rule order

    0 Votes
    6 Posts
    918 Views
    johnpoz
    Post up a screenshot of your rules. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. If you're saying you're not seeing any hits on your rule either in the interface firewall tab (the 0/0 in states column) or the log when you have the rule set to log, then it's not being triggered. Most likely because you have the rule written in such a way it's not matching. So show us the rules you actually created via a screenshot, and then the log entry you're seeing.
  • Sample firewall policy home network

    0 Votes
    5 Posts
    683 Views
    DaddyGo
    @lilmonkey said in Sample firewall policy home network: I am interested in some samples as well. Each network is different (SOHO, Enterprise, etc.); there is no one that can present a sample for your network without prior information, knowing nothing about your devices and plans (you can learn the philosophy of pfSense (NGFW) from the links provided - of course you should also have networking experience). Please post a planned network topology and you'll get plenty of help. BTW: what do you mean by this VoIP thing?
  • Firewall rule source address

    0 Votes
    9 Posts
    1k Views
    pari
    Nah! Doesn't do a thing! As long as the VIP is existing, the second filter gets created and therefore applies the Block to anything not coming from whatever the VIP's IP is. The VIP itself is created automatically by pfBlocker. So no way around the !Net Problem. However - it shouldn't have any impact as the rule's effect is applied by default deny anyway. --> geoIP... another topic for another day. ;-) Take care, P
  • What is the hostname alias refresh frequency?

    0 Votes
    2 Posts
    425 Views
    Derelict
    @bughit System > Advanced, Firewall & NAT [image: 1609915621347-screen-shot-2021-01-06-at-1.46.02-am.png] https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html
  • LAN any to any not working

    0 Votes
    3 Posts
    426 Views
    G
    @viragomann You were absolutely correct about the firewall. This was a Windows 10 PC that I put on that network and just assumed (I know, my bad) that it wouldn't be a problem. After turning that off, the pings went through just fine. In addition, pings from other devices on the LAN also return. Thanks for your suggestion.
  • Single IP and more Web servers.

    0 Votes
    8 Posts
    792 Views
    V
    @whitetiger-it Yeah, seems to have got the wrong link. But load balancing is another feature of haproxy. There is no need to use it. Simply set up each of your internal web servers as a backend. Then configure your host names as frontends. In these settings you can state a backend to use for that host name. So if you have a unique host name in the frontend and stated only one backend, there is no load balancing at all.
  • How to configure internet connection behind LAN interface?

    0 Votes
    2 Posts
    338 Views
    A
    The issue is hardware related. A USB-Ethernet adapter is giving me trouble. Internet and IPTV are working after switching (not replacing) NICs. WAN: Onboard (1Gbps) LAN: PCIe (1Gbps) STB: USB (100Mbps)
  • subnet routing

    0 Votes
    9 Posts
    786 Views
    C
    @kiokoman said in subnet routing: if the network is ok only a firewall rule is needed so you can exclude any other settings? > Perfect, good to know. Thanks.
  • 0 Votes
    1 Posts
    159 Views
    No one has replied
  • Block all IPv6 Log Entries - please help me to suppress

    0 Votes
    19 Posts
    6k Views
    I
    @johnpoz Awesome. Thank you so much!
  • FW rules not working as designed.

    0 Votes
    19 Posts
    1k Views
    G
    Feeling really silly and slow due to my findings....LOL In any case, I would like to thank everyone for the responses and assistance provided. After looking at the packet dump and analyzing the network I discovered that Win10 was the issue. For some reason the FW was seeing Win10 out of sequence and blocking the UDP:43 and TCP:S for TLS over 443. Now the rules are set as previously presented and working wonderfully!!! Thank you again guys, much appreciated!!!
  • Allowed but blocked

    0 Votes
    7 Posts
    829 Views
    C
    @viragomann Thanks for saying. I'll keep an eye on this. For now torrents are downloading. I was bothered by the FW log because it mentioned a rule I failed to locate, making me believe actions were performed against my design. It's interesting how the perspective shifts, from looking to place tech at home capable of filtering traffic at best, to asking on a forum why the tech can't just allow it all.
  • Pfsense has DPI with SSL / TLS / SSH Decryption?

    0 Votes
    12 Posts
    9k Views
    JKnott
    @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?: pf (and iptables for that matter) handle Ethernet traffic, so called packets upon the headers of these packets. Actually, it handles IP traffic, including IPv6. I'm sure it would work equally well on token ring or arcnet frames.
  • There is urgent support internet pinging googley but

    0 Votes
    4 Posts
    477 Views
    Gertjan
    @nurullahcan said in There is urgent support internet pinging googley but: There is urgent support internet pinging googley but I do not give internet to the local network, I get ip but I cannot access the internet Easy !! Install again. Do not change any settings. No, do not change settings ! Everything will be fine now. Accessing Google will work. The access to the entire Internet will work. ( kept phrases simple and easy to translate )
  • Rules order changes pfblocker - OPEN VPN issue

    0 Votes
    4 Posts
    556 Views
    V
    @bambos said in Rules order changes pfblocker - OPEN VPN issue: is this GEO IP blocking for bad reputation IP's or everything ?? I'd suspect GeoIP blocking, however, check your firewall logs to find that out.
  • 0 Votes
    69 Posts
    5k Views
    bingo600
    @johnpoz said in Need help with my VLAN firewall rules to make sure they do what I think they do: While I am a fan of pihole - this is just borked.. Totally agree .. Fix for an old outdated OS, and "bork" everyone else. Same goes with some of the nonsense they are trying to do with dnssec.. If you're going to forward, dnssec is pointless - he doesn't get that either.. I thought they wouldn't touch DoH at all as "PH is not a security product" Maybe we should fork their code ;) He..He Intriguing, but I doubt I have time for that. /Bingo
  • No routing between subnets even with firewall disabled

    0 Votes
    13 Posts
    1k Views
    T
    I dropped off to go watch a movie, but am back now. One thing I noticed is that when I am doing an endless ping of www.google.com, going back to the dashboard traffic graph, I am seeing a pretty constant 50 B/s load on the VPN interface. So that tells me traffic IS going to the VPN interface from OPT2. You see exactly when I stopped the ping too. [image: 1609036702141-traffic-graph.png]
  • 0 Votes
    7 Posts
    736 Views
    I
    @netblues I see. That makes sense. Thank you!
  • WebGUI access from OPT to LAN

    0 Votes
    3 Posts
    426 Views
    Gertjan
    @bingo600 said in WebGUI access from OPT to LAN: s i don't want to create a google account just for that. Worse. I have a google account, and I'm logged in. Still [image: 1608970489764-b929e7b8-5d0b-4a2b-bec8-9118f011dc45-image.png] What about hitting Ctrl-V to paste an image here ? Like : I just did above. @ netgate_newb : Remember the firewall rule you found on the LAN interface when you started pfSense the first time ? that's an important clue. Create the same one on your OPT1 interface. You could even "Copy" the rule found on LAN, and change the Interface to OPT1 and change the source from LAN-net to OPT1-net and done. PORTAL is my renamed OPT1 interface : This one will do : [image: 1608970977733-dab78120-ca5c-436e-bcc0-3ce7698fc733-image.png]
  • Nginx Messages

    0 Votes
    13 Posts
    1k Views
    hugoeyng
    @gertjan The question was not about "why it happens". The question was "how to avoid it happening". I deactivated the firewall rule that passes all connections to port 443. This avoids the webGUI being visited from outside.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.