• XG-1537 transparent bridge traffic

    0 Votes
    1 Posts
    147 Views
    No one has replied
  • IPSec tunnel issues with one way audio

    0 Votes
    2 Posts
    401 Views
    Found the issue. Not pfSense but FreePBX. I didn't add site B's network to my Asterisk settings. In case anyone else has this issue!
  • 0 Votes
    1 Posts
    204 Views
    No one has replied
  • System Logs - No logs

    0 Votes
    3 Posts
    422 Views
    I solved the problem: 1/ Delete all log files from the /var/log/ folder: rm /var/log/*.log 2/ Restart pfSense.
  • 0 Votes
    14 Posts
    1k Views
    @johnpoz great! Thanks for the explanation. Will use that example and modify it for my setup.
  • Firewall blocking unknown/unused IP and port

    0 Votes
    15 Posts
    2k Views
    johnpoz
    Ok - but if you don't have relay or DHCP enabled on an interface, there will be no rules for allowing DHCP/relay of DHCP. So yes, if you are logging all default blocks, then you would see DHCP discover blocked in the log, even if you have some other device on that same network answering DHCP. It would just be log spam at this point. You could set up a rule not to log that traffic if you wanted. But if you're seeing some 172.16.16.16 address spamming your log via some broadcast on some odd 63xxx port, I would track down what is spewing that out and figure out why before you just stop logging it. Have you found the MAC address yet? It really should only take you 1 minute if you're seeing the traffic as much as you say you are.
  • The rule that triggered this action is blank

    0 Votes
    6 Posts
    921 Views
    johnpoz
    If the rule was not deleted you can find it, sure. pfctl -vvsr would show you the ID numbers.
  • Config PFS Load-balancing / failover without NAT/Firewall

    0 Votes
    1 Posts
    134 Views
    No one has replied
  • DDoS attack - need help!

    0 Votes
    4 Posts
    853 Views
    johnpoz
    If it's a state exhaustion attack, that can sometimes be mitigated at the firewall. Are you trying to block the countries they are coming from? Not sure what you're trying to do with pfBlocker. You're going to have to show us what you're trying to do with pfBlocker. Do you have a list of known bad IPs that are being used in the attack, a list of ASNs? IP ranges? IPs from countries? Create your alias that lists the IPs you want to block and put it in front of your port forward on your WAN rules. IPS could be used to filter traffic based on some signature that distinguishes good traffic from bad traffic to the same port. But as stated, if it's a volumetric attack, there is nothing you can do on the firewall. A volumetric attack has to be mitigated upstream of your pipe, be it 1 gig, 10 gig or even 100.
  • Firewall log - Attack warning

    0 Votes
    11 Posts
    1k Views
    johnpoz
    Agreed, that is not SSH, but his top SSH rule shows no hits. But as I stated, we are not seeing the whole picture here. We have no idea what those bottom rules are; they are not using aliases, and they don't even show what the port or destination IP is. But they do have hits.
  • VPN pfBlockerNG

    0 Votes
    5 Posts
    1k Views
    DaddyGo
    @flegy said in VPN pfBlockerNG: "I am using pfSense as NAT to my web server." The best solution, if you want a serious solution (then you don't always have to worry about VPN IPs): a CDN = https://www.cloudflare.com/plans/ - penny stuff, 20 a month.
  • Connection refused from Apache in DMZ

    0 Votes
    18 Posts
    1k Views
    johnpoz
    What is the WAN IP of the router? If it's CGNAT (10.64/10) or RFC1918, then no, you're not going to be able to reach it from the internet unless your ISP has set up a port forward for you. I really have no idea what this means: "IP Public Dinamic & Private". Is your connection via PPPoE? And you have an RFC1918/CGNAT address and then an actual public IP for the PPPoE interface? ICMP has no port, so it can be difficult to forward. What I would suggest you do for testing is pick some TCP port, let's say 4444 or something. Set up that forward on the edge router (ISP device) to forward to the WAN IP of pfSense behind it. Now sniff on the pfSense WAN interface for that port, and then go to canyouseeme.org and generate traffic to that port. You should see it in your sniff, whether pfSense is forwarding or allowing it or not, etc. [image: 1608203934108-test.png]
  • Logging asymmetry not allowed for Auto Rules?

    0 Votes
    1 Posts
    144 Views
    No one has replied
  • Gateway offline

    0 Votes
    6 Posts
    710 Views
    @viragomann I moved the cables of the LAN NIC of FW1 and the WAN NIC of FW2 to a dedicated switch. I then cleaned up the various rules of both firewalls, because evidently by continually testing, some rules had come to overlap each other. Now the gateway works, and from the LAN of FW2 I can navigate through FW2 and FW1. Thanks for your help.
  • 0 Votes
    4 Posts
    8k Views
    @bkraptor Super helpful!! Thank you! It makes sense to me now.
  • I don't get it

    0 Votes
    14 Posts
    1k Views
    johnpoz
    @derelict Yeah, I already linked to redmine and told him the same thing ;) But he is saying he has no VIP, etc. So yeah, would like to see his full rule set to see why this is happening. Also he is using 2.5, so it's possible there is something going on when there shouldn't be. Really need to see the full rule list to know what is going on.
  • Public IP over VPN and security

    0 Votes
    7 Posts
    435 Views
    johnpoz
    You don't need your ISP to use IPv6. As mentioned already, just get a free tunnel from HE. It's FREE, and you can get a /48 from them: https://www.tunnelbroker.net/ Takes all of a few minutes to set up with pfSense.
  • WAN Default deny rule IPv4 (1000000103) TCP:S

    0 Votes
    7 Posts
    3k Views
    @johnpoz At the moment I have separated the FQDN aliases from the numeric ones and created specific rules for the FQDN ones. For now everything seems to work smoothly; however, I hope the developers correct the problem.
  • LAN Allow Rule Overridden by Default Deny

    0 Votes
    20 Posts
    1k Views
    johnpoz
    Yeah, told you right up front it wasn't pfSense ;) Glad you got it sorted. Can just delete this whole thread if you want, but we should leave something showing the R in the log, and how that is just pfSense blocking what is out-of-state traffic, etc. Unless you see S in the log, it means the traffic is out of state for whatever reason, and yeah, that will be blocked by any stateful firewall ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.