• Whatsapp voice and Video call not Working?

    0 Votes
    4 Posts
    2k Views
    GertjanG
    Then, at least undo this: @hacksmith said in Whatsapp voice and Video call not Working?: LAN to WAN only 80, 443 allowed for all nodes. And put back the default LAN rule you found on LAN when you installed pfSense. Aren't your LAN clients complaining?
  • Firewall rule bug?

    0 Votes
    15 Posts
    1k Views
    W
    @bwoodcock Thanks for your help. It seems I believed that this was a bigger issue than it really is. Your assistance is greatly appreciated. This issue is now closed.
  • IP addresses suddenly blocked

    0 Votes
    1 Posts
    506 Views
    No one has replied
  • Allowing only specific DNS server through firewall

    0 Votes
    9 Posts
    1k Views
    M
    @gertjan said in Allowing only specific DNS server through firewall: The rules with a red line in front of them: [image: 1607606460036-1805b28a-9c76-4fb5-ad1e-46e6a1a59f10-image.png] are disabled right now. Yes, thank you for taking the time to reply. As I explained in my post, they are temporarily disabled because when I turn them on, DNS on the network stops working. What I am trying to accomplish is for DNS to work once these are enabled. I am going to try the NATing suggestion above.
  • Firewall state created against loopback when PPPoE down

    0 Votes
    2 Posts
    353 Views
    M
    @mh-nz You can get around that with the following workaround: Create a reject non-quick floating rule that is fairly specific to the traffic in question. On this rule, do not select any interfaces. Create a second pass non-quick floating rule that passes the same traffic. This time, select the WAN interfaces, and set the direction to "out". This should prevent states from being created on the loopback interfaces, as the reject rule matches all interfaces (including loopback), and the pass rule overrides the reject rule only for the given WAN interfaces.
  • Teredo over wan instead of OpenVPN

    0 Votes
    1 Posts
    178 Views
    No one has replied
  • Suricata & Citrix Workspace

    0 Votes
    7 Posts
    825 Views
    bmeeksB
    @ericnix said in Suricata & Citrix Workspace: @bmeeks Thanks for all your help with Suricata. I've noticed that my UDMP's network scanner triggers a lot of alerts shortly after midnight. I don't want to suppress the alerts, but would like to block them by IP (10.0.1.1 is my router's address). I have the pass list checked to ignore gateway devices, which my router is listed as in pfSense. Any suggestions on how to get these alerts to go away? Basically they're port scans. No, if they trigger the rule they will continue to trigger the rule. You can suppress alerts by source or destination IP if that helps. So if the port scan is triggered by a particular device in your network doing something legit, you can suppress the alert for that particular IP. Hover over the icons on the ALERTS tab and little tooltips will pop up showing you what each icon does. Under the SRC and DST columns there are icons for suppressing that alert (identified by the GID:SID combo) when the Source (SRC) or Destination (DST) IP address matches. So assuming your scanner machine has the IP 10.0.1.5, suppressing by Source IP would put a line in the Suppression List that basically says "when the source IP is 10.0.1.5, then don't fire this rule". Snort had the same feature if you used it. If not, consult the official Snort documentation and search for "rule thresholding". That is the official name for the suppression action.
  • UDP Hole Punching

    0 Votes
    9 Posts
    2k Views
    kiokomanK
    @mobydick426 Uhm, I've made some tests and nothing is passing without a firewall rule. TCP client is blocked, UDP also:
    Dec 7 15:23:17 WAN USER_RULE (1559836757) 93.36.17.251:36738 217.133.xx.xxx:48570 UDP
    Dec 7 15:23:14 WAN USER_RULE (1559836757) 93.xx.xx.251:36738 217.133.xx.xxx:48570 UDP
    Dec 7 15:23:02 WAN USER_RULE (1559836757) 93.xx.xx.251:36738 217.133.xx.xxx:48570 UDP
    Dec 7 15:14:31 WAN USER_RULE (1559836757) 93.xx.xx.251:36228 217.133.xx.xxx:48569 TCP:S
    Dec 7 15:14:28 WAN USER_RULE (1559836757) 93.xx.xx.251:36162 217.133.xx.xxx:48569 TCP:S
    [image: 1607351268930-immagine.jpg]
  • How can i access the host from different interface and different subnets?

    0 Votes
    4 Posts
    463 Views
    V
    @johnpoz said in How can i access the host from different interface and different subnets?: You're not really using /16, are you? I didn't notice.
  • enable access to web portal

    0 Votes
    4 Posts
    505 Views
    C
    @kiokoman said in enable access to web portal: pfctl -d THANK YOU SOOOO MUCH :) pfctl -d this worked
  • No Internet with smartphone 4G

    0 Votes
    5 Posts
    581 Views
    W
    @viragomann said in No Internet with smartphone 4G: @whitetiger-it System > General Setup In General Setup / DNS Server settings there are only the two Google DNS. Where is 192.168.43.2? Now with WAN DHCP I have address 192.168.43.106, but the Gateway is always on 192.168.43.2. This is actually the IP of the Access Point, but if pfSense looks for the DNS here we are in bad shape.
  • Dropping all ET COMPROMISED

    0 Votes
    5 Posts
    696 Views
    kiokomanK
    @hebein Yes, you only need to put that inside drop.conf and all the compromised IPs will be blocked. I have this inside mine: emerging-ciarmy,emerging-compromised,emerging-dshield,emerging-coinminer. This way I don't need to change rules one by one.
  • Pass list is not working in Suricata on PFSENSE ( latest version )

    0 Votes
    8 Posts
    2k Views
    bmeeksB
    @lovidi6842 said in Pass list is not working in Suricata on PFSENSE ( latest version ): @teamits Thank you <3 Or, if you have Inline IPS Mode enabled, there is no Pass List option then, as it is not used in that mode. For Inline IPS blocking, you need to create your own Custom Rules with the PASS action. But in reality the Pass List function is really not needed with Inline IPS Mode.
  • How to defeat SYN with snort on pfsense ?

    0 Votes
    1 Posts
    157 Views
    No one has replied
  • iiS websites slow behind firewall

    0 Votes
    1 Posts
    163 Views
    No one has replied
  • Help Needed for port forward configure

    0 Votes
    2 Posts
    131 Views
    RicoR
    https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html -Rico
  • LAN + Opt1 bridge or not

    0 Votes
    1 Posts
    145 Views
    No one has replied
  • TTL Value Change for Captive Portal

    0 Votes
    2 Posts
    275 Views
    GertjanG
    Hi, You saw "Mangle" and "postrouting", which means iptables is in play. iptables == Linux only. From what I know, the firewall pfSense uses (based on FreeBSD != Linux) can not / doesn't permit us to modify the portal network's outgoing packets so its TTL gets reset to 1. Not by using the GUI. CLI: I don't know - guess not. Btw: I saw this question subject several times on this forum. https://forum.netgate.com/topic/152379/how-to-change-captive-portal-ttl-value/2?_=1606902129387 And https://lists.freebsd.org/pipermail/freebsd-net/2005-April/007098.html (ok, this is old.) https://forum.netgate.com/topic/9813/rogue-access-points?_=1606902129390 Maybe a question for FreeBSD itself, there where they develop pf and ipfw, as both are just for the captive portal.
  • Which is faster?

    0 Votes
    3 Posts
    420 Views
    JKnottJ
    @awebster said in Which is faster?: Logically more CPU cycles will be used to process multiple rules than to process a single rule containing multiple addresses, as it can use an address lookup table to speed things up significantly. That's what I suspected. tnx
  • Open Port to pfSense XG-1541 (Separate Router)

    0 Votes
    1 Posts
    141 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.