• Which is the best way to know if traffic is blocked by pfSense?

    0 Votes
    11 Posts
    2k Views
    awebster
    The reason the problem happened in the first place is because of the monitor address that you used. pfSense will install a static /32 route for the IP address of the gateway monitor into the routing table, thus forcing all the traffic going to that IP into that link. You should perhaps use the IP address on the other side of the link as the monitoring address (usually the gateway).
  • Subnet to Subnet routing (LANs) not a windows firewall issue

    0 Votes
    3 Posts
    392 Views
    @johnpoz Thanks, this is what I expected. The Edgerouters have no firewall on the LANs, so they don't maintain state (assuming I correctly understand the ER). I thought the combined hosts+transit networks would be simpler (no manual gateways to configure) and faster (one router transit instead of two), but apparently it doesn't work. I did try "Bypass firewall rules for traffic on the same interface", but that didn't help; the LANs aren't on the same interface. I might try the manual fix on the Troubleshooting Asymmetric Routing page, but I will just go with your solution. I was hoping there was a way to completely disable the LAN firewall(s) while keeping the WAN NAT/firewall, but I don't see that option.
  • Why don't firewall rules apply to traffic coming from Android devices?

    0 Votes
    6 Posts
    319 Views
    JKnott
    @mcbuckets Do you have different SSID & VLAN for some things?
  • DNS Blocking stops internet

    0 Votes
    12 Posts
    1k Views
    @bmeeks No offence taken. I am inexperienced, but I am getting the hang of it more and more. I was recently able to set up my VLANs, site-to-site VPNs, a limiting schedule for the kids and many other things at home and at work. At work I am using Meraki and HP and can get going without too much trouble. One of my issues with pfSense is that I do not find the GUI intuitive. That, summed up with my inexperience, does not always make things easy for me. But I usually need to be told something only once. I am getting more and more proficient with networking, but firewall administration is another story. I think I have it set correctly now. The DNS server of my clients is now the gateway of the LAN. Adblocking does not seem to be applied by pfBlocker, but porn sites are blocked, so I am getting there. Thanks again.
  • Trying to port forward to a Hyper-V appliance

    0 Votes
    3 Posts
    352 Views
    @viragomann Thank you for the reply. I connected when the ovpn file went to 192.168.23.226. Changing that to my DDNS caused it to fail. Thus, the server works; it's getting past the router that I can't make work. As I said, port forwards and/or firewall rules in all manner of combinations did not work. All connection attempts ended in a 'hard reset'. No, I did not try any sniffers, as I don't know how to use them. Besides, there's nothing to sniff. I'm assuming the objective I want to achieve is no different from someone trying to get through pfSense and into a server for any other purpose. I've done that before on several occasions using simpler routers. A simple port forward worked in those cases. Also, I forgot to mention, I used my cell phone as a hot spot to simulate trying to get in from outside the home. I used the Verizon network.
  • WAN_DHCP Gateway Falsely Showing Down b/c of Firewall Rule Blocking Ping

    0 Votes
    2 Posts
    153 Views
    Just checked /tmp/rules.debug again today and realized the rule is in fact in there: antispoof log for $WAN tracker 1000001570 The WAN interface is getting a DHCP assigned address and gateway from the internet provider...so why is the rule above blocking a ping attempt to the gateway address assigned by the internet provider? Thanks!
  • 0 Votes
    5 Posts
    166 Views
    thanks thanks thanks
  • Firewall rule to let network access office365 OWA

    0 Votes
    2 Posts
    555 Views
    viktor_g
    use "Office 365 URLs and IP address ranges": https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
  • Block everything except Google drive/sync

    0 Votes
    2 Posts
    235 Views
    Raffi_
    It sounds like you want no connection to anything and you want to only whitelist Google Drive/sync? Perhaps that's a better way to put it than "block everything"? SquidGuard might be able to do that. I am only a little familiar with squid, but have never used SquidGuard. I don't know if it's the right tool for the job, but someone with better knowledge of it might chime in. Edit: actually, after thinking about this a little, you might be able to create an alias with all the Google domains listed here https://support.google.com/a/answer/2589954?hl=en and then create a pass rule for that alias on your LAN. By default, if you have no rules, everything will be blocked anyway. So that one rule might be enough. This assumes your pfSense is not providing any other services to your LAN such as DNS, DHCP or anything else.
  • Blocking a printer from the internet.

    0 Votes
    15 Posts
    3k Views
    stephenw10
    Ha, yup. Just drawing in more spam increasing the spam density.....
  • How to protect webservers / help make the ultimate setup

    1 Vote
    7 Posts
    10k Views
    Gertjan
    @armaclaren said in How to protect webservers / help make the ultimate setup: "and only port 80 and 443 were allowed in." You are aware of the fact that all TCP and UDP requests are blocked right at your doorstep, the WAN IP. TCP traffic using destination 80 and 443 is passed. Attacks, garbage and other noise will come in on 80 and 443. You could parse or inspect '80' traffic on pfSense, but .... who uses 80 (clear http requests) these days? Close to nobody. Traffic on port 443 could be inspected if you go the HAProxy way. Still, a great deal of your security plans have to be realized on the web server itself. The firewall can be at best a filter.

    @armaclaren said in How to protect webservers / help make the ultimate setup: "SSL certificates for HTTPS." With plain http your site will not be indexed by any search engine these days. https is a must. Server port 80 = http has become close to deprecated (but keep it up for now). Free certs from Let's Encrypt or other sources are all the same. You could stand out by using a green one (if that notion still exists today).

    @armaclaren said in How to protect webservers / help make the ultimate setup: "configure that to monitor your network for malware." Your web server should be on a separate LAN segment, using a dedicated NIC on pfSense, that is normally called a DMZ. On that network there isn't even a switch. Just the NIC of pfSense and on the other side your web server. Monitoring malware on an RJ45 cable is ..... useless. If something happens to your web server, your other devices on other LANs won't risk anything. Your web server should react to valid https page requests. That's it. It should not accept files (executables?) and the like. Common web servers like nginx and apache2 are all rock solid these days without the need of any special tools. The default set-up will do. If you accept that visitors upload files, you have to deal with them; pretty old school these days. There are some very good examples available on the net about how to do so, and how not to do so.

    Btw: web servers belong on web server devices like a VPS or even a dedicated server that you rent from companies who do just that. For me, hosting a public server behind an ISP-type IP is not possible. I'm using a couple of them, for 20 years now. On these servers I do not use a firewall. I never found it useful to block ports that aren't opened = used = being served. And if someone comes in as root, the firewall is the first to fall anyway. I do use a tool like fail2ban, that blocks IPs if these are emitting suspected requests or are abusing (so, I do use the firewall after all^^). Mail server: same story.
  • Load Balancing with internal IP'S

    0 Votes
    5 Posts
    2k Views
    Loadbalancer IP 10.100.13.45, server 1 10.100.13.23, server 2 10.100.13.24. Go to outbound NAT: source 10.100.13.0, destination 10.100.13.0, translation address 10.100.13.45. I tested it, it works.
  • TCP:FA & TCP:RA Blocks from VPN Provider address

    0 Votes
    5 Posts
    756 Views
    bingo600
    @kiokoman said in TCP:FA & TCP:RA Blocks from VPN Provider address: "If reply traffic such as TCP:A, TCP:SA, or TCP:RA is shown as blocked in the logs, the problem could be asymmetric routing or they are packets arriving after the firewall has removed the connection state" https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets +1 for "removed connection states". I see lots of, i.e., TCP-443 RA or FA (to misc. web addresses) on my pfSense. They happen when I open the lid on my laptop and wake it up. All the Amazon-AWS & Google sh.. stuff tries to resume, but the states have timed out on the pfSense a loooong time ago. /Bingo
  • Two way traffic between two subnets

    0 Votes
    3 Posts
    315 Views
    @viragomann Thanks that fixed it!! I hadn't checked that for the one device I was using.
  • Cannot override pass out route-to rule

    0 Votes
    4 Posts
    729 Views
    Restarted the router (pfSense) and the rule started working (without other changes). Now have Firewall Rules that do not allow outbound traffic without the VPN running, with the exception of the DNSSEC provider IP addresses (pinholes; port 853 only) and the VPN server URL (pinhole; port 1194 only). Can restart pfSense and the VPN comes up running. Turn off the VPN, no external traffic. Yea! The problem appears to have been a long running pfSense instance. The moral of this story is: When in doubt, reboot! How do I mark this resolved?
  • Are there any caveats for [NAT-less] IPv6 floating rules?

    0 Votes
    1 Post
    79 Views
    No one has replied
  • [solved] Floating Rules behaving unpredictably?

    0 Votes
    3 Posts
    282 Views
    Bob.Dig
    @viragomann Had this in another thread, we didn't find out why. I will talk to my ISP and change their box to router-mode, then I hopefully won't see such traffic anymore.
  • Mysterious block: Can’t connect to LAN ssh host from WAN

    0 Votes
    15 Posts
    1k Views
    johnpoz
    Or just that 100.68 is a Carrier grade nat IP.. 10.64/10 Well how it worked in the first place, is when it was working you were not on a CGNat IP..
  • WAN-side VLAN PPPoE disables interface but works

    0 Votes
    1 Post
    98 Views
    No one has replied
  • PayPal blocked by Alien Vault pfBlockerNG - How to get around

    0 Votes
    2 Posts
    260 Views
    I don't ever remember that particular list blocking anything legit but I suppose it could be possible.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.