• 0 Votes
    15 Posts
    386 Views
    JonathanLeeJ
    @johnpoz This even does this with the newest CE edition inside of UTM virtualized environment outside of the 2100s [image: 1752772658328-screenshot-2025-07-17-at-10.15.51-resized.png] It is not just the 2100s this is set up for standard stuff everything else works with it just the status page
  • 0 Votes
    1 Posts
    394 Views
    No one has replied
  • 0 Votes
    33 Posts
    4k Views
    JonathanLeeJ
    @johnpoz I know KISS, but I think the issue is I have MAC for all source and none for ffffffffffff broadcast set up... maybe it's now blocking that in 23.09. So I should have each interface have an approved ffffffffffff MAC address also
  • Squid and ACLs

    Cache/Proxy squid updates acl ip addresses private address
    19
    0 Votes
    19 Posts
    4k Views
    JonathanLeeJ
    @mcury I also had to disable some ethernet rules that all of a sudden showed a lot of activity [image: 1702745498391-screenshot-2023-12-16-at-8.38.44-am-resized.png]
  • 0 Votes
    27 Posts
    7k Views
    JonathanLeeJ
    Could it be set flags SYN/ACK? And/or state type keep or sloppy?
  • 0 Votes
    55 Posts
    17k Views
    HLPPCH
    @JonathanLee I block DNS over HTTPS to the firewall using unbound because I have unbound running DoT. My solution to the Nintendo griping about DNS was to route it out to 1.0.0.2. I was also having issues with unbound using the ephemeral ports I was using, interrupting my sensitive codel games, so I had to change localhost's NAT outbound.
  • 0 Votes
    5 Posts
    819 Views
    JonathanLeeJ
    [image: 1686865232828-screenshot-2023-06-15-at-2.40.04-pm-resized.png] (Blocked IPv6 as my ISP does not hand out IPv6 addresses, only IPv4.) Per Netgate docs: "Ethernet rules can use Aliases for L3 source/destination matching but there is no support for MAC Address aliases at this time." This works and shows traffic. Each IP has its MAC recorded into the rule. Working config: Squid, SquidGuard, Snort, Lightsquid, Auth-NTP, DNS over port 853, ClamAV, UPnP for Xbox alongside floating queue CODEL. This is functional and other ACLs are still working with this version. I have set the top line to block out all IPv6. Test now running for 24 hours, no issues.
  • Squid ACL regex

    Cache/Proxy squidproxy acl
    2
    0 Votes
    2 Posts
    959 Views
    JonathanLeeJ
    @ciconet Here is how I did this; keep in mind I have approved specific sites to only be spliced and not use MITM mode for those. First: create an advanced config like this. [image: 1684694638657-screenshot-2023-05-21-at-11.42.45-am-resized.png] Second: populate your file with the URLs you want to splice. [image: 1684694712213-screenshot-2023-05-21-at-11.44.42-am-resized.png]
  • HAProxy - route by domain name

    pfSense Packages haproxy acl
    2
    0 Votes
    2 Posts
    1k Views
    N
    @nasheayahu said in HAProxy - route by domain name: wwwkohanyimcom Host matches: no no www.kohanyin.com kohanyimcom Host contains: no no kohanyin.com I found the problem, my domain was spelled incorrectly...
  • HAproxy-Devel config GUI bug

    Cache/Proxy haproxy bug backend acl
    1
    0 Votes
    1 Posts
    614 Views
    No one has replied
  • HAPROXY ACL match host and path

    HA/CARP/VIPs haproxy acl
    5
    0 Votes
    5 Posts
    6k Views
    C
    That looks like a solution. Thank you for the quick response.
  • 0 Votes
    6 Posts
    2k Views
    DaddyGoD
    @dr_tech said in Possible to block certain websites using URL?: Is such a provision available? Yes, I thought pfBlockerNG would be a good solution. See the answer to your question at the attached link: https://forum.netgate.com/topic/138029/acl-s-support In particular, focus on the recommendation of @BBcan177 (maintainer and creator of pfBlockerNG).
  • 0 Votes
    4 Posts
    1k Views
    S
    Meanwhile I tried your 2nd suggested workaround, and after a while I got it to work. What have I done?
      - Turned off redistribution of connected networks (be careful, you might lose access to the device).
      - Under "OSPF Areas", I created Area 1 with the ID of 0.0.0.1 and entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix"; this matches the subnet entered to OpenVPN under "Tunnel Settings" -> IPv4 Tunnel Network.
      - Under "OSPF Interfaces" I set the ovpn interface to be in Area 1, marked it as "Interface is Passive" (because VPN clients do not need to participate in OSPF), and I changed the network type from "Not specified (default)" to "Point - multipoint".
    With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from LAN from the beginning (after auth and a few basic things were set up). If I left the interface type on default or set it to point-to-point, there was nothing advertised from Area 1; other types seemingly did the trick. From the working ones I picked P-MP, which sounds OK for the VPN clients subnet. If I removed the summary from the Area 1 config, and the if type was "p-mp" or any of the working iftypes from above, there was only a /32 host route announced with the ovpn server address, even though a few clients were connected. The iftypes which yielded no redistribution still remained silent regardless of the value of the summary network.