Netgate Discussion Forum: topics tagged "firewall"

      Firewall crash (original Italian title: "Crash del firewall")
      Italiano • tags: crashing gui firewall • by crc_error_79 • 1 post, 131 views
      No one has replied

      Firewall not blocking specific hosts
      Firewalling • tags: firewall host name • by x12eape12x • 9 posts, 271 views
      Latest reply:

      @johnpoz I have it done through the host now. I'll get the OPT port set up later today; I'm just not by the device to do so now.

      Matrix Synapse behind HAProxy on pfSense
      Cache/Proxy • tags: haproxy matrix synapse firewall rules • by frostys • 2 posts, 484 views
      Latest reply:

      Got mine working here with pfSense, HAProxy and the same Ansible script.
      Matrix Federation Tester output:

      {
        "WellKnownResult": {
          "m.server": "",
          "result": "Get \"https://MYDOMAIN/.well-known/matrix/server\": x509: certificate has expired or is not yet valid: current time 2021-12-30T22:11:39Z is after 2019-07-20T00:20:42Z",
          "CacheExpiresAt": 0
        },
        "DNSResult": {
          "SRVSkipped": false,
          "SRVCName": "_matrix._tcp.MYDOMAIN.",
          "SRVRecords": [
            { "Target": "matrix.MYDOMAIN.", "Port": 8448, "Priority": 10, "Weight": 0 }
          ],
          "SRVError": null,
          "Hosts": {
            "matrix.MYDOMAIN.": { "CName": "matrix.MYDOMAIN.", "Addrs": [ "MY.IP.Addr.Rss" ], "Error": null }
          },
          "Addrs": [ "MY.IP.Addr.Rss:8448" ]
        },
        "ConnectionReports": {
          "MY.IP.Addr.Rss:8448": {
            "Certificates": [
              { "SubjectCommonName": "MYDOMAIN", "IssuerCommonName": "R3", "SHA256Fingerprint": "mNxQhNc5kh0y/m0M/lNmUT6tH/ZagjQ+yd/fHuKqwRA", "DNSNames": [ "MYDOMAIN" ] },
              { "SubjectCommonName": "R3", "IssuerCommonName": "ISRG Root X1", "SHA256Fingerprint": "Z63RFmsCCuYbj1/JaBPATCqliZYHloZVcqPH5zdhPf0", "DNSNames": null },
              { "SubjectCommonName": "ISRG Root X1", "IssuerCommonName": "DST Root CA X3", "SHA256Fingerprint": "bZn7Jl6xxbN0R2X8vGSPPNjhv/r9xML5m51Hz3/xwk8", "DNSNames": null }
            ],
            "Cipher": { "Version": "TLS 1.3", "CipherSuite": "TLS_AES_256_GCM_SHA384" },
            "Checks": {
              "AllChecksOK": true,
              "MatchingServerName": true,
              "FutureValidUntilTS": true,
              "HasEd25519Key": true,
              "AllEd25519ChecksOK": true,
              "Ed25519Checks": { "ed25519:a_uphM": { "ValidEd25519": true, "MatchingSignature": true } },
              "ValidCertificates": true
            },
            "Errors": [],
            "Ed25519VerifyKeys": { "ed25519:a_uphM": "X9d+yyyMpzQ/KmWXvTScn13Iiki/k8H5tyxii9y64rw" },
            "Info": {},
            "Keys": {
              "old_verify_keys": {},
              "server_name": "MYDOMAIN",
              "signatures": { "MYDOMAIN": { "ed25519:a_uphM": "huZnEh+oLK2aKPspuQx5iq12e0QO3I1igbx2vZ513awgDHPieRuw1JUitm1z+kvWWFu6ZCT7W1dBFHyIann3Cg" } },
              "valid_until_ts": 1640988673800,
              "verify_keys": { "ed25519:a_uphM": { "key": "X9d+yyyMpzQ/KmWXvTScn13Iiki/k8H5tyxii9y64rw" } }
            }
          }
        },
        "ConnectionErrors": {},
        "Version": { "name": "Synapse", "version": "1.49.2" },
        "FederationOK": true
      }

      Your HAProxy config would be helpful.
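The tester output above has one detail worth pulling out: the federation check passed through the SRV record on port 8448, while the fetch of https://MYDOMAIN/.well-known/matrix/server on port 443 failed because that frontend served an expired certificate. The following script is an added example, not code from the poster or from the Matrix project; it reads a reduced, constructed copy of that JSON (the placeholders MYDOMAIN and MY.IP.Addr.Rss are kept as in the post) and turns it into a flat verdict that separates the well-known path from the SRV path.

```python
import json
import re
from datetime import datetime, timezone

# Reduced, constructed copy of the Matrix Federation Tester output quoted above.
SAMPLE_REPORT = json.loads(r'''
{
  "WellKnownResult": {
    "m.server": "",
    "result": "Get \"https://MYDOMAIN/.well-known/matrix/server\": x509: certificate has expired or is not yet valid: current time 2021-12-30T22:11:39Z is after 2019-07-20T00:20:42Z",
    "CacheExpiresAt": 0
  },
  "DNSResult": {
    "SRVRecords": [ { "Target": "matrix.MYDOMAIN.", "Port": 8448, "Priority": 10, "Weight": 0 } ],
    "SRVError": null,
    "Addrs": [ "MY.IP.Addr.Rss:8448" ]
  },
  "ConnectionReports": {
    "MY.IP.Addr.Rss:8448": {
      "Certificates": [
        { "SubjectCommonName": "MYDOMAIN", "IssuerCommonName": "R3", "DNSNames": [ "MYDOMAIN" ] },
        { "SubjectCommonName": "R3", "IssuerCommonName": "ISRG Root X1", "DNSNames": null },
        { "SubjectCommonName": "ISRG Root X1", "IssuerCommonName": "DST Root CA X3", "DNSNames": null }
      ],
      "Cipher": { "Version": "TLS 1.3", "CipherSuite": "TLS_AES_256_GCM_SHA384" },
      "Checks": {
        "AllChecksOK": true, "MatchingServerName": true, "FutureValidUntilTS": true,
        "HasEd25519Key": true, "AllEd25519ChecksOK": true, "ValidCertificates": true,
        "Ed25519Checks": { "ed25519:a_uphM": { "ValidEd25519": true, "MatchingSignature": true } }
      },
      "Errors": [],
      "Keys": { "server_name": "MYDOMAIN", "valid_until_ts": 1640988673800 }
    }
  },
  "ConnectionErrors": {},
  "Version": { "name": "Synapse", "version": "1.49.2" },
  "FederationOK": true
}
''')

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Go's x509 error text, as the tester reports it: "current time X is after Y"
X509_TIME_RE = re.compile(r"current time (\S+) is after (\S+)")


def parse_utc(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def summarize(report: dict) -> dict:
    """Flatten the tester JSON: which discovery path worked, which failed, and why."""
    issues = []
    wk = report.get("WellKnownResult", {})
    wk_error = wk.get("result") or None      # a non-empty 'result' carries the fetch error
    expired_days = None
    if wk_error:
        m = X509_TIME_RE.search(wk_error)
        if m:
            tester_now, not_after = parse_utc(m.group(1)), parse_utc(m.group(2))
            expired_days = (tester_now - not_after).days
            issues.append(f".well-known fetch failed: certificate expired {expired_days} days before the test")
        else:
            issues.append(f".well-known fetch failed: {wk_error}")

    srv_targets = [f"{r['Target']}:{r['Port']}" for r in report.get("DNSResult", {}).get("SRVRecords", [])]

    endpoints = {}
    for addr, rep in report.get("ConnectionReports", {}).items():
        failed = [name for name, ok in rep.get("Checks", {}).items() if ok is False]
        key_valid_until = datetime.fromtimestamp(rep["Keys"]["valid_until_ts"] / 1000, tz=timezone.utc)
        endpoints[addr] = {
            "chain": [c["SubjectCommonName"] for c in rep.get("Certificates", [])],
            "tls": f"{rep['Cipher']['Version']} {rep['Cipher']['CipherSuite']}",
            "failed_checks": failed,
            "key_valid_until": key_valid_until.strftime(TIME_FMT),
        }
        issues.extend(f"{addr}: check {name} failed" for name in failed)
    for addr, err in report.get("ConnectionErrors", {}).items():
        issues.append(f"{addr}: connection error {err}")

    return {
        "federation_ok": bool(report.get("FederationOK")),
        "well_known_error": wk_error,
        "well_known_expired_days": expired_days,
        "srv_targets": srv_targets,
        "endpoints": endpoints,
        "issues": issues,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

On this input the verdict is "federation OK via SRV, well-known broken": the 8448 endpoint presents a current Let's Encrypt chain and all key checks pass, but the 443 frontend that answers /.well-known/matrix/server is still serving a certificate that expired well over two years earlier. Both listeners need a current certificate; a server that tries the well-known path first and stops at the TLS error will not fall back to the same result the tester produced.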

      IPsec established but no data passing
      IPsec • tags: ipsec firewall rules firewall ipv4 vpn tunnel • by craigerr1 • 2 posts, 426 views
      Latest reply from periko:

      @craigerr1 Is it P2P? Mobile?
      Have you opened the rules on both sides to allow traffic under Firewall > Rules > IPsec?
      Regards!!!

      DMZ connections throttled
      Firewalling • tags: routing dmz firewall • by uruloki • 4 posts, 317 views
      Latest reply:

      @SteveITS From what I can tell, drivers are up to date.

      Reboot of pfSense: reboot required to apply some changes
      General pfSense Questions • tags: firewall config general discuss • by tompark • 2 posts, 126 views
      Latest reply from johnpoz:

      Other than an update of the actual pfSense version, there should never be a reason to have to reboot pfSense.

      A common issue where people believe this is the case is a change in firewall rules not working as they think... This is most likely related to existing "state" for whatever traffic you are trying to change the handling of. And the reboot clears all this. But if you do have an existing state causing a rule not to function as you believe, you can either kill that specific state, kill all the states, or just wait for them to time out on their own, etc.
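The point above is that pf evaluates rules only when a state is created, so a new block rule leaves already-established connections untouched until their states are gone. As an added example (not part of johnpoz's post or of pfSense), the script below parses state-table lines in the layout `pfctl -ss` prints on pfSense/FreeBSD, finds the states a new block rule would have stopped, and emits the `pfctl -k` commands that remove exactly those. The sample lines are constructed, with made-up RFC 1918 and RFC 5737 addresses; the interface names and the block rule are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in the layout `pfctl -ss` prints on pfSense/FreeBSD:
#   <iface> <proto> <addr>[ (<pre-NAT addr>)] -> or <- <addr>[ (<pre-NAT addr>)]   <state>
# Line 2 is the WAN-side NAT state that belongs to the LAN state on line 1;
# line 5 is an inbound port forward to 192.168.1.80.
SAMPLE_STATES = """\
em1 tcp 203.0.113.10:443 <- 192.168.1.50:51234       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.2:51234 (192.168.1.50:51234) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
em1 udp 192.0.2.53:53 <- 192.168.1.50:53412       MULTIPLE:SINGLE
em1 tcp 203.0.113.10:443 <- 192.168.1.51:40000       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.80:80 (198.51.100.2:80) <- 203.0.113.77:34567       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+"
    r"(?P<status>\S+)\s*$"
)


@dataclass
class State:
    iface: str
    proto: str
    src: str        # source host as pf sees it on this interface (translated on WAN)
    src_orig: str   # pre-NAT source host (equal to src when nothing is translated)
    dst: str
    dst_orig: str
    dst_port: Optional[int]
    status: str


def split_endpoint(ep: str):
    """'10.0.0.1:443' -> ('10.0.0.1', 443); '[2001:db8::1]:443' -> ('2001:db8::1', 443)."""
    if ep.startswith("["):
        host, _, port = ep[1:].partition("]:")
        return host, int(port)
    if ":" not in ep:            # protocols that print no port
        return ep, None
    host, _, port = ep.rpartition(":")
    return host, int(port)


def parse_state(line: str) -> Optional[State]:
    m = STATE_RE.match(line)
    if not m:
        return None
    left, right = m["left"], m["right"]
    left_orig, right_orig = m["left_orig"] or left, m["right_orig"] or right
    # "->": the left endpoint is the source; "<-": the right endpoint is the source
    if m["dir"] == "->":
        src, src_orig, dst, dst_orig = left, left_orig, right, right_orig
    else:
        src, src_orig, dst, dst_orig = right, right_orig, left, left_orig
    d_host, d_port = split_endpoint(dst)
    return State(m["iface"], m["proto"], split_endpoint(src)[0], split_endpoint(src_orig)[0],
                 d_host, split_endpoint(dst_orig)[0], d_port, m["status"])


def states_hit_by_block(states: Iterable[State], src_host: Optional[str] = None,
                        dst_host: Optional[str] = None, dst_port: Optional[int] = None,
                        proto: Optional[str] = None) -> List[State]:
    """States a new 'block' rule (src -> dst:port) would have stopped. They keep passing
    traffic after the rule is saved, because pf only consults rules for new connections."""
    hits = []
    for st in states:
        if proto and st.proto != proto:
            continue
        if src_host and src_host not in (st.src, st.src_orig):
            continue
        if dst_host and dst_host not in (st.dst, st.dst_orig):
            continue
        if dst_port is not None and st.dst_port != dst_port:
            continue
        hits.append(st)
    return hits


def kill_commands(states: Iterable[State]) -> List[str]:
    """`pfctl -k A -k B` kills states from host A to host B. For NAT states both the
    pre-NAT and the translated pair are emitted so the state is caught whichever side of
    the translation pf compares against. `pfctl -F states` is the blunt alternative."""
    cmds = set()
    for st in states:
        for src in {st.src, st.src_orig}:
            for dst in {st.dst, st.dst_orig}:
                cmds.add(f"pfctl -k {src} -k {dst}")
    return sorted(cmds)


if __name__ == "__main__":
    table = [s for s in map(parse_state, SAMPLE_STATES.splitlines()) if s]
    # Newly added LAN rule: block tcp from 192.168.1.50 to any port 443
    for cmd in kill_commands(states_hit_by_block(table, src_host="192.168.1.50",
                                                 dst_port=443, proto="tcp")):
        print(cmd)
```

Run against real output, feed it `pfctl -ss` on the box (or the Diagnostics > States page) and pass the fields of the rule you just added; the state on the unrelated host 192.168.1.51 is left alone, which is the difference between this and a reboot or `pfctl -F states`.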

      Issue: I can't access anything on the LAN after initial setup
      Firewalling • tags: setup nat firewall • by shaungehring • 12 posts, 280 views
      Latest reply from AndyRH:

      @shaungehring This sounds similar to an arp cache issue we had. We could not connect, ping it, then all was good. The network team did something to the arp cache on a switch to resolve it. I do not have details as it was many years ago.
      Maybe that will get you in the right direction.

      pfSense in shared WiFi rooming house security question
      General pfSense Questions • tags: wifi firewall public ip public ips port • by helionexusbiz • 3 posts, 96 views
      Latest reply from stephenw10:

      Technically you could do it by running pfSense as a virtual machine in Windows using Hyper-V or VBox etc. But pfSense is a complete operating system; it cannot run as an application on your desktop. It expects to be running on its own dedicated hardware, but running virtualised can also work.

      Steve

      WebDAV from router through firewall
      NAT • tags: nat firewall pfsense 2.5 • by Nasten • 12 posts, 608 views
      Latest reply from johnpoz:

      A VPN is a much better way to access your resources remotely, for sure ;)

      pfSense on an MPLS network
      Routing and Multi WAN • tags: pfsense firewall routing • by Norcarde • 1 post, 137 views
      No one has replied

      Can't create IPv4+IPv6 Firewall rule with an alias
      Firewalling • tags: firewall rules ipv4+ipv6 alias • by leonroy • 4 posts, 286 views
      Latest reply from JeGr:

      @leonroy said in Can't create IPv4+IPv6 Firewall rule with an alias:

      What I ended up doing was sticking my PiHole IP address in an Alias as well and setting that as the Source alias. Not sure if that's the best way of doing it but it worked...

      If your PiHole should answer IPv6 and work with IPv6, it needs an IPv6 address. Without that it makes no sense; then you can simply block all IPv6 altogether. If your Pi has IPv4 and IPv6, then that's the right way: put both into the alias and use it in rules.

      That said, I wouldn't work with inverted rules, but that's my approach.

      Virtual IP frequently loses Connection
      Firewalling • tags: firewall routing virtual ip • by Lamia • 1 post, 115 views
      No one has replied

      Block set of domains for a set of LAN devices
      pfBlockerNG • tags: firewall • by curtisj • 3 posts, 217 views
      Latest reply:

      @bbcan177 Thanks. I was hoping for a less involved solution. Though, I'll take what I can get.

      Bridging physical interfaces and VLANs, getting DHCP with no routing? Or is it
      L2/Switching/VLANs • tags: vlans bridging rules firewall firewall rules • by imark77 • 3 posts, 215 views
      Latest reply from imark77:

      edit:
      On the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any VLANs, and after that it gave me DHCP on the LAN ports and VLANs. However I am still with the issue of some devices getting IPs and some not; on the same laptop, over Wi-Fi nothing, wired something. My travel AP does not support VLANs so it has to be on the base level, and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it, but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 managed switches so I could break out all of my VLANs to test, and it was the only easy way to solve ingesting my multiple travel WAN VLANs (local LAN, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

      Old Dell PowerEdge 860 as a router/firewall
      Hardware • tags: dell poweredge router firewall vpn • by AidenTheBot • 2 posts, 179 views
      Latest reply from stephenw10:

      That's using a NetBurst Xeon, right? It's not going to be fast. I don't have much to compare it with, but waaay back when I was running a P4 2.8 it was good for ~300Mbps.
      I would expect that to pass 400Mbps using firewall and NAT only, but maybe not much more.

      Try it and see.

      Steve

      IPsec losing connection (original Portuguese title: "IPSEC perdendo conexão")
      Portuguese • tags: pfsense ipsec firewall • by alexandre.angeli • 16 posts, 213 views
      Latest reply from DaddyGo:

      @alexandre-angeli said in "IPSEC perdendo conexão" (IPsec losing connection):

      The IPsec goes offline while it is not in use, and I have confirmed that it works correctly: when I ping it, it "comes up" again.

      Hmmmm, but:
      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html

      Error when adding network range to Firewall Alias
      Firewalling • tags: firewall alias network range • by MartynK • 4 posts, 89 views
      Latest reply from bingo600:

      I just saw this
      https://forum.netgate.com/post/939135

      Seems like you can enter a range

      /Bingo

      Multiple Gateways on same subnet
      Routing and Multi WAN • tags: multi-wan subnet gateway routing firewall • by dr_tech • 26 posts, 1077 views
      Latest reply:

      @JeGr said in Multiple Gateways on same subnet:

      Why not simply reconfigure those routers

      Because some devices (not mine) directly connected to router 1 have in their routing table certain rules to redirect traffic through 10.1.0.4. Hence those routers need to be on the same subnet.

      These routers are shared by around 20 people, in 4 rooms on single floor. Hence I cannot change settings on those routers.

      Possible to block certain websites using URL?
      Firewalling • tags: firewall block website acl access control • by dr_tech • 6 posts, 202 views
      Latest reply from DaddyGo:

      @dr_tech said in Possible to block certain websites using URL?:

      Is such a provision available?

      Yes, I thought pfBlockerNG would be a good solution. 😉
      See the answer to your question at the attached link:
      https://forum.netgate.com/topic/138029/acl-s-support

      In particular, focus on the recommendation of @BBcan177 (maintainer and creator of pfBlockerNG).

      pfSense throws looped back NS error
      Firewalling • tags: firewall network problem error networking • by papanick • 1 post, 243 views
      No one has replied

      Access restriction through the IPsec tunnel (original Portuguese title: "Restrição de acesso pelo túnel IPsec")
      Portuguese • tags: firewall firewall rules ipsec ipsec rules • by willaim • 1 post, 61 views
      No one has replied

      Solved: Cannot access beyond router via OpenVPN
      OpenVPN • tags: routing firewall openvpn openvpn routing log • by ddbnj • 9 posts, 273 views
      Latest reply from johnpoz:

      @ddbnj said in Cannot access beyond router via OpenVPN:

      10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

      Yeah, that would dick it up ;)

      Glad you got it sorted! Told you it wasn't pfSense ;) hehehehe

      The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user: hey, pfSense is doing what it's supposed to be doing... Have to look elsewhere..

      Packages of Aliases (Port + IP's + company AC) for easy administrating
      General pfSense Questions • tags: packages admin gui firewall alias • by Sergei_Shablovsky • 13 posts, 699 views
      Latest reply from Sergei_Shablovsky:

      @viktor_g said in Packages of Aliases (Port + IP's + company AC) for easy administrating:

      @Sergei_Shablovsky said in Packages of Aliases (Port + IP's + company AC) for easy administrating:

      have a lot of Apple iOS devices in company/home and need to quickly add rules to pfSense after you buy a new appliance from Netgate;
      the company buys a software product that needs to communicate with outside servers on the developer's side;
      the company buys new hardware (servers (like IBM IMM service; Dell/HP have similar), email antivirus DPI inspector, etc...) that needs to communicate with outside servers on the developer's side;

      Every appliance uses its own list of ports, which can be changed.
      It is better to check this information with the vendor.

      Maybe 5 or 7 years ago I would have agreed with you, because there is a huge bunch of SaaS services and the pool of IPs could not be collected in a reasonable timeslot.
      BUT now in 2020 there exist only 30-100 SaaS services that are used by MOST USERS: Amazon AWS, Google ~Services, Apple, 5 email services (Google, Yahoo, ...), and around 10 of the most-used hardware vendors (Dlink, TPlink, Amazon devices, Google devices, ...)

      Sorry, I need to repeat again:

      The main point is that most users just need a "push button and all working well" solution. Just look at this Netgate forum: more than 80% are about something described in the official docs, or that has appeared on the forum more than once. But the same questions pop up again and again, again and again, countless times.
      Even the post pinned at the top of the official pfBlockerNG part of this forum, Bypassing DNSBL for specific IPs, has words like CloudFlare. Rock... :)

      And from the point of view of ordinary users, if something goes wrong, each user blames the "Netgate pfSense router" rather than himself for not setting up pfSense correctly. You may see on this forum that even sysadmins of small organizations are too lazy to correctly set up pfBlockerNG-devel. This is the reality of our life.

      So the bottom line is: if some solution exists at the level of "push button - and we do the rest", more than 80% of users are happy with it. And buy more and more pfSense devices, and recommend them to others. Netgate is open source but not a source of donations; this is the "open source / business" balance.

      And my proposition is also about increasing the power of this "open source / business" balance.

      blocking of social networks (we all need our staff to pay attention to work rather than spend working hours on Instagram, Tinder, Facebook, Twitter...)

      You can block it with the pfBlockerNG-devel / DNSBL Category.

      You can also find/add some specific DNSBL/IP lists there.
      Most cloud providers have these lists;
      check https://github.com/joetek/aws-ip-ranges-json
      https://forum.netgate.com/topic/147716/stun-public-email-providers-and-some-feeds-from-secops
      etc..

      Thank you for the source! I appreciate your attention and time!

      [Solved] Disable IP source routing
      Firewalling • tags: firewall routing firewall rules • by h_b • 4 posts, 327 views
      Latest reply from Gertjan:

      No need to turn it off, because:

      The style of routing described on that link won't work since pfSense doesn't enable the options for multiple routing tables

      So, what isn't implemented can't be switched off, nor on.

      FW Widgets on different IFs show the same entries
      Firewalling • tags: firewall widget dashboard log • by demux • 1 post, 86 views
      No one has replied

      Multiple gateways and what seems to be Asymmetric Traffic
      Routing and Multi WAN • tags: routing routing opt1 firewall aysmmetric multi wan • by Nicholas Elphick • 1 post, 1 vote, 115 views
      No one has replied

      Port Forward in Active CP
      Captive Portal • tags: captive portal firewall firewall rules port forward port forwarding • by mohkhalifa • 6 posts, 240 views
      Latest reply:

      @Gertjan shodan.io is a service that scans the internet for known exposures and for vulnerabilities.

      I remember you are French, so I'll link you a video in French on the subject: https://youtu.be/SxjmOFBtsvk

      I need to create routes for my VLAN interface.
      Firewalling • tags: firewall • by Ashwani27 • 7 posts, 228 views
      Latest reply:

      I am also wondering about the same thing. If you found a fix then please do let me know. thanks in advance :)

      Does pfSense behind a router make sense?
      General pfSense Questions • tags: pfsense firewall nas forwarding home • by Ced • 8 posts, 336 views
      Latest reply from Derelict:

      Well it is up to the ISP device to provide reasonable support for a customer-owned firewall device while still providing the necessary IPTV, etc functionality.

      pfctl Anchor based approach possible?
      Development • tags: firewall • by Flole • 3 posts, 134 views
      Latest reply:

      When I run an iperf UDP test that involves pfSense as router and a filter reload is done, there is packet loss while the filter is reloading. This is especially annoying if an IPv6 gateway goes down: the filter is reloaded and this affects the IPv4 link as well. If pfSense could selectively reload IPv6 only if an IPv6 gateway goes down, that would make things a lot easier.

      This was not meant to be a "problem post" but rather a "couldn't we improve by splitting IPv4 and IPv6 rules into 2 anchors" thought. My first idea was something that could be done in iptables but not pf: have a list of rules we want and one with rules we have, and issue the commands to make them match. The closest we could get to that is probably splitting up, comparing when we want to reload, and only reloading if last != current.
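As an added sketch of the idea in the post, the script below buckets generated pf rules into per-address-family anchors, fingerprints each bucket, and emits a `pfctl -a NAME -f FILE` reload only for the anchors whose text changed since the last load. It is example code, not anything pfSense implements; the anchor names, the rules directory, the constructed rules and the "IPv6 gateway went down" scenario are all assumptions. In pf, `anchor "ipv6" inet6` in the main ruleset delegates IPv6 packets into that anchor, and `pfctl -a ipv6 -f ipv6.rules` replaces only that anchor's rules.

```python
import hashlib
from typing import Dict, List

# Constructed sample of generated pf rules; addresses are private / documentation ranges.
SAMPLE_RULES = [
    "pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port 443 keep state",
    "pass in quick on em1 inet6 proto tcp from fd00:1::/64 to any port 443 keep state",
    "block in log quick on em0 inet from 10.0.0.0/8 to any",
    "block in log quick on em0 inet6 from fc00::/7 to any",
    "pass out quick on em0 all keep state",   # no address family keyword: applies to both
]

# Assumed anchor names and the pf address-family keyword each one is entered with.
ANCHOR_AF = {"ipv4": "inet", "ipv6": "inet6", "common": ""}


def split_by_family(rules: List[str]) -> Dict[str, List[str]]:
    """Bucket rules by the address-family keyword they carry (inet / inet6 / none)."""
    buckets: Dict[str, List[str]] = {name: [] for name in ANCHOR_AF}
    for rule in rules:
        tokens = rule.split()
        if "inet6" in tokens:
            buckets["ipv6"].append(rule)
        elif "inet" in tokens:
            buckets["ipv4"].append(rule)
        else:
            buckets["common"].append(rule)
    return buckets


def fingerprint(rules: List[str]) -> str:
    """Stable digest of one anchor's rule text; store it to compare 'last' with 'current'."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


def anchors_to_reload(previous: Dict[str, List[str]], current: Dict[str, List[str]]) -> List[str]:
    """Only the anchors whose rules differ from the previously loaded set."""
    return [name for name in ANCHOR_AF
            if fingerprint(previous.get(name, [])) != fingerprint(current.get(name, []))]


def main_ruleset() -> str:
    """Top-level ruleset, loaded once: it only delegates into the per-family anchors."""
    lines = []
    for name, af in ANCHOR_AF.items():
        lines.append(f'anchor "{name}"' + (f" {af}" if af else ""))
    return "\n".join(lines) + "\n"


def reload_commands(names: List[str], rules_dir: str = "/var/run/pf-anchors") -> List[str]:
    """`pfctl -a NAME -f FILE` replaces that anchor's rules and leaves the rest alone."""
    return [f"pfctl -a {name} -f {rules_dir}/{name}.rules" for name in names]


def plan_reload(previous_rules: List[str], current_rules: List[str]) -> List[str]:
    return reload_commands(anchors_to_reload(split_by_family(previous_rules),
                                             split_by_family(current_rules)))


if __name__ == "__main__":
    # Scenario: an IPv6 gateway goes down and only the IPv6 rules are regenerated.
    regenerated = [r.replace("fd00:1::/64", "fd00:2::/64") for r in SAMPLE_RULES]
    print(main_ruleset())
    print("\n".join(plan_reload(SAMPLE_RULES, regenerated)) or "nothing to reload")
```

With the sample, a change confined to the IPv6 rules yields a single `pfctl -a ipv6 -f .../ipv6.rules`, and an unchanged ruleset yields no reload at all; whether that removes the loss measured in the iperf run is something to test with the same setup.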

      pfSense can't establish more than one VPN tunnel (original Portuguese title: "Pfsense não consegue fechar mais de um túnel vpn")
      Portuguese • tags: vpn windows server rdp firewall • by junior-soares • 1 post, 145 views
      No one has replied

      Configuration of a Dedicated Management Interface on a SG-3100
      Firewalling • tags: firewall sg-3100 mgmtaccess • by olgam1rth • 2 posts, 192 views
      Latest reply from Rico:

      Post your Rules (Screenshots).

      -Rico

      Restricting access to GUI from LAN - Still have access?
      Firewalling • tags: firewall gui access alias • by gethersJ • 8 posts, 243 views
      Latest reply:

      @NogBadTheBad

      Hi,

      Sorry, I should have mentioned: yeah, my PC is on the 10.0.4.X network (just as a test PC). The aim here was to lose connectivity to the GUI from my PC; then I have another one on the 10.0.7.X range that "should" get access to the GUI.

      After thinking about this last night I think I have sussed it out: we are going through a proxy, and this is the IP address that accesses the management GUI. Hopefully I should be able to add some rules in our other proxy to avoid this firewall bypassing it.

      I'll let you know if I have any more issues or if I need more help with this.

      Thanks for your help!

      Understanding Firewall Configuration
      Firewalling • tags: rules firewall interfaces • by derian00 • 1 post, 154 views
      No one has replied

      How can I find out why pfSense is blocking an internal IP?
      Firewalling • tags: firewall • by highc • 9 posts, 1166 views
      Latest reply from johnpoz:

      NP - glad you got it sorted..

      Feature Request: Have IPsec listen on all members of a Gateway Group
      Routing and Multi WAN • tags: multi wan ipsec firewall routing • by SergeCaron • 1 post, 119 views
      No one has replied

      Disable logging for "Default deny rule IPv4"
      Firewalling • tags: firewall • by ibbetsion • 3 posts, 862 views
      Latest reply:

      Thanks for the pointer to the settings tab. Dunno how I missed something so obvious!

      Should "Reserved Networks" be blocked when pfSense is behind an ISP router?
      Firewalling • tags: firewall bogon • by ibbetsion • 3 posts, 580 views
      Latest reply from johnpoz:

      That is multicast noise, most likely from your router itself, i.e. that 192.168.1.1, which seems odd that it is being blocked by the ULA rule fc00::/7?

      If you do not want the noise, and you're behind a NAT, then either turn off logging of those rules, or create rules that specifically block the noise but don't log it.

      Finding devices with hardcoded DNS
      Firewalling • tags: nat firewall dns • by ibbetsion • 3 posts, 397 views
      Latest reply:

      @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!