@ddbnj said in Cannot access beyond router via OpenVPN: 10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 Yeah that would dick it up ;) Glad you got it sorted! Told you it wasn't pfsense ;) hehehehe The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user, hey pfsense is doing what its suppose to be doing... Have to look elsewhere..

@viktor_g said in Packages of Aliases (Port + IP's + company AC) for easy administrating: @Sergei_Shablovsky said in Packages of Aliases (Port + IP's + company AC) for easy administrating: have a lot of Apple iOS devices in company/home and need to quickly add rules to pfSence after You buy new appliance from Netgate; company buy a software product that need to communicate with outside servers on a developer side; company buy a new hardware (servers (like IBM IMM service, Dell/HP have similar) , email antivirus DPI inspector, etc...), that need to communicate with outside servers on a developer side; Every appliance uses it own list of ports, that can be changed It is better to check this information with the vendor May be 5 or 7 years ago I was agree with You, because there are a huge bunch of SaaS services and the pool of IPs cannot able to be collected in reasonable timeslot. BUT now in 2020 exist only 30-100 SaaS services that used by MOST OF USERS: Amazon AWS, Google ~Servises, Apple, 5 email services (Google, Yahoo, ...), and around 10 most-usable hardware vendors (Dlink, TPlink, Amazon devices, Google devices, ...) Sorry, I need to repeat again: The main question are the most users just need "push button and all working well" solution. Just look at this NetGate forum - more than 80% are about something described in official doc, or more than one time appear on forum. But same questions popup again and again, again and again, countless. Even pinned on top of official pfBlockerNG part of this forum Bypassing DNSBL for specific IPs have words like CloudFlare. Rock... :) And from point of view of ordinary users if something goes wrong, each user clime the "NetGate pfSense router" rather himself for not setup pfSense correctly. You may see on this forum even sysadmins of small organization are to lazy to correctly setup the pfBlockerNG-devel. This is reality of our life. So at the bottom line are: if some solution exist on level "push button - and we do the rest" - more than 80% of users are happy with this. And buy more and more of pfSense devices, and recommend to others. NetGate are open source but not source of donation, this is "open source / business" balance. And my proposition also about increase the power of this "open source / business" balance. blocking using social networks (we all need that our stuff pay attention on work neither spent working hours on instagram, tinder, facebook, twitter...) You can block it with the pfBlockerNG-devel / DNSBL Category You can also find/add some specific DNSBL/IP lists there, Most cloud providers have these lists, check https://github.com/joetek/aws-ip-ranges-json https://forum.netgate.com/topic/147716/stun-public-email-providers-and-some-feeds-from-secops etc.. Thank You for source! Appreciate Your attention and time!

No need tu put it off, because The style of routing described on that link won't work since pfSense doesn't enable the options for multiple routing tables So, what isn't implemented can't be switched off - neither on.

@Gertjan shodan.io is a service that scans the internet for known exposure and for vulnerabilities i remember you are french, so I link you here a video in French on the subject https://youtu.be/SxjmOFBtsvk

I am also wondering about the same thing. If you found a fix then please do let me know. thanks in advance :)

Well it is up to the ISP device to provide reasonable support for a customer-owned firewall device while still providing the necessary IPTV, etc functionality.

When I run an iperf UDP Test that involves pfsense as router and a filter reload is done there is packet loss while the filter is reloading. This is especially annoying if an IPv6 Gateway goes down, the filter is reloaded and this affects the IPv4 Link aswell. If pfsense could selectively reload ipv6 only if an IPv6 Gateway goes down that would make things a lot easier. This was not meant to be a "problem post" but rather a "couldn't we improve by splitting ipv4 and ipv6 rules in 2 anchors" though. My first idea was something that could be done in iptables but not pf: Have a list of rules we want and one with rules we have and issue the commands to make them match. The closest we could get to that is probably splitting up, comparing when we want to reload and only reload if last != current.

Post your Rules (Screenshots). -Rico

@NogBadTheBad Hi, Sorry i should have mentioned, yeah my PC is on the 10.0.4.X network (just as a test PC) , the aim here was to loose connectivity to the GUI from my PC, then i have another one on the 10.0.7.X range that "should" get access to the GUI. After thinking about this last night I think I have sussed it out, we are going through a Proxy and this is the IP Address that accesses the Management GUI, hopefully I should be able to add some rules in our other proxy to avoid this Firewall bypassing it. Ill let you know if i have any more issues or if i need more help with this. Thanks for your help!

NP - glad you got it sorted..

Thanks for the pointer to the settings tab. Dunno how I missed something so obvious!

That is multicast noise most likely from your router it self, ie that 192.168.1.1, which seems odd that is being block by the ULA rule fc00::/7 ? If you do not want the noise, and your behind a nat.. Then either turn off logging of those rules.. Or create rules that specifically block the noise but don't log it.

@elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!

I agree it seems like odd behaviour. It would be interesting to test with the bridge unassigned if you're able. That could be inconvenient to setup though. Steve

@Konstanti I attach a network diagram of my setup to make it clearer. This is what is weird, when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get errors any errors just timeouts. I can access everything on the internal LAN and internet, except, I cannot login into certain webservices. When I enter my password and press login, it just stalls - the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser. However, when I am on my phone on the internal wifi over the VPN (option 2), then I click login and get redirected instantly to the dashboard of the webapp. I can also reach the webapp from outside my network as I have a reverse proxy (option 3), and this works fine. The reason I want to set up the Mobile IPSec VPN is that I want to close down the reverse proxy I have set up so that I can only access my webservices over the VPN and not anymore expose them directly to the internet.

Tried killing the firewall states ?

@eddiemcdiarmid said in Firewall Advice: Hmm interesting. I don’t have any rules but the managed of the network I’ve named ‘external network’ can see my router. Is there a rule I can add to block them being able to access my network? Seeing your network and accessing your network are two very different things. You say both in your reply post above. The default block/deny rules on every pfsense install for the WAN interface, like @johnpoz talks about above, keeps people/hosts from accessing your network. You don't need to do it, but if you're really paranoid about that external network, you could set a specific block rule in your WAN interface to block/deny it's IP addresses. Again, you really don't need to do it, however. This is an example of the default settings and wording from an old version of pfsense, but I think the current versions still look like this on the WAN interface: Jeff

@juelmk said in No inbound traffic coming into my WAN: When I set my WAN interface to get dhcp address from the modem it get 0.0.0.0 Well then how would it work? You sure your own the pfsense wan interface plugged into your router? You sure the cable is good? When pfsense does get an IP you need to make sure that your wan and lan of pfsense do not overlap - ie they can not be the same network 192.168.0/24 for example

That'll do it!

@m0nji said in Whitelist-Ansatz für Windows- und Programmebene: Allen nicht explizit legitimierten (ausgehenden) Datenverkehr unterbinden: @jegr said in Whitelist-Ansatz für Windows- und Programmebene: Allen nicht explizit legitimierten (ausgehenden) Datenverkehr unterbinden: Snort+OpenAppID Application Filtering on pfSense ist vollkommen an mir vorbei gegangen. Danke für die Richtigstellung. Kein Problem, gerne. Steht leider noch auf meinem ToDo Zettel zum Testen aber leider dank Krankheit und Arbeit noch nicht dazu gekommen ;)

Fiz um novo teste com outro cabo e funcionou, problema resolvido.

poderia relacionar quais foram os hosts que colocou:?

@EdIlS0N-LiMa Poblema resolvido,, não era regra de firewall, e sim configuração no servidor samba. adicionei a rede 192.168.10.1/24 no meu smb.conf e resolveu.

That's great to hear! As far as the YouTube content... Hmmm that's a tricky one! Might be a little bit beyond my pay grade! Ruling out a coincidence, I'd be thinking it's something to do with the port that they use or a connection (firewall state) being kept open, but I'd only be guessing.

There are many how to's on the youtube and interwebs. Here is one I have saved Youtube Video Skip the pfsense install part as it goes through the whole process from pfsense setup to squid, to squidguard, and lightsquid. Squidguard itself is not hard to setup once you have setup you squid transparent proxy which is basically enabling squid, checking transparent proxy, settings caches and that's it for squid then switch to squidguard and configure it. I have squid setup as an HAVP sine it is built into the squid package now and not a separate package before 2.3. Overall there is are many video and guides with pictures to assist in setting up or helping troubleshoot pieces of pfsense you need help with when you google for it such as in your case "pfsense squidguard setup". Don't hesitate you use your Googlefu.

I imagine you will fine routing at the firewall between the internal subnets. That hardware is probably far in excess of what you need. Steve

If you just want to do DNS bases blacklisting you could take a look at pfBlockerNG.

I stand corrected! ~Mat

@medikopter said in OpenVPN TLS Fehler: Das klingt ja eigentlich ganz cool und simple, allerdings scheitere ich schon an der Umsetzung eines Failover. Nunja, aber das sind ja auch zwei verschiedene paar Stiefel ;) VPN auf beiden Interfaces zum Laufen zu bringen ist wesentlich leichter, weil du nichts umschalten/routen/sonstwas musst. Daher überhaupt nicht schwer. Also das er das Interface automatisch wechselt wenn eins Down ist. Es genügt doch eine Gateway Gruppe zu machen und die bei den Regeln auf dem LAN einzusetzen?