@michmoor imagine you have an invasive container running on a machine the OS detect would know it's not the primary OS, and block out those packets, containers like Kali on docker. It would see it as it will not match the original host system.

@viragomann
that did work, anything else I can try?

@cg50000p
You don't need to trun off any software firewall, there's no way they will conflict. But you may have to configure both depending on what it's doing now.

Don't be afraid of pfSense, it literally will just work once installed so you can plug it in, and then learn it over time but you'll still have your internet working.

@viragomann it's ok problem solved i can ping Local machine on LAN network after configuring check box redirect gratway

@msadmire said in EasyRule Not Functioning:

How can I get this to work from a (non-root) SSH session?

Install and configure the sudo package first, then use sudo to run the command. It's not a part of the base system.

@przemyslaw85 dzięki za odpowiedź. Jedynie zacząłem używać czasami wireguarda na komórce. Do stronki www mam wykupiony hosting. Póki co mam zintegrowaną kartę intela + tplinka ale chcę kupić właśnie jakąś intela. pfBlocker jeszcze nie konfigurowałem (używam snorta) Mój PC (router) to dell optiplex 7010 i5-3570 16GB ram i SSD 256GB

Pozdrawiam

Yes, you could certainly route between the firewalls. But you need to use a separate transport subnet between the two firewall interfaces and then add gateways and static routes between them.
That way you avoid asymmetric routing and can properly filter traffic at both ends.

If they have separate ISP uplinks you can also setup each as a failover for the other.

Steve

@akinori said in Allow traffic:

going to let traffic coming from LAN interface going out to WAN and vice versa?

By default pfSense will pass all traffic out and in on the LAN interface. WAN blocks all inbound traffic by default and will allow all outbound traffic without any special rules.

@tbr281 said in Block redirect:

Just wish it would redirect it.

Even "dirty websites" use TLS these days. Easy to recognize, their URL starts with https://

Without drastic measure on your LAN, that is, all your web visiting devices and pfSense, you can't redirect https://"dirty websites" to https://DuckDuckGo
Your browser won't allow this.
The test : is the host name "dirty websites" present in the certificate obtained ? will fail.
Have a look :

e2e336b4-a7bf-4b88-ab68-5e617416ed3b-image.png

That's doesn't look like "dirty websites" : your browser will refuse the connection.

If it was possible, you would also be able to redirect https://some-bank-acess-you-use to https://some-bank-access-you-use, and because you control some-bank-access-you-use (and your site looks identical to some-bank-acess-you-use), now you get the access credentials.
And five minutes later you can access https://some-bank-acess-you-use with the credentials you've obtained, and do what you want.
The thing is, why would you ask if something if possible if you don't want it to be possible ?
After all, https://"dirty websites", or https://facebook.com or https://some-bank-acess-you-use or https://some-bank-acess-you-use, for your PC, switch, pfsense, upstream routers of your ISP etc, its all the same : a connection to some server over port 443, TCP.

@jarrodsfarrell Did fix the DNS IPv4+6. Post filter is getting tripped so I can't edit my post.

vlan 0 is reserved

@johnpoz I have it done through the host now. I'll get the opt port setup later today I'm just not by the device to do so now.

Hi @Baker0052 keen to share your haproxy conf. I have the same problem and cannot figure it out.

@craigerr1 is P2P? Mobile?
Have u open the rules in both sides to allow traffic on your firewalls->rules->ipsec?
Regards!!!

@SteveITS From what I can tell, drivers are up to date.

Other than an update of pfsense actual version, there should never be a reason to have to reboot pfsense.

Common issue where people believe this is the case in change in firewall rules, and not working as they think... This is most likely related to existing "state" for whatever trying your trying to change what happens with. And the reboot clears all this. But if you do have an existing state causing a rule not to function as you believe - you can either kill that specific state, kill all the states or just wait for them to time out on their own, etc.

@shaungehring This sounds similar to an arp cache issue we had. We could not connect, ping it, then all was good. The network team did something to the arp cache on a switch to resolve it. I do not have details as it was many years ago.
Maybe that will get you in the right direction.

Technically you could do it by running pfSense as a virtual machine in Windows using hyper-V or VBox etc. But pfSense is a complete operating system, it cannot run as an application on your desktop. It expects to be running on it's own dedicated hardware but running virtualised can also work.

Steve

VPN is much better way to access your resources from remote for sure ;)

@leonroy said in Can't create IPv4+IPv6 Firewall rule with an alias:

What I ended up doing was sticking my PiHole IP address in an Alias as well and setting that as the Source alias. Not sure if that's the best way of doing it but it worked...

If your PiHole should answer IPv6 and work with IPv6 it needs an IPv6 address. Without that makes no sense, then you can simply block all IPv6 alltogether. If your Pi has IPv4 and IPv6 then that's the right way, put both into the alias and use it in rules.

That said I wouldn't work with invert rules but that's my approach.

@bbcan177 Thanks. I was hoping for a less involved solution. Though, I'll take what I can get.

edit:
on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. however I am still with the issue of some devices getting IP's and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 manageed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS ( local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

That's using a Netburst Xeon right? It's not going to be fast. I don't have much to compare it with but waaay back when I was running a P4 2.8 it was good for ~300Mbps.
I would expect that pass 400Mbps using firewall and NAT only but maybe not much more.

Try it and see.

Steve

@alexandre-angeli said in IPSEC perdendo conexão:

A IPSEC fica offline enquanto não usa, e comprovei o correto funcionamento, quando pingo ela "levanta" novamente.

Hmmmm, mas:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html

I just saw this
https://forum.netgate.com/post/939135

Seems like you can enter a range

/Bingo

@JeGr said in Multiple Gateways on same subnet:

Why not simply reconfigure those routers

Because some devices (not mine) directly connected to router 1 have in their routing table certain rules to redirect traffic through 10.1.0.4. Hence those routers need to be on the same subnet.

These routers are shared by around 20 people, in 4 rooms on single floor. Hence I cannot change settings on those routers.

@dr_tech said in Possible to block certain websites using URL ?:

Is such a provision available ?

Yes, I thought pfBlockerNG would be a good solution. 😉
See the answer to your question at the attached link:
https://forum.netgate.com/topic/138029/acl-s-support

In particular, focus on the recommendation of @BBcan177 (maintainer and creator of pfBlockerNG)

@ddbnj said in Cannot access beyond router via OpenVPN:

10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

Yeah that would dick it up ;)

Glad you got it sorted! Told you it wasn't pfsense ;) hehehehe

The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user, hey pfsense is doing what its suppose to be doing... Have to look elsewhere..

@viktor_g said in Packages of Aliases (Port + IP's + company AC) for easy administrating:

@Sergei_Shablovsky said in Packages of Aliases (Port + IP's + company AC) for easy administrating:

have a lot of Apple iOS devices in company/home and need to quickly add rules to pfSence after You buy new appliance from Netgate;
company buy a software product that need to communicate with outside servers on a developer side;
company buy a new hardware (servers (like IBM IMM service, Dell/HP have similar) , email antivirus DPI inspector, etc...), that need to communicate with outside servers on a developer side;

Every appliance uses it own list of ports, that can be changed
It is better to check this information with the vendor

May be 5 or 7 years ago I was agree with You, because there are a huge bunch of SaaS services and the pool of IPs cannot able to be collected in reasonable timeslot.
BUT now in 2020 exist only 30-100 SaaS services that used by MOST OF USERS: Amazon AWS, Google ~Servises, Apple, 5 email services (Google, Yahoo, ...), and around 10 most-usable hardware vendors (Dlink, TPlink, Amazon devices, Google devices, ...)

Sorry, I need to repeat again:

The main question are the most users just need "push button and all working well" solution. Just look at this NetGate forum - more than 80% are about something described in official doc, or more than one time appear on forum. But same questions popup again and again, again and again, countless.
Even pinned on top of official pfBlockerNG part of this forum Bypassing DNSBL for specific IPs have words like CloudFlare. Rock... :)

And from point of view of ordinary users if something goes wrong, each user clime the "NetGate pfSense router" rather himself for not setup pfSense correctly. You may see on this forum even sysadmins of small organization are to lazy to correctly setup the pfBlockerNG-devel. This is reality of our life.

So at the bottom line are: if some solution exist on level "push button - and we do the rest" - more than 80% of users are happy with this. And buy more and more of pfSense devices, and recommend to others. NetGate are open source but not source of donation, this is "open source / business" balance.

And my proposition also about increase the power of this "open source / business" balance.

blocking using social networks (we all need that our stuff pay attention on work neither spent working hours on instagram, tinder, facebook, twitter...)

You can block it with the pfBlockerNG-devel / DNSBL Category

You can also find/add some specific DNSBL/IP lists there,
Most cloud providers have these lists,
check https://github.com/joetek/aws-ip-ranges-json
https://forum.netgate.com/topic/147716/stun-public-email-providers-and-some-feeds-from-secops
etc..

Thank You for source! Appreciate Your attention and time!

No need tu put it off, because

The style of routing described on that link won't work since pfSense doesn't enable the options for multiple routing tables

So, what isn't implemented can't be switched off - neither on.

@Gertjan shodan.io is a service that scans the internet for known exposure and for vulnerabilities

i remember you are french, so I link you here a video in French on the subject https://youtu.be/SxjmOFBtsvk

I am also wondering about the same thing. If you found a fix then please do let me know. thanks in advance :)