@Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

@horasjey

Ok did some searching for you.
Found this Change default TTL value

That was true in 2018, nothing, afaik, changed since.

Global answers : pfsense change TTL.

edit :

@Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

Not sure if it possible with pfSense.

That's a long answer for 'dono'.
So how would I be able to answer :

@horasjey said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

here is the TTL config on the pfsense device sir?

?

thanks @Gertjan

@Anaerin
It looks like the issue is Wireguard. Disabling Wireguard, removing it's interface, tunnel and peers removes the rules.

Quite why Wireguard is grabbing the wrong subnet for the VPN subnet and redirecting it to the local net is an issue.

Great job, and you also learned port forwarding, ACL ordering, alias creation and much more. I love this forum you can learn so
much. Now you just need a OpenVPN configured with a NAS server for private cloud use

@bmeeks said in Allow outgoing traffic based on Active Directory group:

I would suggest setting up a pfSense instance in a virtual environment and experimenting with some of the options. Pretty easy to do in something like VMware or Proxmox (or even Hyper-V).

Yes, this is exactly my plan. I installed a 2.7.0 pfSense, a 2012 R2 DomainController, and two W10 virtual machines on my lab, just to test everything before touching the production environment.
Thanks, and best regards,
HeCSa.

@viragomann must be a bug can it be checked please.

Do you have pfBlockerNG installed and configured to autmatically manage its rules? If "yes", then that's probably why. It will rearrange firewall rules when it performs an auto update.

@johnpoz said in Port Forward does not work..:

But completely agree with you - in my multiple statements that nat reflection is an abomination

That's the way I know you. 😊

As I mentioned, I didn't read all posts and I missed the reason for doing NAT reflection.

Could it be set flags SYN ACK ? and or state type keep or sloppy ?

@mameen-lk said in Unable to RDP using pfSence:

Is there any option where we could bypass for a specific host or add a rule in squid proxy

Sorry, but I've never used the Squid packages on pfSense. However, I would suspect there is a mechanism for implementing a "white list" of trusted IP addresses. Most packages that do some level of blocking provide a means for whitelisting.

You could try posting in the Cache/Proxy sub-forum which covers Squid related questions: https://forum.netgate.com/category/52/cache-proxy. Users there will be familiar with the various Squid packages available on pfSense.

@johan-2 Ah. Not using pfSense as the gateway, then. :)

@rennit I guess? With VLANs AFAIK there are two ways to get the VLAN assigned. Either something assigns it (AP, switch) or the device's network config has a VLAN. With the latter, someone with knowledge can change, add, or remove the VLAN tag. If the switch allows the new-VLAN packet on that port then it gets passed on. Normally that's blocked by a managed switch, but generally unmanaged gigabit switches will pass packets without regard for VLAN.

Otherwise something would need to be removing the tag from the packets, in order to cross over to another VLAN.

@viragomann
that did work, anything else I can try?

@yquirion I was surprised as well and was hoping it did not change my configuration which it did not. I was not aware about querying the database so I learned a very nice thing from you as well.

@viragomann & @Gertjan

Thanks for your help!

Managed to solve it with a floating firewall rule! I only tried to block it from the interface that I thought the traffic originated from first. But now I tried to add a floating rule that blocked the traffic from all interfaces that shouldn't have access to it, and it worked!

@przemyslaw85 dzięki za odpowiedź. Jedynie zacząłem używać czasami wireguarda na komórce. Do stronki www mam wykupiony hosting. Póki co mam zintegrowaną kartę intela + tplinka ale chcę kupić właśnie jakąś intela. pfBlocker jeszcze nie konfigurowałem (używam snorta) Mój PC (router) to dell optiplex 7010 i5-3570 16GB ram i SSD 256GB

Pozdrawiam

@jbeez fixed... definitely user error. I was restoring a filter.inc from a prior version. Restored the proper one and its good to go.

Are you running pfBlocker? Snort/Suricata?

Anything show as blocked?

Steve