Netgate Discussion Forum
    • DNS Resolution of server failing... but I can ping the box?
      Category: WireGuard. Tags: dns resolution, firewall rules, wireguard
      0 Votes, 5 Posts, 1k Views

      So, after some further digging, I discovered a couple of things:

      • You have to actually assign the tunnel to an interface.
      • The macOS WireGuard app doesn't support .ddns.net domains.

      Thank you for your help, once I assigned the interface correctly everything worked like a charm.

    • DNS Resolution for Wireguard tunnel failing
      Category: DHCP and DNS. Tags: dns, firewall rules, wireguard, dns resolution
      0 Votes, 3 Posts, 2k Views

      @bob-dig Yes, I can ping the domain name and receive a response from the firewall.

    • Disable firewall rules from mobile browser: can't scroll
      Category: webGUI. Tags: bug, web ui, firewall rules
      0 Votes, 4 Posts, 1k Views

      @gianpaoloracca UPDATE:
      you can scroll by dragging the column header.
      So it's clunky, but it works.

    • Block Internal vLan from accessing Web UI
      Category: Firewalling. Tags: firewall rules, pfsense
      0 Votes, 14 Posts, 2k Views
      johnpoz:

      @unififcf said in Block Internal vLan from accessing Web UI:

      they said it is a TrueNAS

      Ah - yeah, they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually set up the rules. Haven't played with that in a long time.

      But ipfw can be its own learning curve for sure - yeah, best to move that to a different VLAN than all your users and just use pfSense.

    • How do you configure pfSense to connect its WAN port to a %G hotspot
      Category: Firewalling. Tags: bogon, hotspot, firewall rules
      0 Votes, 5 Posts, 1k Views

      @steveits Thanks again. I will try it one more time. My hotspot has a different subnet than the internal networks. It seems really strange that I can't ping my hotspot from either one of my internal networks.

      Thanks

    • Ipsec established but no data passing
      Category: IPsec. Tags: ipsec, firewall rules, firewall, ipv4, vpn tunnel
      0 Votes, 2 Posts, 946 Views
      periko:

      @craigerr1 Is it P2P? Mobile?
      Have you opened the rules on both sides to allow traffic under Firewall -> Rules -> IPsec?
      Regards!!!

    • Isolate Secure LAN, Different IP Range, Management VLAN, Lab LAN
      Category: Firewalling. Tags: secure lan, management vlan, firewall rules, block outbound
      0 Votes, 5 Posts, 3k Views

      @johnpoz Thank you so much again. Understand all.

      Couple of clarifications:

      Yes, understood, I was looking to be able to access pfsense and the LAN, but not the internet, in this instance. Either way, everything you said helped clarify it for me and I both understand it and got it configured and working. :))

      2a. Mine is manual, but yes, great points and idea.
      The allow rule you are referring to would be an allow any and the gateway or default gateway, correct?

      Correction: Vlan 1 includes all ports as members, then port 1 (trunk) is tagged in every vlan. Is that correct configuration?

      Also, on one of the switches I am looking at (all are good, one is high-end) I noticed that VLAN 1 (under its VLAN ID tab in membership) is an untagged member on every port as well. This includes ports with an assigned untagged VLAN also. Is that incorrect?
      Should only the VLAN assigned to that port be untagged, correct?

      Okay, and if a block egress rule is in floating, that would go on the WAN or other gateway as previously discussed, correct?

      edit: VLAN 1 is now neither tagged nor untagged on ports that have other VLANs untagged on them. All seems to be working, so I'm thinking that is the correct config. :)
      Therefore, now not all ports are members of VLAN 1, but port 1 (trunk) is tagged in each VLAN on the other ports.
      ex:
      VLAN ID | Port Members
      1       | 1, 17, 27 (not a member of ports with VLANs assigned untagged)
      10      | 1, 2 (VLAN 10 untagged on port 2)
      Port 1 is tagged on every VLAN.

    • How to - Block and Filter Egress Traffic
      Category: Firewalling. Tags: firewall rules, egress, port blocking
      0 Votes, 12 Posts, 2k Views

      @johnpoz Okay, all makes sense as always from you. Thank you.

      And yes, pfBlocker is definitely on the list to learn and set up.

      Also: I just set up a new switch and it has brought me to one last issue I'm having trouble with regarding the management and isolated LAN. It seems to be of interest from the posts I've read, but I've seen no real answers, so I am going to start another thread (easier for others to find the related topic) with my last questions for you. Hope you do not mind...

    • Excessively High Firewall Maximum Table Entries
      Category: Firewalling. Tags: firewall rules, pfblockerng, pfblocker, memory high
      0 Votes, 1 Post, 934 Views
      No one has replied
    • Help please: Why are these rules isolating IoT not working?
      Category: Firewalling. Tags: routing, firewall rules, iot, guest
      0 Votes, 34 Posts, 6k Views

      Very thankful for this discussion. Provided a much greater understanding of many things and overall.

      For those reading: As to this specific issue, one that I saw many posts about, but this solution I have not seen:

      Just found this under logs-->firewall-->settings. I tested it and it worked for the noise. I just don't know if I will be losing any other important logging with it. Looking at the default block rules, I do not think so, but I'm not sure.

      [screenshot: Screen Shot 2021-09-28 at 08.20.10.png]

    • Test inter-LAN/VLAN Routing to Verify Firewall Rules
      Category: Firewalling. Tags: vlan, firewall rules, testing, routing
      0 Votes, 1 Post, 614 Views
      No one has replied
    • Wildcard Filtering
      Category: Firewalling. Tags: firewall rules, alias
      0 Votes, 1 Post, 576 Views
      No one has replied
    • Not able to ssh to outside world (WAN)
      Category: Firewalling. Tags: firewall rules
      0 Votes, 11 Posts, 2k Views
      Gertjan:

      @peter_apiit said in Not able to ssh to outside world (WAN):

      connect my company jumphost using ssh

      Can you change the settings of this ssh access?
      Change the '22' port to '2222' and you'll be good.

    • External ip and shodan show Port 80 open
      Category: Firewalling. Tags: firewall rules, webgui, shodan, wan ip, ddns
      0 Votes, 1 Post, 725 Views
      No one has replied
    • DNSBL not creating firewall rules
      Category: pfBlockerNG. Tags: pfblockerng, dnsbl, firewall rules
      0 Votes, 24 Posts, 5k Views

      @bob-dig
      I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List and the website (and others) is still not blocked. (Yes, I did a force update all)

      I have tried on different computers on the network and they can still access it.

      I have also tried on three different browsers.

      I am really confused why some sites are blocked while others are not.

    • SG-5100: Running easyrule with dedicated user
      Category: Firewalling. Tags: firewall rules, sg-5100
      0 Votes, 2 Posts, 635 Views

      Turns out I need to "sudo" with my dedicated user for the command to work. Like this:

      sudo easyrule block lan 192.168.1.21
    • Tunnel Unbound through the OpenVPN client, if available
      Category: Deutsch. Tags: vpn, unbound, firewall rules, dns resolver, openvpn client
      0 Votes, 11 Posts, 2k Views
      Bob.Dig:

      Unfortunately I had to find out that "my" solution apparently only works for a while. At some point Windows seems to stop using the "first" DNS server and therefore no longer resolves internal names.
      So for now I have switched to IPs instead.

    • Firewall Rules not applying to http traffic
      Category: Firewalling. Tags: firewall rules, gateway, routing
      0 Votes, 9 Posts, 1k Views

      @jack7076 Transparent Squid does not work with policy routing. Squid binds to WAN. Policy routing is done before it reaches WAN.

    • Accessing an access point behind pfSense
      Category: Deutsch. Tags: firewall rules
      0 Votes, 9 Posts, 1k Views

      @NOCling @the-other,

      The VLAN idea is a good one; I first have to take a look at the switch.
      (It's a small HP 8-port Gigabit switch.)

      I'll put it on my to-do list for when I'm on site again.

      If it supports VLANs, I may get back to you about the configuration.

      Regards, Peter

    • Bridging physical interfaces and VLANs, getting DHCP with no routing? Or is it
      Category: L2/Switching/VLANs. Tags: vlans, bridging, rules, firewall, firewall rules
      0 Votes, 3 Posts, 991 Views
      imark77:

      edit:
      On the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any VLANs, and after that it gave me DHCP on the LAN ports and VLANs. However, I am still having the issue of some devices getting IPs and some not: on the same laptop, over Wi-Fi nothing, wired something. My travel AP does not support VLANs so it has to be on the base level, and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it, but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 managed switches so I could break out all of my VLANs to test; it was the only easy way to solve ingesting my multiple travel WAN VLANs (local LAN, Wi-Fi, Wi-Fi hotspot, wired LTE modem).