@steveits said in Geoblocking the world except for home:

@nogbadthebad Since you showed "alias permit" just be aware that reportedly de-dupes across other permit or deny lists. There was a thread last year sometime where someone pointed out IPs were being removed. Alias Native will leave the lists unchanged.

Cheers I've changed them :)

@akinori said in Allow traffic:

going to let traffic coming from LAN interface going out to WAN and vice versa?

By default pfSense will pass all traffic out and in on the LAN interface. WAN blocks all inbound traffic by default and will allow all outbound traffic without any special rules.

@tbr281 said in Block redirect:

Just wish it would redirect it.

Even "dirty websites" use TLS these days. Easy to recognize, their URL starts with https://

Without drastic measure on your LAN, that is, all your web visiting devices and pfSense, you can't redirect https://"dirty websites" to https://DuckDuckGo
Your browser won't allow this.
The test : is the host name "dirty websites" present in the certificate obtained ? will fail.
Have a look :

e2e336b4-a7bf-4b88-ab68-5e617416ed3b-image.png

That's doesn't look like "dirty websites" : your browser will refuse the connection.

If it was possible, you would also be able to redirect https://some-bank-acess-you-use to https://some-bank-access-you-use, and because you control some-bank-access-you-use (and your site looks identical to some-bank-acess-you-use), now you get the access credentials.
And five minutes later you can access https://some-bank-acess-you-use with the credentials you've obtained, and do what you want.
The thing is, why would you ask if something if possible if you don't want it to be possible ?
After all, https://"dirty websites", or https://facebook.com or https://some-bank-acess-you-use or https://some-bank-acess-you-use, for your PC, switch, pfsense, upstream routers of your ISP etc, its all the same : a connection to some server over port 443, TCP.

@modesty said in How to open UDP port 1883 to IoT Cayenne my devices:

My IoT device is connected to my LAN (WiFi) to 192.168.0.52 (static) and is sending packets to my Cayenne dashboard.

So allow the packets to the dashboard IP instead of the pfSense interface IP. At destination select single host and enter the dashboard IP.

@alexhen
You cannot schedule NAT rules.

You have scheduled the associated firewall rules though, but even if these rules are disabled, the NAT rules are still active and do what they meant to do and the first one wins.

Not really sure what to try to achieve with this idea. If you just have two internal servers listening on port 80 set up HAproxy. Doing so you can also let HAproxy do the lets encrypt stuff.
Also you can run a proxy on one of the backends themself.

@atxcoder you need a Web Application Firewall (WAF) to do that, pfsense FW rules block at the ip layer. x-real-ip is application layer. The traffic is allowed because it came from 10.0.10.4.

pfBlockerNG and the ASN numbers, PfblockerNG will also import JSON but you can't create create a single alias with IPv4 & IPv6.

Screenshot 2022-09-14 at 08.41.28.png

https://db-ip.com/as15169-google-llc

@adminproconer said in Firewall rule problems. (Client-to-client forward):

Where should I start troubleshooting the issue?

With the network settings and firewall config of the concerned device.

Ensure that all devices in both subnets use pfSense as gateway.

If you can access a device from within it's own subnet, but not from another network segment check its firewall and ensure that it allows access from outside.

Note: simply changing the terminal settings to send ^H instead of BKSP is not a universal fix.

For example, when I did this (iTerm2) I noticed that when ssh'ing to a new host and getting the prompt to accept/reject host keys, I can no longer backspace properly. Instead of deleting, it prints the literal ^H

32683b3b-8f19-4633-a540-f7628ecb76f9-image.png

@cool_corona said in killing existing (specific) fw states when rule change from disabled to enable:

d the dropdown in "schedule" is empty (always none).

So, what I'm looking for is that exactly not what I'm looking for :)

As mentioned, what I'm looking for is the ability to run a specific task when a rule is enabled or disabled. Not a schedule !

I you want a schedule, go under firewall-> schedule, create your schedule and then go back where you took your screenshot from and assign that schedule :)

Your post is not entirely clear. Perhaps it is a language translation issue ???

Are you saying that now your pfSense box is behind some kind of double-NAT? You must eventually have a public IP in order to route traffic (not an RFC 1918 address). However, if your pfSense box now communicates with some upstream host that in turn provides a NAT to some type of public routable IP, then your Snort rules update should still work.

I assume other Internet traffic through the pfSense box works?? Or do you really mean to say you have isolated this pfSense box from the Internet? If that is the case, then there is no method for an offline update in the Snort package. It requires Internet access to update its rules.

@quasaur So you mean having a single supernet broadcast domain with e.g /22 mask and have many / 24 "subnets" with a /22 mask and single gateway?
If yes, it can be done, BUT the issue would be tha you need to manage all mac addresses manually.
It can be done but it is very cumbersome, especially in the long run.
You are better off segmenting your lans with vlans and use single dhcp on pf to manage them all.
You cant have rules between them as long as they are on the same physical interface too

Hi @Baker0052 keen to share your haproxy conf. I have the same problem and cannot figure it out.

@leonroy said in Can't create IPv4+IPv6 Firewall rule with an alias:

What I ended up doing was sticking my PiHole IP address in an Alias as well and setting that as the Source alias. Not sure if that's the best way of doing it but it worked...

If your PiHole should answer IPv6 and work with IPv6 it needs an IPv6 address. Without that makes no sense, then you can simply block all IPv6 alltogether. If your Pi has IPv4 and IPv6 then that's the right way, put both into the alias and use it in rules.

That said I wouldn't work with invert rules but that's my approach.

@jimp said in Support for IPv6 firewall entries with dynamic delegated prefix and static host address:

While some people choose to only allow specific source hosts to specific destination hosts in a DB net, usually people don't get that fine-grained, either because the sources need to reach most if not all the resources in the target network, or because there aren't that many to bother with being that specific. Either way if someone has to get that complex with rules it's highly unusual for them to be using any kind of dynamic addressing like prefix delegation.

Now that I can completely agree with! But may I suggest that you name the feature in another way? As this works with and without prefix delegation, and is more concerned about using a shortform (host part only) on interfaces.

This is based on that I only understood the limit, when I read the sourcefile, and realized it did not use my PD, but the network the interface was assigned even if it was static.

edit:
on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. however I am still with the issue of some devices getting IP's and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 manageed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS ( local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

If you set pfBlocker to "native alias" instead of block, that will just create an alias and you can create your own block/allow rules however you want them.

@mickman99 Sorry mal wieder die späte Rückmeldung. Habe jetzt Urlaub und kann mich dem Thema wieder expliziter widmen.

Tatsächlich wird der Präfix einwandfrei auf die Interfaces verteilt und stimmen auch mit dem Präfix mit dem der FRITZ!Box überein. Laut Log der FRITZ!Box wird das verteilte Netz an das LAN Interface auch erkannt und als Exposed Host freigegeben.

Ich vertraue allerdings der Firewall der FRITZ!Box nicht so ganz. Ich richte parallel bei einem Nachbar einen OpenVPN Server über IPv6 ein. Auch dort wird der eingehender Verkehr trotz Exposed Host (natürlich nur zum Test so freigegeben) rejected. Sinn macht das nicht.

Zusätzlich ist bei meiner pfsense das Problem aufgetreten, wenn viele Daten auf einmal verarbeitet werden müssen, dass der interne DNS Server abschmiert. Da habe ich auch die Vermutung, dass es an der FRITZ!Box liegt. Der Log der Fritte verrät da allerdings nicht so viel...

I will check it in the evening. A t this time only linux machines are there and I don't want to allow the windows machines to serve some services.

Anyway, LAN network doesn't know anything about VLANs, where the host to be connected from VLAN20 is located ....

@Derelict I think i got it to work. After i set the default gateway manually to the VPN and not automatic and saw that it worked,
i transfered the Flowing Rule i made for the outbound traffic to the Lan interface.
With the new knowledge of your help and the help of viragomann i changed some tiny things in the firewall rule.
After that i changed the default gateway back to automatic and know the outbound traffic takes the vpn and everything works.
I even rebootet the firewall to get lost of the states but everything still functions as it seems.

Thank you so very much for your dedication and your help.

@johnpoz
I see. Thanks for your help as well! Appreciated.

Added to what @NogBadTheBad said :

Start up a new OpenVPN server on - example - port 1195.
Assign this user - his credentials - to this VPN.
Assign the OpenVPN interface of this instance to an Interface.
Now you can use this firewall for this interface to fine-grain the access on IP "destination".

When a user comes in using a VPN, he can access - typically - your LAN(s). But all devices on these LANs have their own access codes.
The server your user should access has it's own user privileges set up, right ?

Btw : put your server on a DMZ ....

@DavidGA said in Multiple problems with NAT rule creation UI:

You apparently can't create NAT rules for destination port ranges

Huh? Sure you can..

portforwards.png

But yeah concur with JeGr if you were going to do that you would just use a 1:1 nat.

I don't have a mac to test with - but for sure could test it with multiple browsers on windows or linux..

Let me fire up safari on my iphone or ipad..
edit: Just fired it up on my iphone and works just fine.. When selected network as address the box did turn gray, but just clicked on it and it went white and could enter stuff..

Technically, these are NOT called rule names, but descriptions instead.

The description of my firewall rules (on LAN is where I'm logging) are in my firewall logs. If you've got no rules created, you'll have to make some that actually log the data. After that, if you look in Status -> System Logs -> Firewall in the Rule column it lists the rule description(s).

There's also the 10 digit unique (I think) tracking ID code to make them quick to find or index.

The only restriction listed for rule descriptions is max of 52 characters. Don't know anything about special characters, however. Here's some talk about some description stuff.

https://forum.netgate.com/topic/92254/firewall-rule-description-length-limitation

Jeff

It might be an edge case we can't really detect well since it may be valid in some other way, even if it isn't an IP address (e.g. a hostname, other alias name, etc)

Solved..... I spent 2 weeks to find this issue, posted here... then I cleared my cache and it did the trick.

The Suricata GUI package on pfSense is designed to make the deployment of an IDS/IPS somewhat simpler for users new to such technology. If you are at an advanced level where you want to integrate with multiple other systems and construct on-the-fly rules using script tools, then you really should abandon the GUI part of the package and simply use the Suricata binary itself. You can do that by simply installing Suricata from FreeBSD ports. You are going to have to install all of the other scripting language dependencies from there anyway.

I am not in favor of loading up the Suricata package with a ton of new dependencies when the vast majority of users would likely not need them for a basic IDS/IPS. I'm talking about things like Python, Go, (and heaven forbid one old suggestion even needed Java! Can you imagine the security holes your firewall would have with Java installed on it?).

There is a Github site for all of the pfSense packages here. You are free to submit pull requests there. I usally am asked for my opinion, but the pfSense developers have final say in what is accepted into the package.

Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.

Tried killing the firewall states ?

@chris4916
Merci pour les infos, j'ai entrevu ce genre de possibilités dans différents articles sur pfsense ces derniers jours, il me semble effectivement qu'il y a du potentiel.