@steveits
Pfsense firewall configured in transparent mode. Created a bridge interface and management IP address is given to this interface by rule with allowing port 443 (HTTPS). Firewall doesn't go accessible over the management IP address if there is a shutdown/restart to the VM even though the said rule is present. Is there any configuration to retain the web interface accessible over the management IP address if the VM goes for a restart or shutdown?

@viragomann & @Gertjan

Thanks for your help!

Managed to solve it with a floating firewall rule! I only tried to block it from the interface that I thought the traffic originated from first. But now I tried to add a floating rule that blocked the traffic from all interfaces that shouldn't have access to it, and it worked!

UPDATE:

I've been doing some tests trying to know where the problem is and it seems that finally it comes from WAN interface. I configured first WAN but until I configured the IPSEC tunnels the problem didnt appear.

Today I reinstall a fresh pfsense and first of all I configured the tunnels with no problems and when I configured the WAN the problem start. If I enable WAN with DHCP or Static IP without a gateway it works everything fine, when I choose a IPv4 Upstream gatewy then return the problem.

At this point this topic can be closed.

@gertjan I will attempt this tonight and report back. Thanks.

I assume you only have one NIC in that device?

You can still leave LAN assigned as the parent interface directly and assign VLAN99 as an OPT interface.

Steve

@paanvaannd said in Unable to modify (i.e., install, remove, or reinstall) packages via Web interface + Snort installed but not showing up in Web GUI:

Thank you for taking the time to help and explain, @bmeeks!

Per your and others' comments in that linked thread, I'm not hopeful that Snort/Suricata would have much hope of working on my SG-3100 even after 2.5.2 rolls around (I'd link directly to your comment but I can't figure out how to copy a permalink on this site...) so I may just upgrade to the SG-6100 since it's Intel-based.

Yes, the SG-3100 is not the best choice right now for the IDS/IPS packages. It is due to the 32-bit ARM processor chip in that box. Because of the 32-bit ARM processor and the lack of Rust support for it, it is not possible to run any version of Suricata on that hardware newer than 4.x. That is two versions behind, and no longer supported by the Suricata team.

Hard to see how that could be. The packet is arriving over the IPSec. TCP Syn packets are tiny anyway. But if you've seen something similar before I guess....

But that pass rule should match and clearly isn't. IP Options on it or something odd?

Steve

Internal scan is only if your service provider... And you sure and the hell do not need to make the web gui of pfsense available on the networks that are involved in the PCI..

For example - we are service provider, we host stuff that is PCI for customers... We don't need to scan the management vlan, only need to scan the networks that are directly involved in the processing of the payments..

We are not scanning every single network in the company... You only need to scan the network related to your pci environment.. If your switches and or routers and firewall interfaces are available on your pci networks - your doing it wrong!

@DavidGA said in Multiple problems with NAT rule creation UI:

You apparently can't create NAT rules for destination port ranges

Huh? Sure you can..

portforwards.png

But yeah concur with JeGr if you were going to do that you would just use a 1:1 nat.

I don't have a mac to test with - but for sure could test it with multiple browsers on windows or linux..

Let me fire up safari on my iphone or ipad..
edit: Just fired it up on my iphone and works just fine.. When selected network as address the box did turn gray, but just clicked on it and it went white and could enter stuff..