Netgate Discussion Forum

    Help a newbie - Please?

    General pfSense Questions
    15 Posts 3 Posters 1.1k Views
    • estwing

      I'm very new to this, having fun learning!

      I want to have my Netgate 2100 set up so that each of the four physical ethernet ports acts as an independent LAN, completely isolated from the other LANs, but with access to the internet.

      I have installed pfBlockerNG, which seems to be working fine.

      Everything seems fine except I can't get out onto the internet at all. I have this error message:

      Filter Reload
      There were error(s) loading the rules: /tmp/rules.debug:74: syntax error - The line in question reads [74]: nat on mvneta0 inet proto tcp from 192.168.100.0/24 to 192.168.100.20 port -> (mvneta0)
      @ 2023-09-24 13:31:49

      I'm close to doing a reset and starting again, but that would seem defeatist. Any help would be appreciated!

      • stephenw10 (Netgate Administrator)

        That looks like a NAT reflection rule that is somehow missing the port and is invalid.

        Do you have port forwards configured?

        Do you have NAT reflection enabled?

        I'd first disable NAT reflection if you do and see if that removes the invalid line.

        Steve

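A small checker for the failure Steve describes, added here as an example (it is not pfSense's own code): it scans rules.debug-style lines and flags any `port` keyword that has no operand, which is exactly what the quoted line 74 shows. The sample rules are constructed; the interface name and addresses are the ones from the thread.

```python
import re

# Constructed excerpt in the style of pfSense's /tmp/rules.debug. Line 3
# reproduces the broken NAT reflection rule quoted in the thread ("port" is
# followed directly by "->"); the other rules are well-formed for comparison.
SAMPLE_RULES = """\
# NAT reflection for a port forward (constructed sample)
nat on mvneta0 inet proto tcp from 192.168.100.0/24 to 192.168.100.20 port 443 -> (mvneta0)
nat on mvneta0 inet proto tcp from 192.168.100.0/24 to 192.168.100.20 port -> (mvneta0)
rdr on mvneta1 proto tcp from any to (mvneta1) port 443 -> 192.168.100.20 port 443
nat on mvneta0 inet proto udp from 192.168.100.0/24 to 192.168.100.20 port 1194:1200 -> (mvneta0)
"""

# A single port operand: a number or service name, optionally a range
# "low:high" or "low:*". Braced lists and relational operators are handled
# separately below.
PORT_OPERAND = re.compile(r"^[0-9A-Za-z_-]+(?::(?:[0-9A-Za-z_-]+|\*))?$")
PORT_OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "><", "<>", ":"}


def check_port_operands(text):
    """Return [(line_no, message)] for each rule whose 'port' keyword is not
    followed by a usable operand. Comments and blank lines are skipped and
    line numbers are 1-based, matching how pfctl reports rules.debug errors."""
    problems = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        for i, tok in enumerate(tokens):
            if tok != "port":
                continue
            j = i + 1
            if j < len(tokens) and tokens[j] in PORT_OPERATORS:
                j += 1  # e.g. "port != 53": the value comes after the operator
            nxt = tokens[j] if j < len(tokens) else None
            if nxt == "{":
                continue  # braced list such as "port { 80 443 }"
            if nxt is None or nxt == "->" or not PORT_OPERAND.match(nxt):
                problems.append((line_no, f"'port' has no valid operand (got {nxt!r})"))
    return problems


def bad_rule_lines(text):
    """Just the offending line numbers, the way pfctl names them (rules.debug:74)."""
    return [line_no for line_no, _ in check_port_operands(text)]
```

Running it over a copy of /tmp/rules.debug points at the generated rule to trace back to its port forward or reflection setting, rather than reading the whole file by hand.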
        • estwing

          Appreciate your response thank you.

          I don't understand what you've said, I'm well outta my depth with this.

          I'm doing a factory reset and starting again, moving forward a bit more slowly this time and trying to understand what I'm doing, rather than just mindlessly following a set of instructions!

          • stephenw10 (Netgate Administrator)

            NAT reflection is explained here:
            https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

            It's not enabled by default but that invalid rule line looks like it might have come from that somehow. Unclear how it could have happened though.

            • estwing

              Thank you, it makes sense to me. That'll be me that broke it, no surprise there!

              I had an earlier attempt at TLS over DNS to Cloudflare, I abandoned ship at needing a cert from Acme, this did mean I had fiddled with DNS settings as well as other settings.

              Clearly a far more methodical approach is required, with lots of backups so if I can't make something work, I can restore to a working setup and try again.

              • stephenw10 (Netgate Administrator)

                You don't need a cert just to use DNS over TLS. Just enable that in Unbound (the DNS resolver) and set it in forwarding mode. Then set Cloudflare's servers in System > General Setup.

                • estwing

                  I got that working on my Mac, which is wired and has wifi to the internet. It's also working on my MacBook, which is wifi only. Thank you.

                  I tested it with this:

                  https://developers.cloudflare.com/1.1.1.1/check/#:~:text=Enter%20https%3A%2F%2F1.1.1.1,center%20you%20are%20connected%20to.

                  But it isn't working on my iPhone or my iPad, which are both on the same wifi as the MacBook, they are attached to a router in AP mode which in turn is plugged into the Netgate 2100.

                  It's no big deal, as Cloudflare have a nice little app which does DNS over TLS on the iPhone and iPad, and the above link confirms it.

                  • stephenw10 (Netgate Administrator)

                    Those devices may not be using pfSense for DNS directly, in which case you would need to redirect or block other DNS if you needed that.
                    https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                    • Gertjan @estwing

                      @estwing said in Help a newbie - Please?:

                      TLS over DNS to Cloudflare

                      Like: Cloudflare Docs: DNS over TLS

                      So, step one:

                      [screenshot]

                      Step two: Services > DNS Resolver > General Settings

                      Make sure these are checked, or unchecked:

                      [screenshot]

                      If OK, validate, and done.

                      No "help me" PMs please. Use the forum, the community will thank you.
                      Edit: and where are the logs??

                      • estwing

                        Appreciate the comments. At the moment I can't get this working; my best guess is that I don't know what Python is and I don't have any Python module scripts.

                        My goal with this was some extra security for everything in and out of my house, without the problems of using a VPN like Proton or Surfshark or other such stuff, which all seems pretty hopeless!

                        • stephenw10 (Netgate Administrator)

                          You don't need to enable Python mode unless you're using pfBlocker.

                          • estwing @stephenw10

                            @stephenw10

                            That's interesting, I am using pfBlocker!

                            • stephenw10 (Netgate Administrator)

                              OK, it's generally better to use Python mode in that case, especially if you have a large number of lists. It's a lot faster. Either should work though.

                              • estwing

                                I do appreciate your help with this. I'm in way over my depth now; I can't do Python!

                                Only a few weeks ago I didn't have any idea what port forwarding was, never mind NAT. If I try and run before I can walk, a bad habit of mine, it won't end well. Hopefully I'm already a lot more secure than your average home user.

                                Sometimes the only way to learn something is to get your hands dirty, so I bought a Netgate 2100. I'll keep at it; I will get my head around this, eventually!

                                • stephenw10 (Netgate Administrator)

                                  You don't need to know anything about Python. That just sets the module Unbound is using to import the lists from pfBlocker.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.