pfSense Part 3: Controlling Routes | Level One Techs


First: Nice Video :slight_smile:

But: Disabling IPv6 for "security"? I'm glad to see more and more IPv6 on the net (also IPv6 is different but absolutely not harder than IPv4 in my opinion).

And I think you also have to do the port-forwarding. The traffic is routed outside via the WAN connection but the problem of the NAT is not eliminated ... *cough* IPv6 (or at least UPnP)


The Windows 10 telemetry list referenced in the video is this


Here's the list cleaned up without the extra crap


I edited your post, if you don't mind?


Am I the only one that finds it weird you need to assign a static IP to a MAC-Address to be able to block/allow all traffic from it? Is there a reason why we can't just plug in the MAC address and say block/allow everything? Is it easier to route?

MAC addresses are not in the right place in the OSI model, interestingly.


What are the chances that an OpenWRT quick run-through video is made?


You should be able to block access by MAC address by specifying MAC Deny in the MAC address control advanced options under your DHCP service.

@wendell mentioned the OSI model. The reason you can't filter by MAC on the firewall is because the firewall works and filters on IP addresses at Layer 3 and above, whereas MAC addresses are at Layer 2.

Using the MAC Deny option will prevent the machine from getting an IP address altogether. So you have two options.

MAC Deny if you don't want the device to get an IP from your network at all.
Or DHCP static map and filter the IP on the firewall, give your internet network access but the device can't access the internet.

The second option (Wendell's) makes more sense, as if it's plugged into your network you probably want it to have an IP address.

In both cases, it doesn't stop the machine from accessing the internet with a static IP that it assigned itself (but this usually requires manual input).


I am trying to set up firewall rules for CS:GO. (On my VPN I actually have a better ping but crazy lagspikes (btw. why is that?).)
So I rerouted all outgoing ports 27000-27050 traffic over WAN gateway. This is my only firewall rule, rest is free to flow.

Game does not work anymore :wink:
Steam does not connect (startup online) anymore.

How does one usually troubleshoot?

I recognized 443 traffic in the firewall log, so the game seems to contact the matchmaking servers.
...but I don't want to have all 443 on WAN... what do I do?

Thank you very much for the once again great video.
Thank you for addressing the Microsoft telemetry.


In that case you could create a separate interface for these devices and block certain access on that interface in general.


You could yes. Put them on another network, interface, or vlan and only allow them access to the internal networks.


Is there any way to dynamically update the MS telemetry list so that it remains current without user interaction?

EDIT: To some degree, I may have found my answer. There is a whole thread on this topic already so I'll suffice it to say that the below linked response shed some light on the easy way to do it in pfSense. However, the answer gets much more complicated when you read the entire thread. Seems that you'll likely be fighting a losing battle for now.


Didn't talk much about blacklisting vs whitelisting or how to approach putting together a firewall policy.

I know it would be confusing if you installed a new firewall and everything stopped working but in a lot of ways that is what I expect from a firewall. Everything closed except those ports that I have explicitly opened.

Is there an easy way to configure pfSense to blacklist all ports and then add in the ones that are desired explicitly?

Post Removed: Forgive me, I'm still learning.

Firewall->Rules->LAN: Delete the "Default allow LAN to any" rule
Firewall->Rules->WAN: Add a "Block any to WAN" rule

@Whizdumb Floating rules are not above the LAN Anti-Lockout Rule?
I do not understand how I again managed to lock myself out by enabling pfBlockerNG dnsbl.

That is how pfSense works by default: if you delete the default allow any to any rule then everything will be blocked. If you want to set up your firewall this way then make allow rules for the ports you want, and when you are absolutely sure it's set up properly delete the default allow any to any rule and the anti-lockout rule, but if you mess up you're going to have to do a factory reset to get back in.

The rules are processed from top to bottom on first match, that means that as soon as traffic matches a rule no other rules take effect, so keep that in mind when setting up your firewall. Also remember that the firewall rules are for traffic entering an interface, so the source address is always something connected to that interface and the destination address is always something on a different interface or the interface address itself. So on the LAN for example there is no difference between setting the source to LAN network or any, they will both do the same thing, and the destination has to be something on the internet or on a different network, or the LAN interface address on pfsense, but it can't be another LAN address.

These are my LAN rules as an example of a firewall which is set up to block everything and only allow specific ports, although devices on my lan are less restricted than devices on the other networks.


This isn't needed as it's already the default action. You only need to make block (or deny) rules if there is an allow rule below it which would match the traffic. If there's no rule that matches then the default action of the firewall is to block.

Floating rules are complicated, but I'm pretty sure they are processed first, so they would be matched before the LAN anti-lockout rule. I tried a while ago using more floating rules rather than having similar rules on multiple interfaces and they appear to be matched from bottom to top in some cases and top to bottom in others and sometimes before or after the regular interface rules. So I gave up. Now I only use floating rules for match only rules because it's much easier to understand what's going on with regular rules.
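
The first-match and default-block behaviour described in the posts above, as a simplified Python model (an added example, not part of the original thread and not pfSense code). The rule fields, the sample addresses and the `shadowed` check are assumptions made for illustration; floating rules are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    descr: str
    proto: Optional[str] = None  # None means any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means any destination port

def matches(rule, proto, src, dst, dport):
    return (rule.proto in (None, proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.dport in (None, dport))

def evaluate(rules, proto, src, dst, dport):
    """First match wins; traffic that matches no rule is blocked."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.descr
    return "block", "implicit default deny"

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return (a.proto in (None, b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dport in (None, b.dport))

def shadowed(rules):
    """Rules that can never take effect because an earlier rule covers them."""
    return [b.descr for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]

LAN = "192.168.1.0/24"  # constructed sample network
block_first = [Rule("block", "block HTTP", "tcp", LAN, dport=80),
               Rule("pass", "allow HTTP", "tcp", LAN, dport=80)]
allow_first = list(reversed(block_first))
allowlist = [Rule("pass", "allow DNS", "udp", LAN, dport=53),
             Rule("pass", "allow HTTPS", "tcp", LAN, dport=443)]
HTTP = ("tcp", "192.168.1.50", "203.0.113.10", 80)  # constructed packet

if __name__ == "__main__":
    for name, rs in [("block_first", block_first),
                     ("allow_first", allow_first), ("allowlist", allowlist)]:
        print(name, evaluate(rs, *HTTP), "shadowed:", shadowed(rs))
```

Running `shadowed` over a rule list before removing the default allow rule is a quick way to spot entries that an earlier rule makes dead.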


Forgive the newb clarification question, but now I'm totally confused. Are you saying that even after traffic matches a rule in the list, that the firewall continues to filter that rule down through the rest of the list to see if it matches?

For example: Say I create a rule that states: Block Any IP Outbound on port 80
Then I create a rule below that that states: Allow Outbound on port 80

It will still allow the traffic through because it matches the second rule in the stack?

No, it's the opposite, the rule that matches first takes effect and all other rules are ignored. So order is very important. In your example you'd want to have the allow rule on top of the block rule so that it would allow and block everything else. With the block rule on top then everything will be blocked including