Netgate Discussion Forum

    Since 25.11 no ICMP Rule works

    • sysadminfromhell

      Hello,
      Since the upgrade to 25.11 today, my monitoring software reports that it cannot ping stuff anymore.
      Before the update everything worked. No rule was changed.
      507a0731-7408-4bf0-b794-31e9bc54605c-image.png
      5b91c73d-b48a-4a33-99fc-7df3415c20a8-image.png

      Any idea why or how to fix this?
      PS: I tried with a separate rule to fix that, but it also didn't work:
      37fa8373-dfd7-4545-908e-7d5d69037c81-image.png

      Kind regards,

      • sysadminfromhell

        Sorry for the push, but I cannot monitor any of my services on an ICMP level.

        • Gertjan @sysadminfromhell

          @sysadminfromhell

          Can you show more details?
          You've hidden your interface names, so 'we' don't know if it's WAN, or LAN, or something else.
          What is in front of pfSense?
          You can packet capture on the WAN interface and see if pfSense actually receives incoming ICMP packets, as it can't answer with a 'reply' if it never receives the requests.
          Etc.

          Example : I SSH connect to my dedicated mail/web server, a Debian box, somewhere in a data center, and ping to my pfSense WAN IPv6 :

          e8fb4cc7-ea53-4746-bba5-45f4f70f19b2-image.png

          root@ns311465:~# ping6 2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a
          PING 2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a(2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a) 56 data bytes
          64 bytes from 2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a: icmp_seq=1 ttl=245 time=22.8 ms
          64 bytes from 2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a: icmp_seq=2 ttl=245 time=22.2 ms
          64 bytes from 2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a: icmp_seq=3 ttl=245 time=21.0 ms
          64 bytes from 2a01:cb19:XXXX:a600:92ec:77ff:fe29:392a: icmp_seq=4 ttl=245 time=21.0 ms
          ...
          

          ICMPv6 (IPv6 ping) receives a reply because I allowed ICMPv6 traffic on my pfSense WAN interface with this:

          a95b2ff9-48e7-4f8b-9951-2485cfd418e0-image.png

          Btw : I also had to take care of my upstream ISP router, as this one, by default, doesn't allow ICMP traffic to enter. I had to allow this = add a firewall rule on that router also.

          Anyway.
          From where to where ?
          What services ?

          No "help me" PM's please. Use the forum, the community will thank you.

          • sysadminfromhell @Gertjan

            @Gertjan Hey, thanks for the reply. I don't know which info you are missing, but all of it is visible above.
            The network is "VMNET", a different VLAN for the VMs (hypervisors).
            The packages are received as seen in the 1st screenshot but denied from the default deny rule for some reason.
            I try to ping, in this case, the network interfaces of the firewall. So VMNET (172.16.24.1) and LAN (192.168.178.1).
            So in my case it's the following:

            Interface  Proto  Port  Src           Dst
            VMNET      icmp   -     172.16.24.98  172.16.24.1
            VMNET      icmp   -     172.16.24.98  192.168.178.1

            Both should be allowed in the rule "Allow KUMA everything"; that's how it worked before the upgrade to 25.11.

            • Gertjan @sysadminfromhell

              @sysadminfromhell said in Since 25.11 no ICMP Rule works:

              The packages are received as seen in the 1st screenshot but denied from the default deny rule for some reason.

              Yeah, you're right - sorry :

              This :

              41d73700-d429-46e4-ba22-61e90641057d-image.png

              tells us that the default 'hidden' block all rule (the 10000000103 rule number) blocked the ICMPv4 packet.

              This means that this

              08ed70ad-c652-4869-84af-747f4d0dc48a-image.png

              didn't 'match', so handling continued up until the final "block all" was applied.

              My advice: instead of IPv6 + IPv6 'together' make a separate IPv4 and IPv6 rule.
              Get also rid of this 'special case' :
              c1507e11-d386-409a-a9e2-0b248f4d1c60-image.png
              as it might create a condition that wasn't met, so 'no match'.

              More general : cut the issue in small sub steps - or sub rules, and you'll find out what blocks for what reason.

              • sysadminfromhell @Gertjan

                @Gertjan I did what you suggested, but no change.
                45829e78-7f83-4b8f-8d98-afe976bb2af5-image.png

                6173b72e-07b3-46b3-b90f-ead0349043e7-image.png

                I really don't know why it does not work anymore...

                • SteveITS Rebel Alliance @sysadminfromhell

                  @sysadminfromhell just to check try a filter reload and look for errors.
                  https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#ruleset-failing-to-load

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                  Upvote 👍 helpful posts!

                  • sysadminfromhell @SteveITS

                    @SteveITS Sadly I did, there are no errors ... I may restart the firewall later and try again. Maybe something is off?

                    • tinfoilmatt LAYER 8

                      When you screencap your ruleset, try not to leave your cursor hovering over any other interface 'tab' so it's clear which interface's ruleset is being captured.

                      • stephenw10 Netgate Administrator

                        What was the advanced setting you had on that rule?

                        It pretty much has to be not loaded or not matching. And it looks like it must match.

                        Try running: pfctl -vvsr | grep -a3 kuma to see what's actually running.

                        • Uglybrian

                          Would this be related? The 2aee is the wifi subnet. 9dfa is an iPhone. This seems to happen randomly.
                          I will be looking into @4294967295 later today. I have never seen that in the log before.

                          2025-12-19_07-36.png

                          2025-12-19_07-43.png

                          • sysadminfromhell @stephenw10

                            @stephenw10 said in Since 25.11 no ICMP Rule works:

                            Try running: pfctl -vvsr | grep -a3 kuma to see what's actually running.

                            Here you go:

                            pfctl -vvsr | grep -a3 kuma
                            [ Source Nodes: 0 Limit: 0 NAT/RDR: 0 Route: 0 ]
                            [ Inserted: uid 0 pid 0 State Creations: 0 ]
                            [ Last Active Time: N/A ]
                            @985 pass in log quick on ixl1 inet from 172.16.24.98 to any flags S/SA keep state (if-bound) label "id=1755082217" label "tags=user_rule" label "descr=Allow kuma everything" ridentifier 1755082217
                            [ Evaluations: 71613 Packets: 19683 Bytes: 10902490 States: 16 ]
                            [ Source Nodes: 0 Limit: 0 NAT/RDR: 0 Route: 0 ]
                            [ Inserted: uid 0 pid 0 State Creations: 644 ]

                            The options were "old" and not really used anymore. Somehow we still had them, so we removed them now. It was the IP option and the any TCP flag option. As I said, this was working until the upgrade.

                            • tinfoilmatt LAYER 8 @sysadminfromhell

                              @sysadminfromhell Show your Floating ruleset.

                              • sysadminfromhell @tinfoilmatt

                                @tinfoilmatt the floating ruleset:

                                ####################################

                                Floating rules defined by the user

                                ####################################
                                match quick inet proto icmp from any to any ridentifier 1679838905 label "id=1679838905" label "tags=user_rule" label "descr=Bufferbloat Ping Solution ICMP"
                                match quick inet6 proto ipv6-icmp from any to any ridentifier 1679838905 label "id=1679838905" label "tags=user_rule" label "descr=Bufferbloat Ping Solution ICMP"
                                match quick inet proto { tcp udp } from any to any port 7 ridentifier 1683452703 label "id=1683452703" label "tags=user_rule" label "descr=Bufferbloat Ping Solution TCP/UDP"
                                match quick inet6 proto { tcp udp } from any to any port 7 ridentifier 1683452703 label "id=1683452703" label "tags=user_rule" label "descr=Bufferbloat Ping Solution TCP/UDP"
                                match out on { pppoe0 } inet proto tcp from any to any ridentifier 1756761745 flags A/A dnqueue( 1,7) label "id=1756761745" label "tags=user_rule" label "descr=qACK"
                                match out on { pppoe0 } inet6 proto tcp from any to any ridentifier 1756761745 flags A/A dnqueue( 1,7) label "id=1756761745" label "tags=user_rule" label "descr=qACK"
                                match in on { pppoe0 } inet proto tcp from any to any ridentifier 1756761784 flags A/A dnqueue( 7,1) label "id=1756761784" label "tags=user_rule" label "descr=qACK INCOMMING"
                                match in on { pppoe0 } inet6 proto tcp from any to any ridentifier 1756761784 flags A/A dnqueue( 7,1) label "id=1756761784" label "tags=user_rule" label "descr=qACK INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any port $MSTeams ridentifier 1702552225 dnqueue( 2,8) label "id=1702552225" label "tags=user_rule" label "descr=Priorize MSTeanms qVOIP Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any port $MSTeams ridentifier 1702552225 dnqueue( 2,8) label "id=1702552225" label "tags=user_rule" label "descr=Priorize MSTeanms qVOIP Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any port $MSTeams ridentifier 1756761028 dnqueue( 8,2) label "id=1756761028" label "tags=user_rule" label "descr=Priorize MSTeanms qVOIP INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any port $MSTeams ridentifier 1756761028 dnqueue( 8,2) label "id=1756761028" label "tags=user_rule" label "descr=Priorize MSTeanms qVOIP INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos 0x04 ridentifier 1716901067 dnqueue( 2,8) label "id=1716901067" label "tags=user_rule" label "descr=DiffServe TOS 0x04 (lowdelay) Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos 0x04 ridentifier 1716901067 dnqueue( 2,8) label "id=1716901067" label "tags=user_rule" label "descr=DiffServe TOS 0x04 (lowdelay) Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos 0x04 ridentifier 1756760777 dnqueue( 8,2) label "id=1756760777" label "tags=user_rule" label "descr=DiffServe TOS 0x04 (lowdelay) INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos 0x04 ridentifier 1756760777 dnqueue( 8,2) label "id=1756760777" label "tags=user_rule" label "descr=DiffServe TOS 0x04 (lowdelay) INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos 0x02 ridentifier 1716901115 dnqueue( 2,8) label "id=1716901115" label "tags=user_rule" label "descr=DiffServe TOS 0x02 (throughput) Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos 0x02 ridentifier 1716901115 dnqueue( 2,8) label "id=1716901115" label "tags=user_rule" label "descr=DiffServe TOS 0x02 (throughput) Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos 0x02 ridentifier 1756760815 dnqueue( 8,2) label "id=1756760815" label "tags=user_rule" label "descr=DiffServe TOS 0x02 (throughput) INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos 0x02 ridentifier 1756760815 dnqueue( 8,2) label "id=1756760815" label "tags=user_rule" label "descr=DiffServe TOS 0x02 (throughput) INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos 0x01 ridentifier 1716901129 dnqueue( 2,8) label "id=1716901129" label "tags=user_rule" label "descr=DiffServe TOS 0x01 (reliability) Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos 0x01 ridentifier 1716901129 dnqueue( 2,8) label "id=1716901129" label "tags=user_rule" label "descr=DiffServe TOS 0x01 (reliability) Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos 0x01 ridentifier 1756760924 dnqueue( 8,2) label "id=1756760924" label "tags=user_rule" label "descr=DiffServe TOS 0x01 (reliability) INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos 0x01 ridentifier 1756760924 dnqueue( 8,2) label "id=1756760924" label "tags=user_rule" label "descr=DiffServe TOS 0x01 (reliability) INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos EF ridentifier 1716900070 dnqueue( 2,8) label "id=1716900070" label "tags=user_rule" label "descr=DiffServe EF Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos EF ridentifier 1716900070 dnqueue( 2,8) label "id=1716900070" label "tags=user_rule" label "descr=DiffServe EF Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos EF ridentifier 1756760997 dnqueue( 8,2) label "id=1756760997" label "tags=user_rule" label "descr=DiffServe EF INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos EF ridentifier 1756760997 dnqueue( 8,2) label "id=1756760997" label "tags=user_rule" label "descr=DiffServe EF INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos af21 ridentifier 1756807341 dnqueue( 2,8) label "id=1756807341" label "tags=user_rule" label "descr=DiffServe AF21 Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos af21 ridentifier 1756807341 dnqueue( 2,8) label "id=1756807341" label "tags=user_rule" label "descr=DiffServe AF21 Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos af21 ridentifier 1756807354 dnqueue( 8,2) label "id=1756807354" label "tags=user_rule" label "descr=DiffServe AF21 INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos af21 ridentifier 1756807354 dnqueue( 8,2) label "id=1756807354" label "tags=user_rule" label "descr=DiffServe AF21 INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos af31 ridentifier 1716900289 dnqueue( 2,8) label "id=1716900289" label "tags=user_rule" label "descr=DiffServe AF31 Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos af31 ridentifier 1716900289 dnqueue( 2,8) label "id=1716900289" label "tags=user_rule" label "descr=DiffServe AF31 Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos af31 ridentifier 1756761168 dnqueue( 8,2) label "id=1756761168" label "tags=user_rule" label "descr=DiffServe AF31 INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos af31 ridentifier 1756761168 dnqueue( 8,2) label "id=1756761168" label "tags=user_rule" label "descr=DiffServe AF31 INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos af41 ridentifier 1756807307 dnqueue( 2,8) label "id=1756807307" label "tags=user_rule" label "descr=DiffServe AF41 Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos af41 ridentifier 1756807307 dnqueue( 2,8) label "id=1756807307" label "tags=user_rule" label "descr=DiffServe AF41 Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos af41 ridentifier 1756807321 dnqueue( 8,2) label "id=1756807321" label "tags=user_rule" label "descr=DiffServe AF41 INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos af41 ridentifier 1756807321 dnqueue( 8,2) label "id=1756807321" label "tags=user_rule" label "descr=DiffServe AF41 INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos cs5 ridentifier 1756792676 dnqueue( 2,8) label "id=1756792676" label "tags=user_rule" label "descr=DiffServe CS5 Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos cs5 ridentifier 1756792676 dnqueue( 2,8) label "id=1756792676" label "tags=user_rule" label "descr=DiffServe CS5 Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos cs5 ridentifier 1756792702 dnqueue( 8,2) label "id=1756792702" label "tags=user_rule" label "descr=DiffServe CS5 INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos cs5 ridentifier 1756792702 dnqueue( 8,2) label "id=1756792702" label "tags=user_rule" label "descr=DiffServe CS5 INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any tos cs7 ridentifier 1756807179 dnqueue( 2,8) label "id=1756807179" label "tags=user_rule" label "descr=DiffServe CS7 Outgoing"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any tos cs7 ridentifier 1756807179 dnqueue( 2,8) label "id=1756807179" label "tags=user_rule" label "descr=DiffServe CS7 Outgoing"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any tos cs7 ridentifier 1756807199 dnqueue( 8,2) label "id=1756807199" label "tags=user_rule" label "descr=DiffServe CS7 INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any tos cs7 ridentifier 1756807199 dnqueue( 8,2) label "id=1756807199" label "tags=user_rule" label "descr=DiffServe CS7 INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any port $Teamspeak3 ridentifier 1702552121 dnqueue( 2,8) label "id=1702552121" label "tags=user_rule" label "descr=m_Other TeamSpeak-3 outbound"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any port $Teamspeak3 ridentifier 1702552121 dnqueue( 2,8) label "id=1702552121" label "tags=user_rule" label "descr=m_Other TeamSpeak-3 outbound"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any port $Teamspeak3 ridentifier 1756761611 dnqueue( 8,2) label "id=1756761611" label "tags=user_rule" label "descr=m_Other TeamSpeak-3 INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any port $Teamspeak3 ridentifier 1756761611 dnqueue( 8,2) label "id=1756761611" label "tags=user_rule" label "descr=m_Other TeamSpeak-3 INCOMMING"
                                match out on { pppoe0 } inet proto tcp from any to any port 6462 >< 6473 ridentifier 1756807838 flags S/SA dnqueue( 2,8) label "id=1756807838" label "tags=user_rule" label "descr=Priorize Discord qVOIP Outgoing"
                                match out on { pppoe0 } inet6 proto tcp from any to any port 6462 >< 6473 ridentifier 1756807838 flags S/SA dnqueue( 2,8) label "id=1756807838" label "tags=user_rule" label "descr=Priorize Discord qVOIP Outgoing"
                                match in on { pppoe0 } inet proto tcp from any to any port 6462 >< 6473 ridentifier 1756807863 flags S/SA dnqueue( 8,2) label "id=1756807863" label "tags=user_rule" label "descr=Priorize Discord qVOIP Incomming"
                                match in on { pppoe0 } inet6 proto tcp from any to any port 6462 >< 6473 ridentifier 1756807863 flags S/SA dnqueue( 8,2) label "id=1756807863" label "tags=user_rule" label "descr=Priorize Discord qVOIP Incomming"
                                match out on { pppoe0 } inet proto udp from any to any port >= 50000 ridentifier 1756807762 dnqueue( 2,8) label "id=1756807762" label "tags=user_rule" label "descr=Priorize Discord qVOIP Outgoing"
                                match out on { pppoe0 } inet6 proto udp from any to any port >= 50000 ridentifier 1756807762 dnqueue( 2,8) label "id=1756807762" label "tags=user_rule" label "descr=Priorize Discord qVOIP Outgoing"
                                match in on { pppoe0 } inet proto udp from any to any port >= 50000 ridentifier 1756807794 dnqueue( 8,2) label "id=1756807794" label "tags=user_rule" label "descr=Priorize Discord qVOIP Incomming"
                                match in on { pppoe0 } inet6 proto udp from any to any port >= 50000 ridentifier 1756807794 dnqueue( 8,2) label "id=1756807794" label "tags=user_rule" label "descr=Priorize Discord qVOIP Incomming"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any port $Gaming_Ports ridentifier 1702552087 dnqueue( 3,9) label "id=1702552087" label "tags=user_rule" label "descr=m_Game outbound"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any port $Gaming_Ports ridentifier 1702552087 dnqueue( 3,9) label "id=1702552087" label "tags=user_rule" label "descr=m_Game outbound"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any port $Gaming_Ports ridentifier 1756761826 dnqueue( 9,3) label "id=1756761826" label "tags=user_rule" label "descr=m_Game INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any port $Gaming_Ports ridentifier 1756761826 dnqueue( 9,3) label "id=1756761826" label "tags=user_rule" label "descr=m_Game INCOMMING"
                                match out on { pppoe0 } inet proto { tcp udp } from any to any port 53 ridentifier 1702552137 dnqueue( 4,10) label "id=1702552137" label "tags=user_rule" label "descr=m_Other DNS outbound"
                                match out on { pppoe0 } inet6 proto { tcp udp } from any to any port 53 ridentifier 1702552137 dnqueue( 4,10) label "id=1702552137" label "tags=user_rule" label "descr=m_Other DNS outbound"
                                match in on { pppoe0 } inet proto { tcp udp } from any to any port 53 ridentifier 1756762514 dnqueue( 10,4) label "id=1756762514" label "tags=user_rule" label "descr=m_Other DNS INCOMMING"
                                match in on { pppoe0 } inet6 proto { tcp udp } from any to any port 53 ridentifier 1756762514 dnqueue( 10,4) label "id=1756762514" label "tags=user_rule" label "descr=m_Other DNS INCOMMING"
                                match out on { pppoe0 } inet proto tcp from any to any port 80 ridentifier 1702552128 flags any dnqueue( 4,10) label "id=1702552128" label "tags=user_rule" label "descr=m_Other HTTP outbound"
                                match out on { pppoe0 } inet6 proto tcp from any to any port 80 ridentifier 1702552128 flags any dnqueue( 4,10) label "id=1702552128" label "tags=user_rule" label "descr=m_Other HTTP outbound"
                                match in on { pppoe0 } inet proto tcp from any to any port 80 ridentifier 1756762281 flags any dnqueue( 10,4) label "id=1756762281" label "tags=user_rule" label "descr=m_Other HTTP INCOMMING"
                                match in on { pppoe0 } inet6 proto tcp from any to any port 80 ridentifier 1756762281 flags any dnqueue( 10,4) label "id=1756762281" label "tags=user_rule" label "descr=m_Other HTTP INCOMMING"
                                match out on { pppoe0 } inet proto tcp from any to any port 443 ridentifier 1702552129 flags any dnqueue( 4,10) label "id=1702552129" label "tags=user_rule" label "descr=m_Other HTTPS outbound"
                                match out on { pppoe0 } inet6 proto tcp from any to any port 443 ridentifier 1702552129 flags any dnqueue( 4,10) label "id=1702552129" label "tags=user_rule" label "descr=m_Other HTTPS outbound"
                                match in on { pppoe0 } inet proto tcp from any to any port 443 ridentifier 1756762317 flags any dnqueue( 10,4) label "id=1756762317" label "tags=user_rule" label "descr=m_Other HTTPS INCOMMING"
                                match in on { pppoe0 } inet6 proto tcp from any to any port 443 ridentifier 1756762317 flags any dnqueue( 10,4) label "id=1756762317" label "tags=user_rule" label "descr=m_Other HTTPS INCOMMING"
                                match out on { pppoe0 } inet proto tcp from any to any port 6880 >< 7000 ridentifier 1702552130 flags S/SA dnqueue( 6,12) label "id=1702552130" label "tags=user_rule" label "descr=m_Other Battle.NET-Downloader outbound"
                                match out on { pppoe0 } inet6 proto tcp from any to any port 6880 >< 7000 ridentifier 1702552130 flags S/SA dnqueue( 6,12) label "id=1702552130" label "tags=user_rule" label "descr=m_Other Battle.NET-Downloader outbound"
                                match in on { pppoe0 } inet proto tcp from any to any port 6880 >< 7000 ridentifier 1756762431 flags S/SA dnqueue( 12,6) label "id=1756762431" label "tags=user_rule" label "descr=m_Other Battle.NET-Downloader INCOMMING"
                                match in on { pppoe0 } inet6 proto tcp from any to any port 6880 >< 7000 ridentifier 1756762431 flags S/SA dnqueue( 12,6) label "id=1756762431" label "tags=user_rule" label "descr=m_Other Battle.NET-Downloader INCOMMING"
                                match out on { pppoe0 } inet from any to any ridentifier 1702552963 dnqueue( 5,11) label "id=1702552963" label "tags=user_rule" label "descr=WAN qDefault Outgoing"
                                match out on { pppoe0 } inet6 from any to any ridentifier 1702552963 dnqueue( 5,11) label "id=1702552963" label "tags=user_rule" label "descr=WAN qDefault Outgoing"
                                match in on { pppoe0 } inet from any to any ridentifier 1702552985 dnqueue( 11,5) label "id=1702552985" label "tags=user_rule" label "descr=WAN qDefault Incomming"
                                match in on { pppoe0 } inet6 from any to any ridentifier 1702552985 dnqueue( 11,5) label "id=1702552985" label "tags=user_rule" label "descr=WAN qDefault Incomming"

                                • tinfoilmatt LAYER 8 @sysadminfromhell

                                  @sysadminfromhell I stopped reading at the "Bufferbloat Ping Solution" stuff.

                                  • jimp Rebel Alliance Developer Netgate

                                    The behavior of match action floating rules with quick set changed in 25.11, and may be the source of your problems:

                                    https://redmine.pfsense.org/issues/16475

                                    The quick part was effectively ignored in the past, now it isn't.

                                    Now it hits those match rules and then stops processing so it never gets to a pass rule.

                                    Take quick off of those floating match rules and they will likely start working as you expect.

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!
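
Added example, not part of jimp's post and not Netgate code: a shell audit that lists floating match rules still carrying quick, so they can be reviewed after an upgrade to 25.11. The function names list_match_quick and match_quick_for are hypothetical, the sample input is constructed from rules posted in this thread, and the parsing assumes rule text in the format shown here.

```shell
#!/bin/sh
# Added example: find "match ... quick" rules in a pf ruleset dump read from stdin.

# Constructed sample: five rules copied from the rulesets posted in the thread.
sample_rules() {
cat <<'EOF'
match quick inet proto icmp from any to any ridentifier 1679838905 label "id=1679838905" label "tags=user_rule" label "descr=Bufferbloat Ping Solution ICMP"
match quick inet6 proto ipv6-icmp from any to any ridentifier 1679838905 label "id=1679838905" label "tags=user_rule" label "descr=Bufferbloat Ping Solution ICMP"
match quick inet proto { tcp udp } from any to any port 7 ridentifier 1683452703 label "id=1683452703" label "tags=user_rule" label "descr=Bufferbloat Ping Solution TCP/UDP"
match out on { pppoe0 } inet proto tcp from any to any ridentifier 1756761745 flags A/A dnqueue( 1,7) label "id=1756761745" label "tags=user_rule" label "descr=qACK"
pass in log quick on ixl1 inet from 172.16.24.98 to any flags S/SA keep state (if-bound) label "id=1755082217" label "tags=user_rule" label "descr=Allow kuma everything" ridentifier 1755082217
EOF
}

# list_match_quick: one tab-separated line per match rule that has quick set:
#   ridentifier  family  proto  descr
list_match_quick() {
    awk '
    {
        line = $0
        descr = "-"
        # Take the description first, then drop all quoted labels so the
        # word quick inside a description is never counted as the keyword.
        if (match(line, /"descr=[^"]*"/))
            descr = substr(line, RSTART + 7, RLENGTH - 8)
        gsub(/"[^"]*"/, "", line)
        gsub(/[{}]/, " & ", line)      # make braces stand-alone tokens
        gsub(/,/, " ", line)           # accept comma-separated lists too
        n = split(line, t)
        if (t[1] != "match") next      # quick on pass/block rules is normal
        quick = 0; af = "any"; proto = "any"; rid = "-"
        for (i = 2; i <= n; i++) {
            if (t[i] == "quick") quick = 1
            else if (t[i] == "inet" || t[i] == "inet6") af = t[i]
            else if (t[i] == "ridentifier") rid = t[i + 1]
            else if (t[i] == "proto") {
                if (t[i + 1] == "{") {
                    proto = ""
                    for (j = i + 2; j <= n && t[j] != "}"; j++)
                        proto = (proto == "" ? "" : proto ",") t[j]
                } else proto = t[i + 1]
            }
        }
        if (quick) printf "%s\t%s\t%s\t%s\n", rid, af, proto, descr
    }'
}

# match_quick_for FAMILY PROTO: descriptions of match-quick rules whose address
# family and protocol cover the given traffic. Ports, interfaces and direction
# are ignored, so the output is a list of candidates to review, not a verdict.
match_quick_for() {
    list_match_quick | awk -F '\t' -v af="$1" -v proto="$2" '
        ($2 == af || $2 == "any") &&
        ($3 == "any" || index("," $3 ",", "," proto ",") > 0) { print $4 }'
}

# Demo on the constructed sample: which match-quick rules cover IPv4 ICMP?
sample_rules | match_quick_for inet icmp
```

On a firewall, pipe the ruleset text into list_match_quick in place of sample_rules; each listed rule is one to edit in the GUI so that quick is no longer set on it.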

                                    • stephenw10 Netgate Administrator

                                      @sysadminfromhell said in Since 25.11 no ICMP Rule works:

                                      match quick inet proto icmp from any to any ridentifier 1679838905 label "id=1679838905" label "tags=user_rule" label "descr=Bufferbloat Ping Solution ICMP"
                                      match quick inet6 proto ipv6-icmp from any to any ridentifier 1679838905 label "id=1679838905" label "tags=user_rule" label "descr=Bufferbloat Ping Solution ICMP"
                                      match quick inet proto { tcp udp } from any to any port 7 ridentifier 1683452703 label "id=1683452703" label "tags=user_rule" label "descr=Bufferbloat Ping Solution TCP/UDP"
                                      match quick inet6 proto { tcp udp } from any to any port 7 ridentifier 1683452703 label "id=1683452703" label "tags=user_rule" label "descr=Bufferbloat Ping Solution TCP/UDP"

                                      Yup, that. match quick is almost certainly the problem there.

                                      • sysadminfromhell @stephenw10

                                        @stephenw10 Yep that fixed it

                                        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.