Windows 11 / 6100 PfSense continues to be hacked and can't stop it

I can’t eliminate the script or whatever continues to run and escalate privileges after reformatting and starting a clean version of Windows. I found an RDP log prior to formatting and noticed several interfaces inside my pfSense firewall that didn’t show up in the pfSense GUI ARP table or interface listings. Static IP addresses are being used under the following subnets: 172.24.224.0/24, 172.22.32.1/24, 172.28.80.1/24, 10.5.0.2. My networks were 192.168.220.0/24, 192.168.150.0/24. The common static IP addresses appearing under each interface are 239.255.250.250 & 239.255.255.250.

Why can’t I see these interfaces inside pfSense, and why are these IP addresses able to hide from the firewall’s diagnostic tools? Any help would be greatly appreciated.

Don’t open up RDP to the public internet. Addresses starting with a number between 224 and 239 are used for IP multicast, and the 172.X and 10.X addresses are RFC1918 private addresses. If these addresses are not defined in pfSense, they don’t route through pfSense, but they may show up in the ARP list if some device on the network is using them.
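To put the classification in the reply above into a repeatable check, here is an added example (not from the thread or from pfSense) that sorts the addresses quoted in the original post into multicast, RFC1918 private, or public, and flags which ones fall outside the poster's own 192.168.220.0/24 and 192.168.150.0/24 networks. The 8.8.8.8 entry is a constructed public address included only for contrast; the RFC1918 and multicast ranges are the standard ones.

```python
import ipaddress

# Addresses quoted in the original post (hosts taken from the listed subnets),
# the DNSBL default VIP mentioned later in the thread, and one constructed
# public address so that every category appears in the output.
THREAD_ADDRESSES = [
    "239.255.250.250", "239.255.255.250",            # the "common" addresses
    "172.24.224.1", "172.22.32.1", "172.28.80.1",    # hosts in the odd subnets
    "10.5.0.2",
    "192.168.220.1", "192.168.150.1",                # the poster's own LANs
    "10.10.10.1",                                    # pfBlockerNG DNSBL default VIP
    "8.8.8.8",                                       # constructed: public, for contrast
]

# The poster's own networks, as given in the first post.
KNOWN_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.220.0/24", "192.168.150.0/24")]

# RFC1918 ranges checked explicitly; ipaddress's is_private also covers
# documentation and reserved blocks, which would muddy the result.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")      # 224.0.0.0 - 239.255.255.255
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP/SSDP discovery group


def classify(addr: str) -> str:
    """Return 'multicast', 'rfc1918-private', 'link-local', 'loopback' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in MULTICAST:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    return "public"


def in_known_subnets(addr: str) -> bool:
    """True when the address belongs to one of the poster's declared LANs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in KNOWN_SUBNETS)


def audit(addresses):
    """Map each address to (category, on_known_lan, note) for review."""
    report = {}
    for addr in addresses:
        category = in_known_subnets(addr)
        note = ""
        if ipaddress.ip_address(addr) == SSDP_GROUP:
            note = "SSDP/UPnP multicast group; a destination, never a host"
        elif classify(addr) == "multicast":
            note = "multicast group address; a destination, never a host"
        elif classify(addr) == "rfc1918-private" and not category:
            note = "private address outside the declared LANs; find the device using it"
        report[addr] = (classify(addr), category, note)
    return report


if __name__ == "__main__":
    for addr, (cat, known, note) in audit(THREAD_ADDRESSES).items():
        print(f"{addr:<16} {cat:<16} known_lan={known!s:<5} {note}")
```

Multicast addresses are group destinations, so they never belong to an interface and will not appear as hosts in an ARP table; a private address outside the declared LANs is worth tracing to the device that carries it (a VPN client, a container bridge, or a service such as DNSBL that allocates its own VIP).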

It is possible that the DNSBL (DNS Blackhole List) is configuring an internal IP address in the 10.x.y.z range. The default address is [ 10.10.10.1 ]. Check the settings under /pfblockerng/pfblockerng_dnsbl.php
Are you sure that your installation media is not compromised (check digest)?
Are you restoring a backup configuration or building new from scratch?

Thanks for your quick response and my apologies for my delayed response.

How do I make certain RDP is closed to the public internet and eliminate the IP multicast?

RDP is closed by default unless you open it.

I noticed I have a rule set that states “let out anything IPv4 from firewall host itself” and “let out anything from firewall host itself”. Both are showing quite a bit of activity. They’re listed as rules 56 & 57. How do I find those particular rules and modify them?

Appreciate your help!!

Send a screenshot of what you’re talking about? By default, the LAN interface will allow everything, but incoming traffic coming into WAN will be blocked.

@David

As far as I know everything on LAN is blocked unless you open it up… or a default * * LAN allow-all rule will do that.

@mgweber25 that is definitely not a default rule, so you must have added it?

Also, if you need outside RDP access to your internal LAN (RDP or something), I think Tailscale should do the trick with a WireGuard tunnel. No need to open up ports for that.

It’s a default. See my screenshot below for the “Default allow LAN to any rule” for both IPv4 and IPv6. There is no need to create an allow-all rule when it exists on a fresh install. I start to add rules and eventually get rid of the default rule.

As rule 56 and 57? How many rules do you have? Are you opening things up?

Yeah, like I mentioned, of course the standard default allow-all LAN rule is there… But it’s not very security-sensible to keep that there if you want to have your system locked down.
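The last few posts turn on two things the thread asks a reader to verify by eye from screenshots: whether the default “allow LAN to any” rule is still present, and whether anything on WAN passes RDP (3389) in from arbitrary sources. Here is an added example (not from the thread or from the pfSense project) that reads a pfSense config.xml backup and flags both. The `<filter>` excerpt is constructed for the example; it follows the element names pfSense uses in its backup format (`<rule>`, `<type>`, `<interface>`, `<source>`, `<destination>`, `<any/>`, `<port>`, `<descr>`), but the rules in it are invented and the interface name set `WAN_IFACES` is an assumption you should adjust to your own setup.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a pfSense config.xml <filter> section.
# Element names follow pfSense's backup format; the rules themselves are made up.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>lan</network><port>3389</port></destination>
      <descr><![CDATA[constructed: RDP from anywhere]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any/><port>443</port></destination>
      <descr><![CDATA[constructed: LAN to HTTPS]]></descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr><![CDATA[constructed: explicit WAN block]]></descr>
    </rule>
  </filter>
</pfsense>"""

# Assumption: the WAN-facing interface(s) are named "wan" in this config.
WAN_IFACES = {"wan"}


def _is_any(node) -> bool:
    """True when a <source>/<destination> element carries no host/network restriction."""
    return node is None or node.find("any") is not None


def _port(node):
    """Destination port text, or None when the rule matches all ports."""
    return None if node is None else node.findtext("port")


def audit_rules(config_xml: str):
    """Return [(description, finding)] for pass rules worth a second look."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass":
            continue                      # block/reject rules are not the concern here
        if rule.find("disabled") is not None:
            continue                      # pfSense marks disabled rules with <disabled/>
        iface = (rule.findtext("interface") or "").lower()
        descr = rule.findtext("descr") or "(no description)"
        src, dst = rule.find("source"), rule.find("destination")
        port = _port(dst)
        if iface in WAN_IFACES and _is_any(src):
            if port == "3389":
                findings.append((descr, "RDP (3389) reachable from the public internet"))
            elif port is None:
                findings.append((descr, "WAN allow-all pass rule"))
            else:
                findings.append((descr, f"port {port} open to the internet from any source"))
        elif iface not in WAN_IFACES and _is_any(src) and _is_any(dst) and port is None:
            findings.append((descr, "allow-all rule on an internal interface "
                                    "(pfSense's default LAN rule); replace with specific rules"))
    return findings


if __name__ == "__main__":
    for descr, finding in audit_rules(SAMPLE_CONFIG):
        print(f"{finding:<70} <- {descr}")
```

Point it at a backup taken from Diagnostics > Backup & Restore rather than at a screenshot; a rule that is disabled, or whose source is restricted to a named network or alias, is deliberately left out of the findings so the output is only the rules that actually pass traffic broadly.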

Could you please post screenshots of WAN and LAN firewall configuration so that we can help you?

Thanks.
