Firewall Rules Updated
After putting up with near-daily reports of outages for websites, like this one, that I know are still running, I thought I'd check on my configuration.
It turned out that my months-old list of IPs for my network monitor, UptimeRobot.com, had gone out of date. This seems to have rightly caused failures, as I don't allow direct access to the HTTP/S servers except from the addresses in the lists on my firewall for this monitor, my CDN (Cloudflare.com), and my own subnet. Everyone else seeking access to the web servers has to go through the CDN.
UptimeRobot's list of IPs is inconveniently long, so I spent a little time figuring out the router's ability to accept a whole list of IPs at once. There is an import function, undoubtedly how I got the list in there originally, but it doesn't seem to allow re-importing to update the firewall rules. Even better, though, I can give it a URL from which it fetches a text list of individual IPs or CIDR ranges, and carry on with its day. Even better than that, it will automatically refresh on a schedule, which I chose to be daily; the lists undoubtedly come from a CDN, and they're small enough that the traffic is unlikely to be a problem.
It worked right out of the box.
I took a few moments longer to have the CDN IPs imported the same way. I did have to break the IPv4 and IPv6 lists into separate lists, but that's a small price to pay. Plus it allowed me to clean up the firewall rule for the IPv6 tunnel, so it now only contains IPv6 addresses (and not a bunch of ignored lines).
It'll take a little time to see if this fixes the problem of intermittent false failures going forward. I did check the event log for the last failure: the monitor's server IP was not in the firewall rule, but it is in the list fetched from the refreshing URL, so I'm confident that as long as the IP list refreshes on my router before a server attempts access, all will be swell. If they update their list and a server attempts access before my router refreshes, there will again be a false failure, but I expect that to be a less frequent failure. I don't expect them to publish a new IP a full day before their server starts using it, but I imagine they'll publish it some time before they allow it to make attempts, so it's on my router to be timely.
For future reference, in the pfSense Firewall Alias tool, choose the URL tab and use the URL Table (IPs) type. Each such alias allows only one URL, and the shortest refresh interval is daily (and the longest is 128 days), because the frequency field reuses the same 1-128 values as the subnet mask editor. We've all taken shortcuts, right? Because of the one URL per alias, multiple firewall rules need to be made to support all the URL aliases. My split of IPv6 and IPv4 was both to give the IPv6 network a dedicated list and to let me use the alias for my CDN, as they don't offer a combined list (that I could quickly find).
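As an added example (not part of the original post, and not pfSense's own code), the script below does offline what the workflow above relies on: it parses a fetched URL Table list in the format pfSense accepts (one IP or CIDR per line, with comments and blank lines ignored), splits it into the separate IPv4 and IPv6 files needed for two aliases, checks whether a given address from the event log is covered, and reports which entries in a freshly fetched list were missing from a stale one. The sample list is constructed for the demo using documentation address ranges, not any real monitor or CDN addresses.

```python
import ipaddress

# Constructed sample of a published IP list in URL Table format.
# The addresses are RFC 5737 / RFC 3849 documentation ranges, chosen for the
# demo; they are not real monitor or CDN IPs.
SAMPLE_LIST = """\
# example list (constructed for this demo)
192.0.2.10
198.51.100.0/24

2001:db8:1::/48
2001:db8:2::7
not-an-address
"""


def parse_url_table(text):
    """Parse a URL Table list into (ipv4_nets, ipv6_nets, rejected).

    Comments (#...) and blank lines are skipped, as pfSense skips them.
    Bare hosts become /32 or /128 networks; host bits in a CIDR are masked off
    (strict=False) so that '198.51.100.5/24' still yields the /24.
    """
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)  # never silently drop a malformed entry
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, rejected


def render_list(nets):
    """Serialize networks back into a per-family list file for one alias."""
    return "".join(f"{n}\n" for n in nets)


def is_allowed(ip, nets):
    """True if `ip` (a string) falls inside any network of the same family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def not_covered(old_nets, new_nets):
    """Entries in the fresh list that no entry in the stale list covers.

    This is the check for the failure in the event log: an address the monitor
    now uses that the old static alias never contained.
    """
    return [
        n for n in new_nets
        if not any(n.version == o.version and n.subnet_of(o) for o in old_nets)
    ]


if __name__ == "__main__":
    v4, v6, rejected = parse_url_table(SAMPLE_LIST)
    # Write the two files a pair of URL Table (IPs) aliases would fetch.
    with open("monitor-v4.txt", "w") as f:
        f.write(render_list(v4))
    with open("monitor-v6.txt", "w") as f:
        f.write(render_list(v6))
    print("rejected entries:", rejected)
    print("198.51.100.77 allowed:", is_allowed("198.51.100.77", v4))
    stale_v4 = parse_url_table("198.51.100.0/24\n")[0]
    print("missing from stale alias:", [str(n) for n in not_covered(stale_v4, v4)])
```

Point one URL Table (IPs) alias at the IPv4 file and a second at the IPv6 file, then reference each alias from its own firewall rule. Running `not_covered` against yesterday's copy of the list is a quick way to confirm that a logged block came from list drift rather than from something else.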