pfSense Insights

This post will be updated as I find interesting tidbits while working with my pfSense. Usually this means getting something in the house to work as expected without opening up the firewall to everything.

Amazon Shopping App

UPDATE: The solution listed below no longer works.

The Amazon Shopping App on Android calls out to some Amazon ad services that, when blocked, leave the app unusable. The pfBlockerNG DNSBL log showed the rejected hosts:

DNSBL Reject HTTPS,Jan 06 10:30:52,s.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:30:52,mads.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:00,s.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:00,mads.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:01,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:01,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:01,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:02,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:03,s.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:03,mads.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:03,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:03,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:03,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:04,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:58,www.googleadservices.com
DNSBL Reject HTTPS,Jan 06 10:32:00,s.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com

To work around this, you have to turn off personalized ads on a per-browser basis. To do this in the app, go to the menu --> Your Account --> Advertising Preferences (third from bottom) --> select the appropriate option.

UPDATE: This no longer seems to work.
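
To find which blocked host is actually breaking an app, it helps to summarize the DNSBL log by host, by parent domain and by time window rather than reading it line by line. The script below is an added example, not code from the original post or from pfBlockerNG; it assumes the three-field comma-separated format shown above (action, "Mon DD HH:MM:SS" timestamp, hostname), and the sample lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the pfBlockerNG DNSBL format shown above (assumed field order).
SAMPLE_LOG = """\
DNSBL Reject HTTPS,Jan 06 10:30:52,s.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:30:52,mads.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:01,aax-us-east.amazon-adsystem.com
DNSBL Reject HTTPS,Jan 06 10:31:58,www.googleadservices.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
DNSBL Reject HTTPS,Jan 06 10:32:15,device-metrics-us-2.amazon.com
this line is not a log entry and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<action>DNSBL [^,]+),"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}),"
    r"(?P<domain>[^,\s]+)$"
)

@dataclass(frozen=True)
class Reject:
    action: str
    ts: str      # "Mon DD HH:MM:SS" as logged; the log carries no year
    domain: str

def parse_dnsbl(text):
    """Parse DNSBL reject lines; anything that does not match the format is ignored."""
    return [Reject(**m.groupdict())
            for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def parent_domain(fqdn):
    """Collapse a hostname to its last two labels (fine for .com hosts; not a public-suffix list)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def summarize(records, start=None, end=None):
    """Count rejects per host and per parent domain, optionally only within an HH:MM:SS window.
    Narrowing the window to when the app misbehaved shortens the list of whitelist candidates."""
    by_host, by_parent = Counter(), Counter()
    for r in records:
        hhmmss = r.ts[-8:]          # zero-padded, so plain string comparison orders correctly
        if start and hhmmss < start:
            continue
        if end and hhmmss > end:
            continue
        by_host[r.domain] += 1
        by_parent[parent_domain(r.domain)] += 1
    return by_host, by_parent

if __name__ == "__main__":
    hosts, parents = summarize(parse_dnsbl(SAMPLE_LOG))
    for name, n in hosts.most_common():
        print(f"{n:3d}  {name}  ({parent_domain(name)})")
```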

Google Messages App

Recently got a new Google Pixel 3 XL, but the Messenger app had some issues. It implements RCS (think iMessage), which also allows web access to your messages. With my firewall configuration, this did not work out of the box.

1) I had to enable IPv6. Not a huge issue there.

2) RCS appears to communicate with 64.9.241.175 on port 5061, so this rule had to be created.

3) To use the GIF functionality in Messenger, the app checks internet connectivity on port 53 to Google's DNS (8.8.8.8). Even though I was connected to the internet, since I blocked this traffic the app continually said I was offline. With a pass rule for this traffic, everything works fine.

Nest

To get my Nest working I had to do some deep diving in the firewall logs to find what my issue was.

The Nest pairing process worked fine and the thermostat itself showed as connected. However, the web dashboard and phone app both showed the device as offline, which prevented me from doing any configuration away from the thermostat itself.

Turns out that the Nest needs to communicate on port 9543. Adding an allow rule for that destination port from the thermostat almost immediately made the device show as online in the app. Now I just need to narrow down the IP space if possible.

Nintendo Online Multiplayer

Nintendo Switch - Needs static port on its outbound NAT
At least with the one online multiplayer game I have used so far (Fast RMX) the only requirement for Nintendo Switch online multiplayer is static port outbound NAT. It did not appear to require UPnP, but it’s safer to enable that in case another game need...

Amazon Kindle

You will not be able to use your Kindle or Kindle Services if device-metrics-us.amazon.com is blocked. I have this domain blocked by pfBlockerNG and it was causing all sorts of issues with registering a device and getting content.