Firewall rule not getting hit ?!
-
Hi, please see attached file.
I'm experiencing issues and ending up with the simplest configuration possible.
I have a LOCAL subnet 10.10.10.0/24 for which I created a simple rule IPv4* from LOCAL network any any any any.
And yet, in the logs I see traffic being blocked from host 10.10.10.10 to outside.
It drives me nuts.
I rebooted, re-created the rule, manually entered the subnet.
Any idea what's going on? -
@gerald26500
The blocked packets are out of state, as the flags are showing:
So maybe pfSense has already closed these connections due to timeouts, or the SYN packet didn't pass pfSense (asymmetric routing).
-
@gerald26500 If you look at the blocks in the firewall logs you posted you will see that it is not your rule that is blocking the packets. It's the "Default Deny Rule IPv4" that's blocking it.
-
@dma_pf but my rule is supposed to allow all traffic for that subnet going outside, so it should be allowed before hitting the implied deny all, right?!
-
@viragomann said in Firewall rule not getting hit ?!:
losed this connections due to timeouts or the SYN
OK, this is so strange. This device is having a hard time reaching the internet.
I really can't see how asymmetric routing would be possible in my network. -
@gerald26500
Firewall rules are only applied to the SYN packets. If the rule passes it, pfSense adds a state to its state table and passes all further related packets, but the state times out when no traffic is flowing. -
@gerald26500 said in Firewall rule not getting hit ?!:
I really can't see how asymmetric would be possible in my network
An A (ack) block doesn't necessarily mean it's asymmetrical - SA (syn,ack) normally screams that it is.
What we know for sure with "A" blocks is that the firewall has no state for this traffic. For pfSense to create a state it needs to see the SYN.
If your internet connection is having issues and the WAN goes down - I believe out of the box pfSense clears all states. So that could be happening. Or the states could be timing out on their own while the client tries to use this session at some later time. Client coming out of standby, maybe.
Another reason you can see such blocks is, like, a phone or something using cell, and then it switches to your wifi and doesn't create a new session with a SYN.
Your blocks are clearly out of state; if they were normal blocks you would see TCP:S.
The trick is figuring out why they are out of state. Is it a client issue? Is it your states being cleared on pfSense? Either way the client should be smart enough to create a new session -- send a SYN when the old connection is no longer working. So some of those blocks are not a big concern.
Could also be your WAN IP is changing - if so your states could be cleared and the client doesn't really know this and continues to use its previous session. Again, when the client can no longer use a session, it should create a new session on its own via SYN. This is how TCP works when a client trying to go somewhere times out because it gets no connection.
-
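The two replies above (rules are consulted only for the SYN, everything else rides on the state table; a block logged with flags "A" therefore means "no state", not "your rule failed") can be shown with a small model. The following is an added example written for this thread, not pfSense code: a toy stateful filter with a single pass rule for 10.10.10.0/24, a hypothetical 90-second idle timeout, a `clear_states()` call standing in for a WAN flap, and constructed packets using the documentation address 203.0.113.5 as the destination.

```python
"""Toy model of pfSense-style stateful filtering (added example, not pfSense code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DEFAULT_DENY = "Default deny rule IPv4"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as pfSense prints them, e.g. "S", "SA", "A"


@dataclass
class PassRule:
    name: str
    src_net: str  # e.g. "10.10.10.0/24"

    def matches(self, pkt: Packet) -> bool:
        return ip_address(pkt.src) in ip_network(self.src_net)


@dataclass
class StatefulFirewall:
    rules: list
    idle_timeout: float = 90.0  # hypothetical value; pfSense uses per-phase TCP timeouts
    states: dict = field(default_factory=dict)  # 4-tuple -> time of last packet
    log: list = field(default_factory=list)

    def clear_states(self) -> None:
        """Stands in for a WAN down / WAN IP change that flushes the state table."""
        self.states.clear()

    def process(self, pkt: Packet, now: float) -> tuple:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.states.get(key)
        if last is not None and now - last <= self.idle_timeout:
            self.states[key] = now          # existing state: rules are never consulted
            return ("pass", "state")
        if last is not None:
            del self.states[key]            # idle too long: state expired
        if pkt.flags == "S":                # only a bare SYN is evaluated against rules
            for rule in self.rules:
                if rule.matches(pkt):
                    self.states[key] = now  # rule passed: create the state
                    return ("pass", rule.name)
        # No state and not a rule-passed SYN: falls through to the default deny
        self.log.append(f"block {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                        f"TCP:{pkt.flags} ({DEFAULT_DENY})")
        return ("block", DEFAULT_DENY)


def explain_block(flags: str) -> str:
    """Reads a default-deny block the way johnpoz does above, from its TCP flags."""
    if flags == "S":
        return "rule block: the SYN itself was rejected by the ruleset"
    if "S" in flags and "A" in flags:
        return "out of state: SYN/ACK with no matching state (asymmetric routing likely)"
    return "out of state: no state for this session (timeout, state flush, or client reused an old session)"


def demo() -> tuple:
    """Replays the scenario from the thread; returns (verdicts, block log)."""
    fw = StatefulFirewall(rules=[PassRule("LAN net any any", "10.10.10.0/24")])
    syn = Packet("10.10.10.10", "203.0.113.5", 51000, 443, "S")   # constructed
    ack = Packet("10.10.10.10", "203.0.113.5", 51000, 443, "A")   # constructed
    verdicts = [
        fw.process(syn, 0.0),       # SYN: rule consulted, state created
        fw.process(ack, 5.0),       # ACK: passed by the state, not by the rule
        fw.process(ack, 1000.0),    # ACK after idle timeout: default deny, TCP:A
        fw.process(syn, 1001.0),    # client retries with a SYN: rule passes again
    ]
    fw.clear_states()               # WAN flap flushes every state
    verdicts.append(fw.process(ack, 1002.0))   # old session resumed: default deny, TCP:A
    outsider = Packet("192.168.50.5", "203.0.113.5", 40000, 443, "S")  # constructed
    verdicts.append(fw.process(outsider, 1003.0))  # no rule matches: a "normal" TCP:S block
    return verdicts, fw.log


if __name__ == "__main__":
    results, log = demo()
    for v, what in zip(results, ["SYN", "ACK t=5", "ACK t=1000", "SYN retry", "ACK after flush", "outsider SYN"]):
        print(f"{what:16} -> {v}")
    for line in log:
        flags = line.split("TCP:")[1].split()[0]
        print(line, "=>", explain_block(flags))
```

Run it and the third and fifth verdicts come back as blocks by the default deny with `TCP:A`, exactly the picture in the original logs, even though the pass rule for the subnet never changed; the last block is `TCP:S`, which is what a block caused by the ruleset looks like.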
@viragomann @johnpoz Thanks a lot for your responses.
I think you found the issue, John. This device is wireless and after verification it does switch from wireless to cell connectivity... and all destinations are Google Cloud and Amazon, which makes sense.
Now time for me to figure out why the wifi keeps dropping for that device.
I really appreciate your help!!
Thanks again