Netgate Discussion Forum
    TCP:A, TCP:PA ... dropped

    General pfSense Questions | 13 Posts, 3 Posters, 2.4k Views
    hugzer @johnpoz

      @johnpoz Hi,

      Sorry, I misclicked, so I sent the topic too early.
      I have completed the description.

      hugzer @johnpoz

        @johnpoz I also do have drops on TCP:S, but the dest is my pfSense interface (192.168.1.2) while I'm requesting from my PC (192.168.1.10):
        [screenshot]

        johnpoz LAYER 8 Global Moderator @hugzer

          @hugzer Yeah, those SYN blocks would be normal. Are you wanting to allow traffic from the internet to that IP? If so then you would have to set up a port forward.

          While blocks on just A are normal as well for a stateful firewall, it means something different: a state can only be opened via a SYN, and to allow that you need a firewall rule to allow it. Non-SYN traffic would be blocked and wouldn't be able to open the state even if you wanted to allow the traffic.

          What is odd about those blocks is: how would some public IP know how to get to your WAN to try and get to 192.168.1.2? Seems like you have a port forward set up, but no WAN rule to allow that traffic..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          hugzer @johnpoz

            @johnpoz I'd like to make something like that:
            [diagram]

            I don't understand how I can set up port forwarding while the second port is not defined by me.

            On the WAN interface, I do have a rule:
            src 192.168.1.0/24
            dst any
            port any
            (protocol any)
            It does match my traffic 4 (in the drawing)
            [screenshot]

            On the LAN interface, I do have a rule:
            src 192.168.10.0/24
            dst any
            port any
            (protocol any)
            It does match my traffic 6 (in the drawing)
            [screenshot]

            For the LAN interface, I didn't set up port forwarding and traffic does work without any drops.

            johnpoz LAYER 8 Global Moderator @hugzer

              @hugzer said in TCP:A, TCP:PA ... dropped:

              I setup a port forwarding while the second port is not defined by me

              Huh.. You don't know what service you're trying to access? The source port is almost always going to be any, because the source port would be some random high port above 1024.

              But to get to Plex for example that port would be 32400; Nextcloud has a known port it listens on.. All services have ports they listen on.

              Normally you would put all "your" networks behind pfSense.. So the only thing on WAN of pfSense would be internet, or the transit network to get to internet if you're not able to put your ISP device in bridge mode. And you're going to double NAT.

                hugzer @johnpoz

                @johnpoz I do know what service I need to access but, as I said, this is a new FW and I had no FW before, so I created a rule which allows all the traffic to pass (logged rule) for about a week, and after that I will reduce the ports opened.

                Physically, my PC is plugged into my router and pfSense is a VM.
                My ESXi is plugged into my router too and it has only one network card.

                So my PC has to be on the same network as my ESXi (and so my pfSense WAN interface).

                johnpoz LAYER 8 Global Moderator @hugzer

                  @hugzer said in TCP:A, TCP:PA ... dropped:

                  created a rule which allow all the traffic to pass (logged rule) during like a week and after that, I will reduce the ports opened.

                  That is not going to work if you're NATting..

                  So my PC has to be on the same network as my ESXi

                  No, it just needs to be on a network behind pfSense, and not the pfSense WAN..

                    stephenw10 Netgate Administrator

                    The traffic in the first post is classic asymmetric routing.

                    It looks like you have set pfSense as the default gateway on the PC, generating the asymmetric route for those external addresses.

                    If the PC must be in the pfSense WAN subnet it must use the ISP router as its gateway to avoid that.

                    Steve

                      hugzer @johnpoz
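As an added illustration (not code from this thread, from pfSense, or from pf itself), here is a small Python model of the behaviour johnpoz and Steve describe: only a SYN that matches a pass rule opens a state, anything covered by a state passes in either direction, and everything else is logged as a block tagged with its TCP flags. The addresses 192.168.1.10 and 192.168.1.2 and the WAN rule are taken from the thread; 203.0.113.5 is a constructed documentation-range placeholder for "some public IP", and the asymmetric case assumes the TCP handshake travelled around pfSense so that only mid-stream segments reach it.

```python
import ipaddress
from dataclasses import dataclass, field
@dataclass
class StatefulFirewall:
    """Minimal pf-like model: a rule-matching SYN opens a state, state-matched
    segments pass, the rest is logged as a block tagged with its TCP flags."""
    pass_rules: list                          # (src_net, dst_net) pairs
    states: set = field(default_factory=set)  # (src, sport, dst, dport) tuples
    log: list = field(default_factory=list)

    def _rule_allows(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
                   for sn, dn in self.pass_rules)

    def filter(self, src, sport, dst, dport, flags):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.states or rev in self.states:
            return "pass"                     # an existing state covers both directions
        if flags == "S" and self._rule_allows(src, dst):
            self.states.add(fwd)              # only a rule-matching SYN creates state
            return "pass"
        self.log.append(f"block {src}:{sport} -> {dst}:{dport} TCP:{flags}")
        return "block"

PC, PFSENSE_WAN = "192.168.1.10", "192.168.1.2"  # addresses from the thread
PUBLIC = "203.0.113.5"                            # constructed placeholder public IP

def new_firewall():
    # Models the poster's WAN rule: src 192.168.1.0/24, dst any, any port.
    return StatefulFirewall(pass_rules=[("192.168.1.0/24", "0.0.0.0/0")])

def run(fw, segments):
    return [fw.filter(s, sp, d, dp, fl) for (s, sp), (d, dp), fl in segments]

def symmetric_session():
    """Both directions cross pfSense: the SYN opens state and the rest rides it."""
    fw, pc, web = new_firewall(), (PC, 51000), (PUBLIC, 443)
    return run(fw, [(pc, web, "S"), (web, pc, "SA"), (pc, web, "A"),
                    (pc, web, "PA"), (web, pc, "PA")])

def asymmetric_session():
    """Handshake bypassed pfSense, so no state: mid-stream segments block as TCP:A/PA."""
    fw, pc, web = new_firewall(), (PC, 51000), (PUBLIC, 443)
    return run(fw, [(pc, web, "A"), (web, pc, "PA")]), fw.log

def unsolicited_syn():
    """SYN from the internet to the WAN address with no matching rule: a TCP:S block."""
    fw = new_firewall()
    return fw.filter(PUBLIC, 40000, PFSENSE_WAN, 443, "S"), fw.log
```

The log entries produced by `asymmetric_session()` have the same shape as the TCP:A / TCP:PA blocks in the first post, while `unsolicited_syn()` shows the ordinary TCP:S block hugzer also saw.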

                      @johnpoz said in TCP:A, TCP:PA ... dropped:

                      That is not going to work if you're NATting..

                      I'm currently not using NAT. Do you think I should? I cannot be connected behind pfSense.

                      @johnpoz said in TCP:A, TCP:PA ... dropped:

                      No, it just needs to be on a network behind pfSense, and not the pfSense WAN..

                      I only have my 192.168.1.0 when I'm plugged into my router; physically it's like this:
                      [diagram]

                        hugzer @stephenw10

                        @stephenw10 Hi,

                        I just tried to use 192.168.1.1 (router) as the GW, but now I can't access my LAN network (192.168.10.0/24).
                        [screenshot]
                        I'm talking about traffic 2.

                          stephenw10 Netgate Administrator

                          You would have to access the subnet behind pfSense using port forwards.

                          Or you could add a static route on the client PC for 192.168.10.0/24 via 192.168.1.2.

                          Steve
