Strange firewall issue
-
Hello forum,
I'm having a strange issue with the firewall on pfSense 2.3.2-p1. We have a Netgate SG-4860. The four OPT ports are in a LAGG with multiple VLANs. We are particularly having an issue with traffic on a single VLAN (VLAN 10, 192.168.10.0/23 subnet). When attempting to telnet to TCP ports like 389 or 3389 on a Domain Controller (virtual server, Windows Server 2016) from a physical workstation, the firewall is dropping the traffic.
Server IP is 192.168.10.104, workstation is 192.168.10.12.
Dec 26 16:17:50 pfSense01 filterlog: 160,16777216,,1472571680,lagg0_vlan10,match,pass,in,4,0x0,,128,9525,0,none,17,udp,150,192.168.10.104,192.168.10.12,53,59912,130
Dec 26 16:17:50 pfSense01 filterlog: 76,16777216,,1000008965,lagg0_vlan10,match,pass,out,4,0x0,,127,9525,0,none,17,udp,150,192.168.10.104,192.168.10.12,53,59912,130
Dec 26 16:18:09 pfSense01 filterlog: 5,16777216,,1000000103,lagg0_vlan10,match,block,in,4,0x0,,128,9534,0,DF,6,tcp,52,192.168.10.104,192.168.10.12,389,58730,0,SA,675711707,2073189566,8192,,mss;nop;wscale;nop;nop;sackOK
Dec 26 16:18:13 pfSense01 filterlog: 5,16777216,,1000000103,lagg0_vlan10,match,block,in,4,0x0,,128,9537,0,DF,6,tcp,52,192.168.10.104,192.168.10.12,389,58730,0,SA,675711707,2073189566,8192,,mss;nop;wscale;nop;nop;sackOK
However, traffic such as DNS over UDP works fine and so does ICMP. Netstat on the server shows syn_received while running telnet from the client workstation.
All NAT options are default (auto outbound NAT). As soon as I kill the firewall (pfctl -d), I can telnet just fine. Just for kicks, I tried on another workstation on another VLAN, and it works with the firewall enabled:
Dec 26 16:24:42 pfSense01 filterlog: 162,16777216,,1480738223,lagg0_vlan12,match,pass,in,4,0x10,,64,41929,0,DF,6,tcp,64,192.168.12.100,192.168.10.104,50135,389,0,S,665911506,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Dec 26 16:24:42 pfSense01 filterlog: 76,16777216,,1000008965,lagg0_vlan10,match,pass,out,4,0x10,,63,41929,0,DF,6,tcp,64,192.168.12.100,192.168.10.104,50135,389,0,S,665911506,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
For sanity's sake, I created an ANY/ANY allow firewall rule at the top of the LAN interface for testing.
This seems to have occurred since upgrading to 2.3.2-p1. Any helpful ideas?
Thanks!
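An added example, not from this thread or from pfSense: a small Python parser for the pfSense 2.2+ filterlog CSV layout (field order as documented for that release, IPv4 only), run over the lines quoted above. It flags the signature visible in the post: a blocked inbound SYN/ACK between two hosts of one directly attached subnet, which is what a reply arriving at pf with no matching state looks like. The function names and the subnet list are the example's own.

```python
import ipaddress

# Constructed copies of the filterlog lines quoted in the post above.
LOG_LINES = [
    "Dec 26 16:17:50 pfSense01 filterlog: 160,16777216,,1472571680,lagg0_vlan10,match,pass,in,4,0x0,,128,9525,0,none,17,udp,150,192.168.10.104,192.168.10.12,53,59912,130",
    "Dec 26 16:18:09 pfSense01 filterlog: 5,16777216,,1000000103,lagg0_vlan10,match,block,in,4,0x0,,128,9534,0,DF,6,tcp,52,192.168.10.104,192.168.10.12,389,58730,0,SA,675711707,2073189566,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Dec 26 16:24:42 pfSense01 filterlog: 162,16777216,,1480738223,lagg0_vlan12,match,pass,in,4,0x10,,64,41929,0,DF,6,tcp,64,192.168.12.100,192.168.10.104,50135,389,0,S,665911506,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol",
]

# Field names follow the pfSense 2.2+ filterlog layout: common header, IPv4 header, then per-protocol.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "protoid", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]


def parse_filterlog(line):
    """Split one syslog'd filterlog line into a dict keyed by field name (IPv4 only)."""
    fields = line.split("filterlog: ", 1)[1].split(",")
    rec = dict(zip(COMMON, fields[:9]))
    if rec["ipver"] != "4":
        raise ValueError("IPv6 layout not handled in this example")
    rec.update(zip(IPV4, fields[9:20]))
    rec.update(zip(TCP if rec["proto"] == "tcp" else UDP, fields[20:]))
    return rec


def is_stateless_reply_block(rec, local_subnets):
    """A blocked inbound SYN/ACK between two hosts of one attached subnet: pf never
    saw the SYN (it took another path), so no state exists and the reply falls
    through to the default deny. That is how asymmetric routing shows up in the log."""
    if rec["action"] != "block" or rec["dir"] != "in" or rec.get("tcpflags") != "SA":
        return False
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    return any(src in net and dst in net
               for net in map(ipaddress.ip_network, local_subnets))


def find_asymmetric_blocks(lines, local_subnets):
    """Return (iface, 'src:sport -> dst:dport') for every line matching the signature."""
    hits = []
    for rec in map(parse_filterlog, lines):
        if is_stateless_reply_block(rec, local_subnets):
            hits.append((rec["iface"], f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"))
    return hits


if __name__ == "__main__":
    for hit in find_asymmetric_blocks(LOG_LINES, ["192.168.10.0/23"]):
        print("possible asymmetric path:", *hit)
```

Feed it the output of `clog /var/log/filter.log` (or the forwarded syslog) with the subnets pfSense has directly attached; a hit means the SYN for that flow never created a state on the firewall.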
-
This seems to be a kind of asymmetric routing.
https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
The 192.168.10.104 and the workstation 192.168.10.12 are in the same network segment. Why should the traffic between these hosts pass the firewall?
Some more details of your setup would be helpful. What is your interface configuration? How are these hosts connected to pfSense?
-
That's a good point, I'm not quite sure why traffic on the same subnet is passing through pfSense. I'll have to look more into that. Below is what my current setup is:
Physical workstation <-----> PowerConnect switch #1 (access mode, VLAN 10) <-----> PowerConnect switch #2 (general mode to switch #1, tagged 10,12) <-----> Stacked PowerConnect switches (general mode to switch #2, tagged 10,12) <-----> pfSense LAGG <-----> Hyper-V hosts <-----> Hyper-V virtual switches, tagged LACP interfaces <-----> Server 2016 Domain Controller
Yeah, I know, that's kinda crazy ^, we are in the process of re-doing it all, however that's how it has to be for now. I think it's something with the stacked switch config that connects pfSense to the Hyper-V hosts, as two physical workstations on the 192.168.10.X LAN can ping and reach each other over TCP (doesn't touch pfSense at all). I'll look further into that. Thanks for your help thus far.