Netgate Discussion Forum

PFsense blocks VEEAM backups despite having an allow rule as the first rule

Category: Firewalling
8 Posts, 3 Posters, 1.1k Views
zakharykyle (last edited May 8, 2023, 7:18 PM)

When attempting to back up some devices through VEEAM, pfSense blocks the desired traffic. I have moved the rule to the top of the list, and the traffic is still being blocked. When I look at it in the logs, it indicates that it is blocked via rule 5. I am guessing that rule 5 is the default rule, so for whatever reason other traffic is allowed. The rest of the time, when I conduct connectivity tests from the servers to the destination, the traffic is allowed. I'm guessing this is due to resource limitations and the fact that the firewall is likely failing shut. I cannot confirm that guess, as the backups happen at sporadic times and there's no way to be online or know when they will occur.

Has anyone else experienced something similar? If so, what is the fix, aside from going to a different firewall vendor? What would you recommend I do to remedy the issue?

Thanks in advance.

keyser (Rebel Alliance), replying to @zakharykyle (last edited May 8, 2023, 7:24 PM)

@zakharykyle Definitively not a firewall issue/malfunction.
It must be because there are some ports/protocols in use that are not allowed in the first rule you created.
Look at the block event in the log and see what traffic was blocked, then create a rule to allow it (you could try the Easy Rule feature).

Love the no fuss of using the official appliances :-)

zakharykyle, replying to @keyser (last edited May 8, 2023, 9:11 PM)

@keyser

Thank you for the response, but that isn't the issue. The rule works properly the rest of the time, except when the VEEAM backups are running. I know this because I can use a PowerShell script to test traffic on 443, and it works when I test.

The rest of the time, when the backups run, I see the errors in our SIEM after the fact showing that it's being blocked. The odd part is that it seems to fail shut with most of the traffic. It passes traffic some of the time. It's only when it gets a decent amount of traffic. The links don't seem to be fully saturated, but I'm not 100% sure it isn't a software bug or a hardware limitation, and I'm trying to see if there's anything that can be done to mitigate the issue.

Thank you again for the response, but a rule is in place that allows the traffic. The issue is that it fails a majority of the time, but not all the time, with the log indicating that rule 5 is the issue. From what I gathered, rule 5 should be one of the default rules, but I want to see if there is a way to confirm that or properly allow the traffic. When I look at the firewall, it's the very first rule on the interface, and other traffic is being allowed to other devices on that interface all the time.

SteveITS (Rebel Alliance), replying to @zakharykyle (last edited May 8, 2023, 10:26 PM)

@zakharykyle I am unclear: are backups working despite blocked packets? That could be https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html.

There's a list here: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html.

The firewall log page shows the rule text if Show Rule Descriptions is checked in log settings.

Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
Upvote 👍 helpful posts!
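The doc linked above explains that pf logs a packet against the default deny rule when no state exists for it, which is why mid-connection packets (TCP flags without SYN) show up as blocked even though an allow rule sits at the top. The following added example (not from the thread or from Netgate) parses the CSV body of pfSense filterlog entries, groups blocked packets by rule number and tracker ID, and separates out-of-state blocks from genuinely refused new connections; the log lines are constructed, and the rule number and tracker ID in them are placeholders rather than real pfSense values.

```python
from collections import Counter

# Constructed sample filterlog entries (the CSV part after the syslog header).
# Layout follows the pfSense filterlog IPv4 TCP format: rule-number, sub-rule, anchor,
# tracker, interface, reason, action, direction, ip-version, tos, ecn, ttl, id, offset,
# flags, protocol-id, protocol-text, length, src, dst, sport, dport, data-length,
# tcp-flags, seq, ack, window, urg, options. Rule "5" / tracker are placeholders.
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,40001,0,DF,6,tcp,52,10.10.0.21,10.20.0.5,49732,443,0,PA,1,2,65535,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,40002,0,DF,6,tcp,52,10.10.0.21,10.20.0.5,49732,443,0,FA,3,4,65535,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,40003,0,DF,6,tcp,60,10.10.0.22,10.20.0.5,50110,2500,0,S,5,0,65535,,
"""


def parse_filterlog(line):
    """Parse one IPv4 filterlog CSV line into a dict (IPv6 layout differs; not handled)."""
    f = line.split(",")
    if f[8] != "4":
        raise ValueError("only IPv4 entries are handled in this example")
    entry = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
             "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19]}
    if entry["proto"] in ("tcp", "udp"):
        entry["sport"], entry["dport"] = f[20], f[21]
    if entry["proto"] == "tcp":
        entry["tcp_flags"] = f[23]
    return entry


def is_out_of_state(entry):
    """A blocked TCP packet without SYN is mid-connection traffic pf has no state for
    (expired state, asymmetric path, long idle); the default deny rule logs it, and
    moving allow rules around will not change that."""
    return (entry["action"] == "block" and entry["proto"] == "tcp"
            and "S" not in entry.get("tcp_flags", ""))


def summarize(log_text):
    """Count blocks per (rule, tracker) and split out-of-state from new-connection blocks."""
    entries = [parse_filterlog(l) for l in log_text.splitlines() if l.strip()]
    blocked = [e for e in entries if e["action"] == "block"]
    return {
        "blocked_by_rule": dict(Counter((e["rule"], e["tracker"]) for e in blocked)),
        "out_of_state": sum(1 for e in blocked if is_out_of_state(e)),
        "new_connections_blocked": sum(1 for e in blocked
                                       if e["proto"] == "tcp" and "S" in e["tcp_flags"]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If most blocked entries fall in the out-of-state bucket, the fix lies in state handling (state timeouts, asymmetric routing, or the options described in the linked doc) rather than in rule order; only the SYN packets indicate traffic no allow rule matched.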

zakharykyle, replying to @SteveITS (last edited May 9, 2023, 11:43 AM)

That's the thing. Some packets get through. Others don't. The packets use the same ports/protocols, so it's not a rule issue. Is there anyone here who can tell me how to determine what rule 5 actually is? I feel as if that's the cause of these issues, as that is the block reason in all the blocked packets.

The annoying part, of course, is that some packets/traffic are being allowed.

SteveITS (Rebel Alliance), replying to @zakharykyle (last edited May 9, 2023, 12:29 PM)

@zakharykyle Once you check Show Rule Descriptions, IIRC you have to add a text description to each rule yourself.


zakharykyle, replying to @SteveITS (last edited May 9, 2023, 2:40 PM)

@steveits said in PFsense blocks VEEAM backups despite having an allow rule as the first rule:

"Show Rule Descriptions"

How do you check rule descriptions? I've logged into the CLI, and even Google searched, and I'm not seeing instructions anywhere as to how to view that.

SteveITS (Rebel Alliance), replying to @zakharykyle (last edited May 9, 2023, 2:56 PM)

@zakharykyle I copied that off a doc page I can't find now, but now that I can log in to a router it appears they renamed it. Under Status/System Logs/Settings there is a "Where to show rule descriptions" dropdown.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.