pfsense default deny rule ipv4 1000000103
-
Hi,
I am running pfSense mainly to create a PPP tunnel in front of a UniFi network. This has been working well for at least 24 months.
Suddenly, the firewall is blocking traffic from the LAN to the tunnel (pfsense default deny rule ipv4 1000000103); this is not visible in the GUI firewall rules. To my knowledge nothing has changed. I am having to use pfSense Community Edition version 2.5.1-RELEASE (amd64), built on Mon Apr 12 07:50:14 EDT 2021, FreeBSD 12.2-STABLE, as version 2.7.0 broke the tunnel.
I am no firewall bod and have left this well alone once working. Any pointers would be most appreciated. Thanks in advance.
-
@rfinch23 said in pfsense default deny rule ipv4 1000000103:
now this is not visible on the GUI firewall
No, the default deny would not be listed in the GUI rules. But what rules are? If the default deny is blocking it, it's either out-of-state traffic or there is no rule to allow the traffic.
Does the log show SYN (S) in the protocol column, or is it some UDP traffic? If it's something else like SA or FA etc., then it's out of state.
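The check in the reply above (SYN-only means no allow rule matched; any other TCP flag combination on a default-deny block means out-of-state traffic) can be run over the raw filter log instead of reading it by eye. The script below is an added example, not code from the thread or from pfSense. It assumes the CSV field layout of pfSense's filterlog lines as I understand it (rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, then the IPv4 header fields, then protocol, source, destination, ports and TCP flags); the sample lines are constructed, not captured, and only the tracker id 1000000103 comes from the thread.

```python
"""Classify pfSense filterlog 'block' entries by TCP flags.

Added example, not from the thread. Field positions follow the pfSense
filterlog CSV format as assumed here; verify against your version's docs.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Tracker id of the hidden default deny rule quoted in the thread.
DEFAULT_DENY_TRACKER = "1000000103"

# Constructed sample lines shaped like /var/log/filter.log entries (not real captures).
SAMPLE_LOG = """\
5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,52,192.168.1.10,203.0.113.5,51234,443,0,FA,1234567,7654321,501,,
5,,,1000000103,igb0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.1.11,203.0.113.6,51235,8443,0,S,2222,,64240,,mss
5,,,1000000103,igb0,match,block,in,4,0x0,,64,12347,0,none,17,udp,78,192.168.1.12,203.0.113.7,51236,1194,58
5,,,1000000103,igb0,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,40,192.168.1.10,203.0.113.5,51234,443,0,SA,1234568,7654322,501,,
9,,,1000000200,igb0,match,pass,in,4,0x0,,64,12349,0,DF,6,tcp,60,192.168.1.20,203.0.113.8,51237,443,0,S,3333,,64240,,mss
12,,,1000000300,igb1,match,block,in,4,0x0,,64,12350,0,DF,6,tcp,60,192.168.2.5,203.0.113.9,51238,22,0,S,4444,,64240,,mss
"""


@dataclass
class BlockedEntry:
    tracker: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: str
    tcp_flags: str
    verdict: str


def classify_tcp_flags(flags: str) -> str:
    """Apply the rule of thumb from the reply: S alone is a new connection
    that matched no allow rule; ACK/FIN/RST combinations are mid-stream
    packets for which pf holds no state."""
    if flags == "S":
        return "new-connection-no-allow-rule"
    if any(f in flags for f in "AFR"):
        return "out-of-state"
    return "unknown"


def parse_filterlog(text: str) -> List[BlockedEntry]:
    """Return the IPv4 'block' entries from filterlog text with a verdict each."""
    entries: List[BlockedEntry] = []
    for row in csv.reader(io.StringIO(text)):
        # Only IPv4 block entries are handled; pass entries and IPv6 are skipped.
        if len(row) < 20 or row[6] != "block" or row[8] != "4":
            continue
        tracker, iface, proto, src, dst = row[3], row[4], row[16], row[18], row[19]
        if proto == "tcp" and len(row) > 23:
            dport, flags = row[21], row[23]
            verdict = classify_tcp_flags(flags)
        elif proto == "udp" and len(row) > 21:
            # UDP carries no flags: either no allow rule or a state that timed out.
            dport, flags = row[21], ""
            verdict = "udp-no-allow-rule-or-expired-state"
        else:
            dport, flags, verdict = "", "", "unhandled-protocol"
        entries.append(BlockedEntry(tracker, iface, proto, src, dst, dport, flags, verdict))
    return entries


def default_deny_only(entries: List[BlockedEntry]) -> List[BlockedEntry]:
    """Keep only hits on the hidden default deny rule."""
    return [e for e in entries if e.tracker == DEFAULT_DENY_TRACKER]


def summarize(entries: List[BlockedEntry]) -> Dict[str, int]:
    """Count verdicts so the dominant cause stands out."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    hits = default_deny_only(parse_filterlog(SAMPLE_LOG))
    for e in hits:
        print(f"{e.src} -> {e.dst}:{e.dport} {e.proto} [{e.tcp_flags}] {e.verdict}")
    print(summarize(hits))
```

If most default-deny hits come back as out-of-state (FA, SA, PA and similar), the fix is usually on the state side (asymmetric routing through the tunnel, state timeouts, or a device resending after a tunnel bounce) rather than a missing rule; a run of plain S hits points at a missing or mis-ordered allow rule for that source and port.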
-
@rfinch23 said in pfsense default deny rule ipv4 1000000103:
To my knowledge nothing has changed.
This might be true .... but it is really hard to do.
You're saying: since I installed this firewall, I did not use new devices on my own networks, neither did I upgrade any of these devices ....
If you did add just one new device, or updated just one, and this device 'crafts' internet packets that are 'wrong' (no big deal), then suddenly they start being captured by the final hidden block-all rule.
Now: knowing what I just told you, did you 'change' something?
I'm pretty sure you did ;)
You can see the logs that show the "ipv4 1000000103" line, so you have the offending IPv4.
What happens when you remove this device from your network?
What is this device?
About:
@rfinch23 said in pfsense default deny rule ipv4 1000000103:
FreeBSD 12.2-STABLE (== 2.5.1) as Version 2.7.0 broke the tunnel.
Read Netgate Will Migrate to OpenSSL 3 in pfSense Plus Software Version 23.09
which means things won't get any better soon.
Example: if a 'tunnel' uses encryption 'XXXX' and XXXX isn't supported anymore, there will be a moment XXXX won't work anymore on both sides of the tunnel. For example: your phone app updates .... and now you're locked out. Or your VPN supplier dropped old stuff: same result.
It's way easier to stay 'current' - and yes, have some hassle once in a while because you had to change 'SHA1' to 'SHA256' on both ends. But at that moment, thousands will have the same question as you, so answers will be available here.
Keeping old stuff could mean you lose 'everything' and you have nothing to get back to.