pfSense not acting as stateful firewall for ICMP
-
Version with problem: 24.03-RELEASE (amd64)
Prior to upgrading (whatever the last version was), this issue did not exist.
Our Zabbix server is unable to ping only one specific subnet's IP addresses.
Its pings are sourced from 10.9.0.23, and are allowed by this firewall rule:
However, the firewall logs show the ICMP as sourced from the destination instead, and it is being blocked:
I tried to reboot pfSense and the issue is still happening.
-
Hi mrbn, can you share firewall logs so we can help you? Execute a ping from your Zabbix server and go to:
Status > System Logs
Firewall > Normal View
Page down to the latest logs and verify whether the pfSense rules are blocking your pings. You can quickly allow it by clicking "+" and adding a rule for what was specifically blocked before, for example:
Afterwards you can rename the rule or change something under Firewall > Rules. I think that will help you with your problem.
-
Hello, thank you for getting back to me.
The rule that is suggested is this:
That's all well and good, but the SOURCE is NOT 10.10.1.14. Why would I have to create additional firewall rules to allow ICMP in both directions if the router is supposed to be stateful?
Once I initiate an ICMP request from the SOURCE, the traffic should be allowed to come back automatically.
I am confused as to why this is happening just to this specific subnet and no others.
We have over a dozen VLANS and our Zabbix server initiates ICMP pings to all of them. This is the only one with the issue.
In any case, I did as you suggested:
The issue is still happening.
However, if I change Echo request, to ICMP ANY, the issue is resolved.
Unfortunately, as I mentioned before, I cannot understand why this is necessary.
Is there anything else you can think of that might be causing this issue?
-
@mrnb Well, I have already had this problem with ICMP echo reply several times; I always need to set "ICMP ANY" for it to be resolved. Honestly, I don't know why; maybe some other forum friend can give a better reply.
About how the rules are applied: pfSense is a stateful firewall, so all rules are applied on the originating interface. One thing I generally think about before creating a rule is where the traffic is created, on which interface; with this I create the rules on the interface where the traffic first arrives at the firewall.
The easy rule that you created generally resolves part of the problem. Because it is very specific, it is quite probable that you need to change the source and/or destination address to the network instead of the IP address.
And if the traffic passes the rule, then it will return back without being blocked.
I hope I've helped.
-
@mrnb said in pfSense not acting as stateful firewall for ICMP:
Prior to upgrading (whatever the last version was), this issue did not exist.
With this version something changed: pfSense is more strict now and doesn't allow asymmetric routing by default. You can change this in the settings back to the old behavior, or you can fix your asymmetric routing.
-
That's what it was, thank you.
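The symptom described in this thread (echo requests passed on the Zabbix VLAN, the matching echo replies logged as blocked on the destination VLAN's interface) can be pulled out of the firewall log mechanically instead of by scrolling Status > System Logs. The script below is an added example, not code from the thread or from pfSense. It assumes the pfSense filterlog CSV layout for IPv4 ICMP (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then tos, ecn, ttl, id, offset, flags, protocol id, protocol text, length, source, destination, then the ICMP type followed by id and sequence for echo request/reply). The log lines, interface names (igb1.10, igb1.20) and addresses are constructed for the example; only 10.9.0.23 and 10.10.1.14 come from the thread.

```python
"""Correlate blocked ICMP echo replies with the echo requests pfSense already passed.

Added example (not from the forum thread). Assumes the pfSense filterlog CSV
layout for IPv4 ICMP echo request/reply described in the lead-in. A blocked
reply whose request was passed moments earlier is the signature the original
poster saw: the reply is arriving where no state exists for it (asymmetric
return path under interface-bound states), so the default deny catches it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines, not real pfSense output. Two echo requests from
# the Zabbix host are passed in on igb1.10; their replies are blocked in on
# igb1.20 (the destination VLAN). The last two lines are noise the script must
# ignore: a request with no reply, and a request that was blocked (not a reply).
LOG = """\
5,,,1000000103,igb1.10,match,pass,in,4,0x0,,64,40001,0,none,1,icmp,84,10.9.0.23,10.10.1.14,request,4660,1
5,,,1000000103,igb1.10,match,pass,in,4,0x0,,64,40002,0,none,1,icmp,84,10.9.0.23,10.10.1.14,request,4660,2
12,,,1000000000,igb1.20,match,block,in,4,0x0,,64,50001,0,none,1,icmp,84,10.10.1.14,10.9.0.23,reply,4660,1
12,,,1000000000,igb1.20,match,block,in,4,0x0,,64,50002,0,none,1,icmp,84,10.10.1.14,10.9.0.23,reply,4660,2
5,,,1000000103,igb1.10,match,pass,in,4,0x0,,64,40003,0,none,1,icmp,84,10.9.0.23,10.10.5.7,request,4660,3
12,,,1000000000,igb1.20,match,block,in,4,0x0,,64,50009,0,none,1,icmp,84,10.10.1.99,10.10.1.14,request,7,1
""".splitlines()


@dataclass(frozen=True)
class IcmpEvent:
    iface: str
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    src: str
    dst: str
    icmp_type: str   # "request" or "reply"
    icmp_id: int
    seq: int


def parse_filterlog(line: str) -> Optional[IcmpEvent]:
    """Parse one filterlog line; return None for anything that is not IPv4 echo request/reply."""
    f = line.split(",")
    if len(f) < 23 or f[8] != "4" or f[16] != "icmp":
        return None
    if f[20] not in ("request", "reply"):
        return None  # other ICMP types carry different trailing fields
    return IcmpEvent(iface=f[4], action=f[6], direction=f[7], src=f[18], dst=f[19],
                     icmp_type=f[20], icmp_id=int(f[21]), seq=int(f[22]))


def blocked_replies_to_passed_requests(lines: List[str]) -> List[Tuple[IcmpEvent, IcmpEvent]]:
    """Return (request, reply) pairs where the request was passed but its reply was blocked.

    An echo reply echoes the request's id and sequence with src/dst swapped, so the
    4-tuple (src, dst, id, seq) of the request equals (dst, src, id, seq) of the reply.
    """
    passed: Dict[Tuple[str, str, int, int], IcmpEvent] = {}
    hits: List[Tuple[IcmpEvent, IcmpEvent]] = []
    for line in lines:
        ev = parse_filterlog(line)
        if ev is None:
            continue
        if ev.icmp_type == "request" and ev.action == "pass":
            passed[(ev.src, ev.dst, ev.icmp_id, ev.seq)] = ev
        elif ev.icmp_type == "reply" and ev.action == "block":
            req = passed.get((ev.dst, ev.src, ev.icmp_id, ev.seq))
            if req is not None:
                hits.append((req, ev))
    return hits


def summarize(hits: List[Tuple[IcmpEvent, IcmpEvent]]) -> Dict[Tuple[str, str], int]:
    """Count hits by (interface the request entered, interface the reply was blocked on)."""
    return dict(Counter((req.iface, rep.iface) for req, rep in hits))


if __name__ == "__main__":
    for req, rep in blocked_replies_to_passed_requests(LOG):
        print(f"request {req.src}->{req.dst} id={req.icmp_id} seq={req.seq} passed in on {req.iface}; "
              f"reply blocked in on {rep.iface}")
    print(summarize(blocked_replies_to_passed_requests(LOG)))
```

If the pairs it prints all involve the same destination VLAN, that matches the thread's conclusion: the replies are reaching the firewall on a path for which no state exists, and the fix is either the routing (so the reply returns through the same interface the request left by) or the state policy setting the upgrade changed, not an extra "ICMP ANY" pass rule. The "ICMP ANY" rule only hides the problem: an inbound echo reply matches it and creates a fresh state, whereas an "Echo request" rule never matches a type 0 reply, which is why that variant did nothing.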