Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall rule issue

    Scheduled Pinned Locked Moved
    Firewalling
    4
    5
    85
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dy_atx
      last edited by

      This is the first time I am having a problem on PFSense with a firewall rule and I must be missing something simple! I keep seeing 192.168.20.4 being blocked from accessing 192.168.20.65, when my first and third rule should be allowing this! I only added the first two rules listed here after the third appeared to be failing. Any suggestions on what I might be missing? I have refreshed state table and rebooted the firewall as well. Thank you!
      Cameras_Rules.jpg Blocks.jpg

      V S johnpozJ 3 Replies Last reply Reply Quote 0
      • V
        viragomann @dy_atx
        last edited by

        @dy_atx
        This seems to be an asymmetric routing issue.
        Most probably reason for this is that one of the involved devices is multi-homed.

        1 Reply Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance @dy_atx
          last edited by

          @dy_atx said in Firewall rule issue:

          192.168.20.4 being blocked from accessing 192.168.20.65, when my first and third rule should be allowing this

          Devices in the same subnet don't cross the firewall so no rules should ever apply. Unless those are both not in a /24.

          re: Asymmetric Routing, see
          https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#asymmetric-routing
          https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @dy_atx
            last edited by

            @dy_atx yeah that screams asymmetrical, normally with 192.168.20.0/24 192.168.20.4 would not send anything to router to talk to 192.168.20.65.

            So from that I would think your mask is wrong on 20.4 and he thinks 20.65 is on a different network and when he got a syn to his 12812 port he sent back his syn,ack (SA) to pfsense (his gateway)..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            1 Reply Last reply Reply Quote 0
            • D
              dy_atx
              last edited by

              Thank you both! This was exactly the issue; subnet was configured incorrectly on the device at 192.168.20.4! Thank you!!

              1 Reply Last reply Reply Quote 1
              • First post
                Last post