Netgate Discussion Forum
    Cannot access some legit 443 on 25.07.1

      wzkds wrote:

      Shared environment, so no security services such as suricata, pfblocker or snort, users are responsible for their own firewalling, security suites, etc.

      Some users are getting a certificate error when accessing websites, and the browser shows "This site can't be reached".

      I keep seeing the default deny rule invoked for some outbound 443 traffic. My rule is any protocol, from any address, to any address. I added a TCP 443 rule on this LAN and started seeing some:

      Aug 26 06:34:01 WIFI Ensure allow https out (1756144313) 10.110.30.16:44996 13.227.37.69:443 TCP:S

      However, I keep seeing in the logs blocked by default deny rule:
      Aug 26 06:34:03 WIFI Default deny rule IPv4 (1000000103) 10.110.30.16:33838 98.82.156.189:443 TCP:PA
      Aug 26 06:34:03 WIFI Default deny rule IPv4 (1000000103) 10.110.30.16:33838 98.82.156.189:443 TCP:FA
      Aug 26 06:34:03 WIFI Default deny rule IPv4 (1000000103) 10.110.30.16:33838 98.82.156.189:443 TCP:FA

      What am I missing here? This is a fresh install; I had to set up a different firewall model and did not hear back from Netgate on the conversion in time, so I can't say if this setup was working prior to 25.07.1.

        johnpoz (LAYER 8 Global Moderator), replying to wzkds:

        @wzkds those are all out-of-state packets. Those FA are FIN,ACK; the PA is a PUSH,ACK. But since those all carry A, that points to out-of-state traffic, i.e. pfSense has no state that would allow that traffic; states are opened with a SYN (S).

        So yes they would be denied by the default rule.

        A block of a SYN points to no firewall rule to allow that traffic. Other traffic with A (ACK) points to no existing state to allow the traffic. This could be because the state was already closed with a FIN that pfSense saw, and these are duplicate sends from the client. Or when it's SA (SYN,ACK), that points to an asymmetrical traffic flow where pfSense never saw the SYN that opened the state, but for some reason is seeing the answer to a SYN, the SYN,ACK.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

          wzkds, replying to johnpoz:
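        The flag reasoning above, applied to the log lines wzkds posted, as an added example (not code from the thread or from pfSense): it parses the summarised firewall-log format shown in the thread and sorts blocked TCP packets into "no rule" (bare SYN), "asymmetric" (SYN/ACK without a SYN) and "out of state" (ACK-bearing packets with no state). The format has no action column, so treating a rule description containing "deny" or "block" as a blocked packet is an assumption.

```python
import re
from collections import Counter

# Matches the summarised pfSense firewall-log lines quoted in the thread:
# timestamp, interface, rule description, (rule id), src:port, dst:port, proto[:flags].
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<iface>\S+) (?P<rule>.+?) \((?P<rule_id>\d+)\) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>[A-Z0-9]+)(?::(?P<flags>[A-Z]+))?$"
)

# The four lines quoted in the thread (one pass from the user's rule, three default-deny hits).
SAMPLE_LOG = """\
Aug 26 06:34:01 WIFI Ensure allow https out (1756144313) 10.110.30.16:44996 13.227.37.69:443 TCP:S
Aug 26 06:34:03 WIFI Default deny rule IPv4 (1000000103) 10.110.30.16:33838 98.82.156.189:443 TCP:PA
Aug 26 06:34:03 WIFI Default deny rule IPv4 (1000000103) 10.110.30.16:33838 98.82.156.189:443 TCP:FA
Aug 26 06:34:03 WIFI Default deny rule IPv4 (1000000103) 10.110.30.16:33838 98.82.156.189:443 TCP:FA
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: this summarised format has no action column, so a rule description
    # containing "deny" or "block" is taken to mean the packet was blocked.
    rec["blocked"] = any(w in rec["rule"].lower() for w in ("deny", "block"))
    return rec

def classify_flags(flags):
    """Map the TCP flags of a blocked packet to the likely cause johnpoz describes."""
    f = set(flags or "")
    if f == {"S"}:
        return "no-rule"        # bare SYN dropped: no pass rule matched the new connection
    if {"S", "A"} <= f:
        return "asymmetric"     # SYN/ACK without the SYN: pfSense never saw the opening SYN
    if "A" in f:
        return "out-of-state"   # ACK/PSH/FIN with no matching state: closed state or late dupes
    return "other"              # RST-only, non-TCP, etc.

def summarize(lines):
    """Count blocked packets per likely cause; pass lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["blocked"]:
            counts[classify_flags(rec["flags"])] += 1
    return dict(counts)  # for SAMPLE_LOG: {'out-of-state': 3}
```

A run over a real export that shows mostly "out-of-state" hits, as here, means the client did reach the firewall and the interesting question is why its states closed or were never opened, not which rule is missing.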

          @johnpoz thanks for the assistance, so I am looking in the wrong place based upon what I am seeing on the firewall end. The user isn't getting an IPv4 address; there are plenty in the scope. I had the user switch to a different wifi network and he got an IP address and was able to connect to what he needed, but I need to figure out why he and probably only one other user aren't receiving IPs. The odd part is that I don't see it on the AP (if a user has an APIPA address, normally I can see this). When connecting, I didn't get anything from the firewall's pcap either: no DHCP request from the user's computer, etc.

            johnpoz (LAYER 8 Global Moderator), replying to wzkds:

            @wzkds if the client doesn't have an IP on the network attached to pfSense, it would never send traffic to pfSense. You could see some broadcast traffic being blocked.

            Are they clients on a VLAN? But yeah, I would sniff on pfSense, have the client ask for an IP from DHCP; if you're not seeing the discover at all, then yeah, nothing is ever going to work.


              stephenw10 (Netgate Administrator) wrote:

              Sounds like they are getting redirected locally if they see a cert error. Check what cert they are being offered. The details there may indicate what is intercepting the traffic.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.