Netgate Discussion Forum
    "Default deny rule" blocking permitted traffic

    Category: 1.2.1-RC Snapshot Feedback and Problems-RETIRED
    8 Posts, 2 Posters, 5.6k Views
      ISCGDave:

      I have 3 VLANs configured on 2 physical interfaces.
      The internal networks are LAN and OPT1 and NAT is configured on the WAN interface.

      I have default permit all rules on each internal interface and specific permit all rules on both LAN and OPT1 permitting each network.

      When I RDP from a desktop located on LAN to a server located on OPT1 it connects, but I get timeouts and have to reconnect.
      The firewall log shows @88 block drop in log quick all label "Default deny rule" for the LAN interface. This happens no matter how specific I get with the "permit" rules.

      Any ideas?

        GruensFroeschli:

        Do you have TCP/UDP as the protocol?
        Could you show a screenshot of your rules?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          ISCGDave:

          Attached screenshots: lan.jpg, opt1-rules.jpg, firewall.jpg

            GruensFroeschli:

            Your rules confuse me O_o
            Do you have multiple subnets on the LAN and the same multiple subnets on the OPT1?

            What IP-range is where?
            Do you have public IPs on your LAN?

            How are you trying to connect to the server?
            Via a portforward from the public IP you have on the WAN of the pfSense?
            Or are you using NAT at all?
            Is this a routed setup?


              ISCGDave:

              Yes, the rules that are there are a last-ditch attempt; some are not needed.

              LAN is 50.25.50.0/24
              OPT1 is 192.168.101.0/24

              I have the same problem when connecting via RDP from LAN to OPT1 or OPT1 to LAN, but LAN to a global address through WAN is fine.

              Everything that I have tried

              -> Advanced -> suppress ARP messages on/off

              -> Advanced -> use device polling on/off

              -> Advanced -> Bypass firewall rules for traffic on the same interface on/off

              -> Advanced -> Disable the PF scrubbing on/off

              -> Advanced -> hardware checksum offloading on/off

              -> OPT1 -> changed MTU to 1492

              RDP sessions stay connected for about 10 to 15 seconds and then disconnect no matter what I do.
              If I connect to a session from LAN to a global address it stays connected (going through WAN).

                ISCGDave:

                I have LAN, OPT1 (DMZ) and WAN.

                Here are my NAT settings (attached screenshot: NAT.jpg).

                  GruensFroeschli:

                  Ok, that's clearer.
                  For debugging: delete all rules you have on all interfaces and create one single rule per interface looking like the last rule on your OPT1 (* * * * * *)
                  -> allow anything from anywhere.
                  If that helps start clamping the rules back to somewhat more restrictive.

                  You could also try to set the "Firewall Optimization Options" setting to "conservative".
                  It sounds a bit like your connection gets dropped even if it shouldn't.

                  I think I remember there was once a similar thread around about RDP as well.
                  Have to see if I can find it.


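The symptom in this thread (a "Default deny rule" hit on traffic that a pass rule already allowed) usually means the packet no longer matches a state entry rather than that a rule denies it. The short classifier below is an added example, not code from the thread or from pfSense: it reads constructed pfSense-style filter log lines (the line format is a simplified assumption, as is rule number 88 standing in for the default deny rule) and separates blocked new connections (SYN) from blocked mid-connection packets, which point at state timeouts, the thing the "conservative" optimization setting changes.

```python
import re
from dataclasses import dataclass

# Constructed, simplified pfSense/pflog-style filter log lines (not taken from the
# thread's screenshots). Rule 88 stands in for the thread's "@88 ... Default deny rule".
SAMPLE_LOG = """\
Mar 10 10:00:00 pf: rule 88/0(match): block in on vlan10: 50.25.50.20.51234 > 192.168.101.5.3389: Flags [P.], seq 1:100, ack 1, win 256
Mar 10 10:00:01 pf: rule 88/0(match): block in on vlan10: 50.25.50.20.51234 > 192.168.101.5.3389: Flags [.], ack 1, win 256
Mar 10 10:00:05 pf: rule 88/0(match): block in on vlan10: 50.25.50.31.40000 > 192.168.101.5.22: Flags [S], seq 0, win 65535
Mar 10 10:00:07 pf: rule 88/0(match): block in on vlan10: 50.25.50.20.51240 > 192.168.101.5.3389: Flags [S], seq 0, win 65535
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

@dataclass
class Verdict:
    src: str
    dst: str
    dport: int
    flags: str
    kind: str  # "policy" (ruleset rejects a new connection) or "state" (no matching state)

def classify(line):
    """Classify one blocked TCP log line; returns None for pass lines or unparsable input."""
    m = LINE_RE.search(line)
    if not m or m["action"] != "block":
        return None
    flags = m["flags"]
    # A blocked bare SYN is a new connection the ruleset really rejects.
    # A blocked packet without SYN (tcpdump "." means ACK) belongs to a conversation that
    # already passed the rules once; pf only drops it because no state entry matches any
    # more (state expired or was cleared, or the return path is asymmetric). That is a
    # state/timeout problem, not something another pass rule will fix.
    kind = "policy" if "S" in flags and "." not in flags else "state"
    return Verdict(m["src"], m["dst"], int(m["dport"]), flags, kind)

def classify_log(text):
    return [v for v in (classify(ln) for ln in text.splitlines()) if v]

def state_drops(text, port=3389):
    """Blocked mid-connection packets to one service port (RDP by default)."""
    return [v for v in classify_log(text) if v.kind == "state" and v.dport == port]

if __name__ == "__main__":
    for v in classify_log(SAMPLE_LOG):
        print(f"{v.src} -> {v.dst}:{v.dport} flags [{v.flags}] -> {v.kind}")
```

Run against a real export the regex will need adjusting to the exact log format of the pfSense version in use; the SYN-versus-ACK distinction is what carries over.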
                    ISCGDave:

                    Well, I changed the firewall rules to conservative without deleting the other rules and it fixed it.

                    I guess I'll have to read up on that option.

                    Thanks for all your HELP!  ;D

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.