Netgate Discussion Forum

Problem with RDP, SSH, VNC, anything requiring constant connection.

1.2.3-PRERELEASE-TESTING snapshots - RETIRED
6 Posts 3 Posters 6.7k Views
    john.grange (last edited Feb 18, 2009, 8:56 PM)

    I upgraded to 1.2.3 in hopes that it would solve the problem I am having with RDP, SSH, VNC, or any traffic requiring constant connection. Pings, web traffic, etc all work fine.

    I also traced the problem down to the firewall rules: either disabling PF (in advanced configuration) or clearing the firewall rules from the command line fixes the problem, but this obviously defeats the purpose of a firewall!

    I have noticed that the traffic shows up in the firewall log as blocked by default deny rule, even though I have allow all on ALL interfaces.

    This is not a latency issue, as noted in another forum post somewhere; this is LAN-to-LAN traffic across different subnet(s) and/or VPN tunnels on a different router.

    Again this is present even across two different nic cards on the same firewall.

    This was present in 1.2.2.

    Below is a diagram of our network:

    Firewall03 is a single firewall at the moment but will look similar to the external firewall setup after this issue has been resolved. The external firewall(s) are set up with CARP and failover only; no load balancing is being used. Again, this issue is present on both the internal and external firewall setups. All were upgraded to 1.2.3 last night, but the problem was also present in 1.2.2. And again, the issue is present even strictly on the internal firewall going from the 10.26.0.0 subnet to the 172.27.2.0 subnet.

    ----------------------------------------

    10.26.0.0/23                                                WAN1                 WAN2
         ^                                                        ^                    ^
    10.26.2.0/23 [firewall03] 192.168.120.0/24 ->---- 192.168.120.76 [firewall01] ---pfSync--- [firewall02]
         ^                                                  192.168.120.74       192.168.120.75
    172.27.2.0/23

      cmb (last edited Feb 19, 2009, 2:51 AM)

      Sounds like you have asymmetric routing or something of that nature that's messing with state keeping. Allow all is really only allow all with flags S/SA plus anything in the state table. So you're seeing out of state traffic for some reason.

        john.grange (last edited Feb 19, 2009, 4:58 AM)

        @cmb:

        Sounds like you have asymmetric routing or something of that nature that's messing with state keeping. Allow all is really only allow all with flags S/SA plus anything in the state table. So you're seeing out of state traffic for some reason.

        Ok, can you explain how that might happen, and how I might be able to track down what would be causing this? Again, like other users I did not have this problem before 1.2.2.

        [EDIT]

        Ok, I did some research, and in some cases yes, it might be due to asymmetric routing. Does that mean that if I have a route through a VPN server that does not have the firewall as the gateway, I cannot do any packet filtering?

          dilidolo (last edited Feb 21, 2009, 12:44 AM)

          I'm having the same issue. :( :( :(

            cmb (last edited Feb 21, 2009, 10:31 PM)

            @john.grange:

            Ok I did some research and in some cases yes it might be due to the asymmetric routing, does that mean if I have a route through a VPN server that does not have the firewall as the gateway I can not do any packet filtering?

            Not for those networks. Check "Bypass firewall rules for traffic on the same interface" under System -> Advanced.

              dilidolo (last edited Feb 23, 2009, 6:10 PM)
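The two points cmb makes above, that an "allow all" TCP rule only matches the first packet of a connection (flags S/SA) with everything else relying on the state table, and that the "Bypass firewall rules for traffic on the same interface" option only helps when both hosts sit behind the same interface, can be seen in a small simulation. The following is an added example written for this page; it is not pfSense or pf code and does not come from anyone in the thread. Interface names, hosts, ports and flag values are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed TCP flag bits used only by this simulation.
SYN = 0x02
PSH = 0x08
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "icmp"
    in_if: str      # interface the packet arrived on (constructed names)
    out_if: str     # interface the routing table forwards it to
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0  # TCP flags; ignored for icmp


@dataclass
class StatefulFirewall:
    """Toy model of a pf-style filter with an 'allow all' rule on every interface."""
    bypass_same_interface: bool = False
    states: set = field(default_factory=set)
    blocked: list = field(default_factory=list)

    @staticmethod
    def _state_key(p):
        # Order the endpoints so a reply maps to the same entry as the request.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def filter(self, p):
        key = self._state_key(p)
        # Packets matching an existing state are passed without evaluating rules.
        if key in self.states:
            return "pass:state"
        # The bypass option skips the rules when in and out interface are the same.
        if self.bypass_same_interface and p.in_if == p.out_if:
            return "pass:bypass"
        # A TCP pass rule matches only when SYN is set and ACK is clear ("flags S/SA"),
        # i.e. the first packet of a connection. Anything else is out of state and
        # falls through to the implicit default deny, which is what the log shows.
        if p.proto == "tcp" and (p.flags & (SYN | ACK)) != SYN:
            self.blocked.append(
                f"block default deny on {p.in_if}: {p.src}:{p.sport} -> "
                f"{p.dst}:{p.dport} flags=0x{p.flags:02x}")
            return "block:default-deny"
        # Non-TCP traffic (ICMP here) has no flag check, so the rule matches and a
        # state is created even if the firewall never saw the other direction.
        self.states.add(key)
        return "pass:rule"


def run_scenarios():
    """Returns the verdicts for four constructed traffic patterns."""
    client, server = "10.26.0.10", "172.27.2.20"   # constructed hosts

    def tcp(in_if, out_if, src, dst, sport, dport, flags):
        return Packet("tcp", in_if, out_if, src, dst, sport, dport, flags)

    results = {}
    # 1. Symmetric: both directions of an RDP session traverse the firewall.
    fw = StatefulFirewall()
    results["symmetric"] = [fw.filter(p) for p in [
        tcp("lan", "opt1", client, server, 50000, 3389, SYN),
        tcp("opt1", "lan", server, client, 3389, 50000, SYN | ACK),
        tcp("lan", "opt1", client, server, 50000, 3389, ACK),
        tcp("opt1", "lan", server, client, 3389, 50000, PSH | ACK),
    ]]
    # 2. Asymmetric: the SYN left through another router, so no state exists
    #    and every packet the firewall does see is blocked by default deny.
    fw = StatefulFirewall()
    results["asymmetric_tcp"] = [fw.filter(p) for p in [
        tcp("opt1", "lan", server, client, 3389, 50000, SYN | ACK),
        tcp("opt1", "lan", server, client, 3389, 50000, PSH | ACK),
    ]]
    results["asymmetric_log"] = list(fw.blocked)
    # 3. Same asymmetric path for ICMP: the echo reply still matches "allow all".
    fw = StatefulFirewall()
    results["asymmetric_icmp"] = fw.filter(Packet("icmp", "opt1", "lan", server, client))
    # 4. Bypass option: helps when in and out interface match, not otherwise.
    fw = StatefulFirewall(bypass_same_interface=True)
    results["bypass_same_if"] = fw.filter(tcp("lan", "lan", server, client, 3389, 50000, SYN | ACK))
    results["bypass_other_if"] = fw.filter(tcp("opt1", "lan", server, client, 3389, 50000, SYN | ACK))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Scenario 2 reproduces the symptom in the first post: the blocked entries carry the default deny label even though the only configured rule is "allow all", because an out-of-state SYN-ACK or data segment never matches a rule that requires flags S/SA. Scenario 3 is why pings keep working in the same setup, and scenario 4 shows the limit of the bypass option that cmb points to.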

              @cmb:

              @john.grange:

              Ok I did some research and in some cases yes it might be due to the asymmetric routing, does that mean if I have a route through a VPN server that does not have the firewall as the gateway I can not do any packet filtering?

              Not for those networks. Check "Bypass firewall rules for traffic on the same interface" under System -> Advanced.

              I have this selected but still the same issue.

              Thanks

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.