Firewall blocking some LAN to LAN traffic
-
I have two networks connected to the Internet through pfSense that also talk with each other.
pfSense has two Internet connections.
LAN 1 attached to pfsense 192.168.1.0/24
LAN 2 is connected to LAN 1
LAN 2 is 192.168.11.0/24
LAN 2 router is 192.168.1.251
pfSense has a route/gateway set up to pass all traffic for 192.168.11.0/24 to 192.168.1.251.
Everything works: I can surf the Internet from both LANs, and that is fine. I can connect from the Internet and RDP to a computer in the 192.168.11.0/24 subnet.
I can't RDP for long from the 192.168.1.0/24 subnet to the 192.168.11.0/24 subnet: the connection gets blocked by the firewall, then reconnects, then is blocked, then reconnects, and on and on. So it kind of works, then doesn't…
These are the log entries.
Feb 29 13:36:47 LAN 192.168.1.173:62354 192.168.11.197:3389 TCP:A
Feb 29 13:36:49 LAN 192.168.1.173:62354 192.168.11.197:3389 TCP:A
Feb 29 13:36:51 LAN 192.168.1.173:62354 192.168.11.197:3389
When I click the red X, it says "Default deny rule".
I must be missing something simple?
-
Give us a network map.
-
Just to be clear, what is the LAN IP on pfSense? Regarding "switch 192.168.1.0/24", are you saying that it's a level 3 switch, or just stating the LAN subnet coming from pfSense? I'm guessing it's just the subnet, but let's clarify and add all the details.
After that, I would say:
1. Give us your firewall rules that allow traffic in both directions, along with pfSense's routing table.
2. Give us the routing table on the Ubiquiti Loco (router mode) sitting on 192.168.1.251.
-
LAN IP is 192.168.1.1
It's one physical switch that is represented.
LAN Rules
Internal is an alias for the 192.168.1 and 192.168.11 subnets.

| ID | Proto | Source          | Port | Destination     | Port        | Gateway            | Queue | Schedule | Description                     |
|----|-------|-----------------|------|-----------------|-------------|--------------------|-------|----------|---------------------------------|
|    | *     | *               | *    | LAN Address     | 22,80,443   | *                  | *     |          | Anti-Lockout Rule               |
|    | *     | 192.168.11.0/24 | *    | *               | *           | *                  | none  |          | Default allow Nebar to any rule |
|    | *     | LAN net         | *    | 192.168.11.0/24 | *           | Nebar              | none  |          | Default allow LAN to any rule   |
|    | TCP   | Internal        | *    | *               | 443 (HTTPS) | LoadBalance_Secure | none  |          | SSL Static                      |
|    | *     | Internal        | *    | *               | *           | LoadBalance_Night  | none  | Night    | Default allow LAN to any rule   |
|    | *     | Internal        | *    | *               | *           | LoadBalance        | none  |          | Default allow LAN to any rule   |
|    | *     | *               | *    | *               | *           | *                  | none  |          | Pass All                        |
pfSense Route Table
Destination        Gateway            Flags  Refs  Use       Mtu    Netif  Expire
default            68.178.124.1       UGS    0     395589    1500   vr2
10.5.5.0/24        link#2             U      0     907008    1500   vr1
10.5.5.2           00:0d:b9:26:5d:ad  UHS    0     744       1500   vr1
10.5.5.3           00:0d:b9:26:5d:ad  UHS    0     732       1500   vr1
10.5.5.221         link#2             UHS    0     207       16384  lo0
68.178.124.0/24    link#3             U      0     62628     1500   vr2
68.178.124.189     link#3             UHS    0     3         16384  lo0
127.0.0.1          link#5             UH     0     464       16384  lo0
192.168.1.0/24     link#1             U      0     37586441  1500   vr0
192.168.1.1        link#1             UHS    0     0         16384  lo0
192.168.2.0/24     10.5.5.1           UGS    0     1189298   1500   vr1
192.168.11.0/24    192.168.1.251      UGS    0     1309881   1500   vr0
More logs of SOME traffic being blocked from the 192.168.1.0 subnet to the 192.168.11.0 subnet (not all traffic is blocked):
Mar 1 06:18:50 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Mar 1 06:19:50 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Mar 1 06:19:56 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Mar 1 06:21:00 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Mar 1 06:22:04 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Mar 1 06:23:08 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Loco Route Table
Destination    Gateway      Netmask        Interface
192.168.1.0    0.0.0.0      255.255.255.0  WLAN
192.168.11.0   0.0.0.0      255.255.255.0  LAN
0.0.0.0        192.168.1.1  0.0.0.0        WLAN
-
Can't statefully filter asymmetrically routed traffic. System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface"
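To see why the last reply is right, here is a toy stateful filter, added as an example and not pfSense code, fed with packet sequences constructed from the two logs above. Because 192.168.11.0/24 sits behind 192.168.1.251 on the same LAN segment as the hosts, half of each conversation goes host ↔ .251 directly and pfSense only sees the other half, so it has no matching state and logs the stray SYN-ACK or ACK as "Default deny rule"; the `bypass_same_iface` flag models the "Bypass firewall rules for traffic on the same interface" setting.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Both subnets are reached through pfSense's single LAN interface (vr0) in this thread's layout.
LAN_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.11.0/24")]

class Pkt(NamedTuple):
    src: str; sport: int; dst: str; dport: int; flags: str; via_fw: bool
    # flags as in the pfSense log ("S", "SA", "A"); via_fw=False means the packet went
    # host <-> 192.168.1.251 directly on the switch and pfSense never saw it

def iface(ip: str) -> str:
    return "LAN" if any(ip_address(ip) in n for n in LAN_NETS) else "WAN"

class StatefulFilter:
    def __init__(self, bypass_same_iface: bool = False):
        self.states, self.bypass = set(), bypass_same_iface

    def handle(self, p) -> str:
        if p == "expire":            # state timed out while the host talked to .251 directly
            self.states.clear(); return "expired"
        if not p.via_fw:
            return "unseen"
        if self.bypass and iface(p.src) == iface(p.dst):
            return "pass (same-interface bypass)"   # the setting from the last reply
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if p.flags == "S":           # only a SYN seen by the firewall creates state
            self.states.add(key); return "pass (new state)"
        return "pass (state)" if key in self.states else "block (Default deny rule)"

# Constructed from the Mar 1 log: the printer's SYN went .251 -> .53 on the wire,
# the server's SYN-ACK went back through its default gateway, pfSense.
LPD_FLOW = [
    Pkt("192.168.11.250", 731, "192.168.1.53", 515, "S", via_fw=False),
    Pkt("192.168.1.53", 515, "192.168.11.250", 731, "SA", via_fw=True),
]
# Constructed from the Feb 29 log: RDP SYN through pfSense, SYN-ACK direct from .251,
# a later ACK reaches pfSense after the half-open state has timed out.
RDP_FLOW = [
    Pkt("192.168.1.173", 62354, "192.168.11.197", 3389, "S", via_fw=True),
    Pkt("192.168.11.197", 3389, "192.168.1.173", 62354, "SA", via_fw=False),
    "expire",
    Pkt("192.168.1.173", 62354, "192.168.11.197", 3389, "A", via_fw=True),
]

def run(flow, bypass_same_iface: bool = False) -> list:
    fw = StatefulFilter(bypass_same_iface)
    return [fw.handle(p) for p in flow]
```

Running `run(LPD_FLOW)` and `run(RDP_FLOW)` reproduces the TCP:SA and TCP:A blocks; with `bypass_same_iface=True` both flows pass, at the cost of no stateful inspection between the two LANs.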