Netgate Discussion Forum
    TCP ACK packets being blocked

    Firewalling (3 Posts, 2 Posters, 5.9k Views)
    MaxFrames:

      I've set up a pfsense machine as a transparent firewall (i.e. bridging the LAN and WAN interfaces, no routing) for a branch office.
      Since I do not need to filter outgoing traffic, I just created a LAN-side rule to allow all traffic on all protocols.
      At the same time I am filtering incoming traffic.
      All seems to work somehow (i.e. no connections fail), but there's a certain sluggishness in performance, especially when establishing connections, so I've had a close look at the firewall logs.
      Apparently the firewall is discarding some or all TCP packets (both incoming and outgoing) with an ACK flag, i.e. for example TCP packets with the SA, RA and FA flags.

      An example log entry would be:
      [timestamp] WAN [IP address of some remote web site]:80 [IP address of one of my LAN hosts]:60665 TCP:SA
      Another example would be the opposite, i.e.
      [timestamp] [IP address of a LAN host]:60665 [IP address of some remote web site]:80 TCP:RA

      In theory, since pfsense is a stateful firewall and there is a pass-all rule in place for outgoing traffic, all traffic going from LAN to WAN should pass, as should all the WAN to LAN traffic that is related to a connection which was initiated on the LAN side (as surely is a SA packet from a web server acknowledging the SYN request).

      I've already tried the following, to no avail:

      • set the "pass-all" rule to "sloppy state" instead of "keep state"
      • set the "net.link.bridge.pfil_bridge" setting to "1" instead of default (0)
      • set the "Clear invalid DF bits instead of dropping the packets" option to "on"

      None of the above worked.

      Can you help me? Thanks

      netsysadmin:

        I was about to start a thread on this issue and then, after a search, I found yours.
        I'm having similar/identical issues.
        One difference in my implementation is that I also filter outgoing connections.

        Have you found the cause?
        Anyone can help?

        netsysadmin:

          I just read the following thread http://forum.pfsense.org/index.php/topic,25795.0.html.
          It also points to http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F, which states that "It is harmless, and does not indicate an actual blocked connection".

          However, users are still reporting problems connecting to a web site or to a mail server (on port 443).

          Anything else that can be done?

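A small triage script for firewall log lines of the shape quoted in this thread, added here as an example and not taken from the thread or from pfSense itself. The sample lines and addresses are constructed, and the rule it applies is an assumption of the example: a blocked bare SYN is a genuinely refused connection attempt, while a blocked ACK-bearing segment with no SYN (SA, RA, FA, PA) matches the out-of-state leftover case the linked pfSense doc calls harmless.

```python
import re
from collections import Counter

# Line shape quoted in the thread: "[timestamp] [iface] src:port dst:port TCP:FLAGS".
# The interface column is optional because the second quoted example lacks it.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<iface>[A-Za-z]\w*)\s+)?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP:(?P<flags>[A-Z]+)$"
)

# Constructed sample log (documentation address ranges), not the poster's data.
SAMPLE_LOG = """\
[Jan 10 09:00:01] WAN 203.0.113.10:80 192.0.2.20:60665 TCP:SA
[Jan 10 09:00:02] 192.0.2.20:60665 203.0.113.10:80 TCP:RA
[Jan 10 09:00:03] WAN 203.0.113.10:443 192.0.2.21:51000 TCP:FA
[Jan 10 09:00:04] WAN 198.51.100.7:4444 192.0.2.22:22 TCP:S
[Jan 10 09:00:05] WAN 203.0.113.10:443 192.0.2.21:51000 TCP:PA
"""


def classify(flags):
    """Assumed triage rule: SYN without ACK is a refused new connection;
    anything carrying ACK but no SYN is a stale-state block (the doc's
    'harmless' case); everything else is left for manual review."""
    if "S" in flags and "A" not in flags:
        return "new-connection"
    if "A" in flags:
        return "stale-state"
    return "other"


def parse_log(text):
    """Parse each log line into a dict of fields plus a triage verdict."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the quoted shape
        row = m.groupdict()
        row["verdict"] = classify(row["flags"])
        rows.append(row)
    return rows


def summarize(rows):
    """Count blocks per verdict so a real denied SYN stands out from ACK noise."""
    return Counter(r["verdict"] for r in rows)
```

In the sample, four of the five blocks are the stale-state kind the doc describes and only the bare SYN to port 22 is a real refusal, which is the split a defender wants before deciding whether the log noise explains the reported slowness.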