Netgate Discussion Forum
    The firewall is blocking allowed connections

    Firewalling
    13 Posts 4 Posters 2.4k Views
    decibel83

      Hi.

      I have a strange problem that I haven't managed to solve.
      Some allowed traffic is blocked by the firewall and I see the blocked lines in the firewall logs.
      Every attempt to allow this traffic was useless.

      I read this document (http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F), but I haven't solved my problem yet.

      The strange thing is that I have this problem only sometimes, and not for all traffic matching the same rules.
      I have the most recent version of pfSense (2.0.2), and another strange thing is that I tried with the old version 1.2 and it works without any problem.

      You can see the blocked logs in the attached screenshot.

      Could you help me, please?

      Thank you very much!
      Bye.
      Attachment: Schermata 2013-03-04 alle 17.58.05.png

      kelsen

        Looks like the packet enters and leaves the same interface; try enabling the option "Bypass firewall rules for traffic on the same interface" under System -> Advanced -> Firewall/NAT.
        If it doesn't work, explain your network, interface configuration, rules and so on.

        cubix85

          Now we have separated the two networks: one physical interface for network 192.168.46.0/24 (NET A) and one physical interface for network 192.168.10.0/24 (NET B).
          Firewall rules for NET B are all open, all the traffic can pass through this interface (see attachment).

          In the log we still have blocked traffic to or from NET B (see attachment).

          We don't understand why pfSense blocks this traffic…

          Attachments: netBfwrules.jpg, fwblockedtraffic.jpg

          Klaws

            The firewall log can show you which rule blocked the traffic. Click on the red "block" icon in the Act column. What does it say?

            cubix85

              It says "Default deny rule" (translated into English), the one you can see in the screenshot I posted in my last post.
              But in the firewall rules, the first one is a "Default allow all".

              Klaws

                It looks like all blocked packets are ACKs. So other traffic seems to get through… interesting.

                Do you redirect ACKs somehow?

                cubix85

                  No redirection, no strange configurations...

                  At the moment I only want to route all the traffic from one NET to the other one and check that all works well. Then I will start to block something...

                  kelsen

                    Is the netmask consistent with the firewall? Does other traffic pass through the firewall?

                    cubix85

                      What do you mean by "the netmask is consistent with the firewall?"

                      I have set the interfaces in this way: 192.168.46.254/24 and 192.168.10.8/24, is it right?

                      Yes, traffic on the other interface works correctly.

                      kelsen

                        I mean, the workstation and firewall have the same netmask.

                        "Yes, traffic on the other interface works correctly."

                        I'm asking if some type of traffic passes through those networks or none at all.

                        cubix85

                          Yes, most of the traffic passes through these interfaces, but sometimes I find blocked traffic in the logs…

                          But the strange thing is that the traffic that gets blocked is usually passed  :o

                          Maybe lost packets that reach the firewall and are discarded?

                          kelsen

                            I'm not sure, but I think those flags, FPA, PA, aren't normal. Maybe it's what you said, or poorly written software.
                            Does this blocked traffic impact anything or not? If it does not, don't worry too much.

                            cubix85

                              I don't know why these flags appear…

                              The blocked traffic is related to the Sophos antivirus updates, so I hope this software isn't poorly written.

                              Usually there are no problems, but when the blocking of these packets occurs, there are significant delays in the AV updates and sometimes it isn't possible to connect to the server.

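To show why a "Default allow all" rule at the top can still produce "Default deny rule" blocks on PA/FPA packets, here is an added Python model of pf-style stateful filtering; it is not code from this thread or from pfSense. It assumes a constructed 60 s idle timeout and that TCP pass rules match only SYN packets (flags S/SA), as pfSense-generated rules do, so a mid-stream packet whose state has expired (or was never created on this firewall) cannot match the pass rule and falls through to the default deny.

```python
# Simplified model of pf-style stateful evaluation (constructed for illustration):
# 1. a packet matching an existing state passes without consulting the rules;
# 2. otherwise the rules run; a TCP pass rule carries "flags S/SA", so only a
#    SYN without ACK can match it and create state;
# 3. whatever is left hits the implicit default deny.
from dataclasses import dataclass

STATE_TIMEOUT = 60  # seconds of idleness before a state entry is purged (assumed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags in pf log notation: "S", "SA", "PA", "FPA", ...
    t: int       # arrival time in seconds

class StatefulFilter:
    def __init__(self):
        self.states = {}   # flow key -> time the state was last refreshed

    @staticmethod
    def flow_key(p):
        # Direction-agnostic key so replies match the state created by the SYN.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        key = self.flow_key(p)
        last = self.states.get(key)
        if last is not None and p.t - last <= STATE_TIMEOUT:
            self.states[key] = p.t                   # state hit: rules not evaluated
            return "pass (state)"
        self.states.pop(key, None)                   # stale or missing state: run rules
        if "S" in p.flags and "A" not in p.flags:    # pass rule with flags S/SA
            self.states[key] = p.t
            return "pass (rule, state created)"
        return "block (default deny)"                # mid-stream packet, no rule matched

def run(packets):
    """Return one verdict per packet, in arrival order."""
    fw = StatefulFilter()
    return [fw.filter(p) for p in packets]

# Constructed flow: a client on NET B (192.168.10.0/24) talking to a server on NET A.
SAMPLE = [
    Packet("192.168.10.5", 49152, "192.168.46.20", 443, "S", 0),
    Packet("192.168.46.20", 443, "192.168.10.5", 49152, "SA", 1),
    Packet("192.168.10.5", 49152, "192.168.46.20", 443, "PA", 10),
    Packet("192.168.46.20", 443, "192.168.10.5", 49152, "FPA", 100),  # after a long idle gap
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, run(SAMPLE)):
        print(f"t={p.t:3d} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {v}")
```

The last packet is logged against the default deny even though the pass rule would accept a fresh SYN from the same hosts, which is exactly the pattern of blocked PA/FPA packets on an otherwise working connection described above.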
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.