Netgate Discussion Forum

    pfSense blocks HTTP response

    3 Posts 3 Posters 1.4k Views
    • yoon

      My network has 2 gateways: a core router and pfSense.

      Everything is fine if the server points its gateway to the core router.

      [HTTP Request]
      client --> router --> server
      [HTTP Response]
      server --> router --> client

      The problem occurs when I change the gateway to pfSense. Any HTTP response is blocked.

      [HTTP Request]
      client --> router --> server
      [HTTP Response]
      server --> pfSense --> router --> client

      I tried to add a pfSense rule to allow traffic tcp:server:80 --> any, but with no success.

      Thanks for advice.
      Yoon

      • johnpoz (LAYER 8 Global Moderator)

        Your second diagram makes no sense. If you changed the client's gateway to pfSense, why would you show it talking to only the router on the request?

        And then why would it come back through pfSense and then the router before going to the client?

        How exactly you have your network set up would be helpful. Are the router and pfSense inline? Are they just routing or NATing? Is one of them bridging vs routing? etc.

        From your brief description I would take it your router and pfSense have either different WAN connections or different IPs on the same WAN network, and then different IPs on the same LAN network?

        You normally do not want traffic taking different paths, i.e. if traffic left your router and then the response hit the WAN interface of pfSense. pfSense would not have a state for your request to know where to send the response packet for your request, so it would be dropped, unless you have a specific forward that said send traffic from known IP source port 80 to ALL dst ports to the client IP. How would pfSense know the dst port of the response from the HTTP server that went out your router?

        You do understand that the response back from the HTTP server you're trying to talk to would be from src 80, and the dst port would be the random >1024 that your client used to make the request, so allowing 80 into your pfSense is not going to help any.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • cmb

          You're creating a mess there by trying to statefully firewall asymmetrically routed traffic (with any firewall); you can't add rules to allow that. Firewalls must see both directions to be able to properly filter. No idea why you would want to have that kind of setup, so not sure what alternative to suggest that's sane.
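          The point both replies make (a stateful firewall only passes replies to requests it saw start, and a rule on port 80 never matches a reply whose dst port is the client's ephemeral port) as an added toy model, not pfSense code or anything from this thread. The state-table layout, the rule shape and the addresses are constructed assumptions; it keeps the default behaviour of creating state only on the initial SYN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the client's initial connection request

class StatefulFirewall:
    """Toy state table: a state is created when an allowed SYN is seen, and
    afterwards packets in either direction of that 4-tuple pass. A packet with
    no state must be a SYN matching an allow rule; anything else is dropped."""

    def __init__(self, rules):
        self.rules = rules     # allow rules as (dst_ip, dst_port); "any" wildcards
        self.states = set()    # (src, sport, dst, dport) of the request direction

    def _rule_allows(self, pkt):
        return any(ip in ("any", pkt.dst) and port in ("any", pkt.dport)
                   for ip, port in self.rules)

    def handle(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"      # belongs to a connection the firewall saw start
        if pkt.syn and self._rule_allows(pkt):
            self.states.add(fwd)
            return "pass"
        return "drop"          # no state: a reply to a request we never saw

CLIENT, SERVER = "192.0.2.10", "198.51.100.80"   # constructed sample addresses
ALLOW_WEB = [(SERVER, 80)]                        # "allow tcp to server:80"

def symmetric_path():
    """Request and reply both cross the firewall: a state exists, reply passes."""
    fw = StatefulFirewall(ALLOW_WEB)
    request = Packet(CLIENT, 51514, SERVER, 80, syn=True)
    reply = Packet(SERVER, 80, CLIENT, 51514)
    return fw.handle(request), fw.handle(reply)

def asymmetric_path(rules=ALLOW_WEB):
    """Request left via the core router, so only the reply reaches the firewall.
    No state exists, and the reply's dst port is the client's ephemeral port,
    not 80, so the allow rule does not match it either."""
    fw = StatefulFirewall(rules)
    reply = Packet(SERVER, 80, CLIENT, 51514)
    return fw.handle(reply)
```

          Even an allow-everything rule of ("any", "any") leaves asymmetric_path() at "drop", because the reply is not a SYN and matches no state, which is why no rule fixes this.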

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.