Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    External IP source lan>wan, traffic blocked at firewall?

    Scheduled Pinned Locked Moved
    Firewalling
    2
    2
    1.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tastyratz
      last edited by

      I recently setup PFsense to replace an aged IPCop install in production here. Mostly it has been working well for us, but we have some traffic being blocked I can't seem to resolve.

      we have an application we develop which calls home to a server. By default it is configured to use the external ip address and just makes a round trip when used internally (vs at a customer site). This application functioned fine before implementing PFsense, and it still works if you change to the internal dns name as the target manually every time.

      I am seeing some odd firewall logs. A few examples below (ip and ports have been changed to protect the innocent)

      Dec 29 11:52:30 LAN Source  192.168.0.99:80 Dest 114.129.1.2:594 TCP:PA

      Dec 29 11:37:39 Direction=OUT LAN Source  62.232.5.1:547 Dest 192.168.0.99:80 TCP:R

      information on logged blocks just comes up with:
      @4 block drop out log inet all label "Default deny rule IPv4

      The PFSense box is the gateway for the server (dedicated with dedicated internet connection)

      L3 switch is the gw for end users which go out through another internet connection/fw
      users are able to reach the pfsense box. pings in all directions flow.

      I have tried searching the forum for answers for days,
      unblocking private networks,
      creating an easyrule and then mimicking it without the IP address tiedowns,
      editing rules to pass all tcp flags and sloppy states.
      turning on nat reflection

      application is working externally.
      I am setup to pass all lan traffic and I am using multiple virtual IP's on wan.
      Why am I seeing any lan traffic blocks at ALL if I left lan wide open? Shouldn't I just be filtering wan???

      I appreciate you taking the time to read this and any suggestions you might have.

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        The problem is when you access the public IP address (which is port forwarded to the internal server in question) but from a subnet on the inside of pfSense. In theory NAT reflection should make it work.
        In practice it is usually easier to do split DNS. If pfSense is doing DNS service for your internal subnets, then add a host override to define the external name to be the internal (private) IP address of the server.
        Local clients will then connect direct to the server private IP. Clients out on the big bad internet will get the usual DNS pointing to the public IP.

        The firewall log entries you see are out-of-state packets - they are remnants of traffic that has come after some previous state has timed out or…

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • First post
          Last post