Netgate Discussion Forum

    Limiter Host Blocked From Leaving LAN ; TCP:SA Blocked

    Firewalling
    7 Posts 3 Posters 1.7k Views
    interkrome:

      My setup:

      Router AN5506-04 - PPPoE (dynamic) - pfSense - switch - LAN

      Rules:

      WAN

      Proto            Source      Port  Destination  Port  Gateway  Queue
      IPv4+6 TCP/UDP   *           *     *            *     *        none

      LAN

      Proto            Source      Port  Destination  Port  Gateway  Queue
      IPv4+6 *         PenaltyBox  *     *            *     *        none
      IPv4+6 *         LAN net     *     *            *     *        none

      A host in PenaltyBox (assigned the In/Out limiter) recorded a lot of TCP:SA blocks.

      Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56445 TCP:SA block/1000000104
      Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56444 TCP:SA block/1000000104
      Direction=OUT LAN 216.58.196.206:80 192.168.3.83:56414 TCP:SA block/1000000104

      How can I fix this?

      KOM:

        1. Use screenshots next time.  Much easier to read.

        2. Get rid of that WAN rule ASAP!  You should not have rules on WAN unless you are allowing unsolicited access inbound, like a port-forwarded web server, for example.

        3. That may be out of state traffic being blocked by the default deny rule.  Are you experiencing any actual usage issues?

        Harvy66:

          What rule is blocking them? I assume the default, but figured it's worth asking.

          interkrome:

            @KOM:

            1. Use screenshots next time.  Much easier to read.

            2. Get rid of that WAN rule ASAP!  You should not have rules on WAN unless you are allowing unsolicited access inbound, like a port-forwarded web server, for example.

            3. That may be out of state traffic being blocked by the default deny rule.  Are you experiencing any actual usage issues?

            1) Thanks for the tips.
            2) Removed.
            3) Not able to access an IPv6-only location.

            interkrome:

              @Harvy66:

              What rule is blocking them? I assume the default, but figured it's worth asking.

              Yes. Default blocking. But once I removed the In/Out limit, no blocks were recorded.

              [Attachment: DefaultBlock.JPG]

              KOM:

                It's usually out of state traffic when you see stuff blocked when there are no blocks other than default deny.

                https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

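A way to check KOM's out-of-state explanation (given in both of his replies above) against the log lines in the first post, and at the same time to test interkrome's observation that only the limiter hosts are affected. This is an added example, not code from the thread or from pfSense. It parses the one-line log summary format pasted in the first post, works out for each blocked packet whether it looks like a late reply to a connection pf has no state for (a SYN-ACK headed back to a LAN host) or an unsolicited inbound SYN, and then tallies the out-of-state hits per LAN host against the hosts in the limiter alias. The LAN prefix 192.168.3.0/24, the PenaltyBox membership and the two extra log lines are constructed assumptions, not facts from the thread.

```python
"""Triage pfSense default-deny log entries of the kind posted above.

Added example, not code from the forum thread or from pfSense.  Parses the
one-line summary format the original poster pasted
("Direction=OUT LAN src:port dst:port TCP:flags action/tracker"), labels each
blocked packet, and counts out-of-state SYN-ACKs per LAN host so the list can
be compared with the hosts the limiter applies to.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed input: the three lines from the post, plus two constructed lines
# (an unsolicited SYN arriving on WAN, and a SYN-ACK to a second LAN host).
SAMPLE_LOG = """\
Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56445 TCP:SA block/1000000104
Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56444 TCP:SA block/1000000104
Direction=OUT LAN 216.58.196.206:80 192.168.3.83:56414 TCP:SA block/1000000104
Direction=IN WAN 198.51.100.7:51234 203.0.113.9:22 TCP:S block/1000000104
Direction=OUT LAN 93.184.216.34:443 192.168.3.20:50001 TCP:SA block/1000000104
"""

# Assumptions about the poster's network (not stated on the page).
LAN_NETS = [ipaddress.ip_network("192.168.3.0/24")]
PENALTYBOX = {"192.168.3.83"}  # hosts the limiter In/Out rule applies to

LINE_RE = re.compile(
    r"Direction=(?P<direction>IN|OUT)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)(?::(?P<flags>[A-Z]+))?\s+"
    r"(?P<action>pass|block)/(?P<tracker>\d+)"
)


@dataclass(frozen=True)
class Entry:
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str
    action: str
    tracker: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one summary line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Entry(
        direction=m["direction"], iface=m["iface"],
        src=m["src"].strip("[]"), sport=int(m["sport"]),
        dst=m["dst"].strip("[]"), dport=int(m["dport"]),
        proto=m["proto"], flags=m["flags"] or "",
        action=m["action"], tracker=m["tracker"],
    )


def in_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def classify(e: Entry) -> str:
    """Say why a packet ended up at the default deny rule.

    A SYN-ACK is only ever sent in answer to a SYN.  If pf still held state
    for the client's SYN, the reply would match that state and never reach
    the rules at all.  A blocked SYN-ACK leaving the firewall towards a LAN
    host is therefore a reply to a connection pf does not track: out of state.
    """
    if e.action != "block":
        return "passed"
    if e.proto == "TCP" and e.flags == "SA" and e.direction == "OUT" and in_lan(e.dst):
        return "out-of-state reply"
    if e.proto == "TCP" and e.flags == "S" and e.direction == "IN" and not in_lan(e.src):
        return "unsolicited inbound SYN"
    return "other"


def out_of_state_by_host(lines: Iterable[str]) -> Counter:
    """Count out-of-state replies per LAN destination host."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e and classify(e) == "out-of-state reply":
            counts[e.dst] += 1
    return counts


def limiter_correlation(lines: Iterable[str]) -> Dict[str, Tuple[int, bool]]:
    """Map each affected LAN host to (hit count, member of PenaltyBox?)."""
    return {host: (n, host in PENALTYBOX)
            for host, n in out_of_state_by_host(lines).items()}


if __name__ == "__main__":
    for host, (n, limited) in sorted(limiter_correlation(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:<16} out-of-state SYN-ACKs: {n:<3} in PenaltyBox: {limited}")
```

Run against a copy of the real log, if every host that shows up is a PenaltyBox member the logs support the suspicion that the limiter is involved; hits on hosts outside the alias (like the constructed 192.168.3.20 line) are the ordinary late-packet case the linked doc describes.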
                interkrome:

                  @KOM:

                  It's usually out of state traffic when you see stuff blocked when there are no blocks other than default deny.

                  https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

                  Usually it was. But this time I doubt that, since it only applies to the IPs I put a limiter on. Any idea?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.