Netgate Discussion Forum
    Please help me understand why outbound blocks are occuring.

    Firewalling
    7 Posts 2 Posters 471 Views
    mervincm:

      In my Dashboard, Firewall logs, I see blocked packets I didn't expect to see. I filter on IF to LAN and to block.

      Source IPs are my internal devices, destination IPs are private Internet-hosted devices, so this seems to be outbound blocking. But why?

      Firewall, Rules, LAN only lists the Antilockout rule and the default allow LAN to any IPv4 / IPv6 rules.
      Clicking on the block icon tells me the rule that triggered the action was Default deny rule IPv4.
      viragomann:

        Probably out of state packets. Post the whole log screen.

      mervincm:

          That is the whole screen from the dashboard. I can post from the system log screen if that is helpful.

      viragomann:

            Yes, System Logs > Firewall gives more information. Here you're missing the protocol and the TCP flag.

      mervincm:

      Status, System Logs, Firewall, normal view. The vast majority are WAN and inbound to my public IP, and those make sense. These are a few samples with LAN as the interface.

              Oct 29 15:32:03	LAN	Default deny rule IPv4 (1000000103)	  10.0.3.5:62201	  142.229.173.56:443	TCP:FPA
              Oct 29 15:32:46	LAN	Default deny rule IPv4 (1000000103)	  10.0.3.5:62201	  142.229.173.56:443	TCP:FPA
              Oct 29 15:31:17	LAN	Default deny rule IPv4 (1000000103)	  10.0.0.11:39424	  68.11.153.231:42003	TCP:PA

      They are all TCP; the flag is always RA, FA, PA, or FPA, as far as I have found.

      mervincm:

      @mervincm
      PS: With your hint about the importance of the protocol + flag, my forum searching is now revealing much better results. Thank you for that.

      viragomann:

                  There is also a filter function available at System Logs > Firewall.

      Packets with such TCP flags are only logged if pfSense has no state for them in its state table. So it may already have deleted the connection.
      If there is no problem on the LAN devices with that, like slow site reloading, you may ignore it. The device will open a new connection.
      Otherwise it could also indicate asymmetric routing.

      The connection timeout is affected by "Firewall Optimization Options" in System > Advanced > Firewall & NAT.
      It is also possible to configure individual timeouts for different packet types on this page.

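A small triage script for the point made in this thread, added here as an example and not part of any poster's reply or of pfSense itself. It parses lines in the tab-separated "normal view" layout quoted above (the sample log is constructed from the three lines in the thread plus one invented SYN line for contrast) and separates out-of-state TCP packets, which hit the default deny only because no state matched, from genuine new-connection blocks, then flags repeated source/destination pairs worth a closer look for expired states or asymmetric routing.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the "normal view" layout quoted in the thread
# (tab-separated). The last line is invented, a SYN-only packet, for contrast.
SAMPLE_LOG = """\
Oct 29 15:32:03\tLAN\tDefault deny rule IPv4 (1000000103)\t  10.0.3.5:62201\t  142.229.173.56:443\tTCP:FPA
Oct 29 15:32:46\tLAN\tDefault deny rule IPv4 (1000000103)\t  10.0.3.5:62201\t  142.229.173.56:443\tTCP:FPA
Oct 29 15:31:17\tLAN\tDefault deny rule IPv4 (1000000103)\t  10.0.0.11:39424\t  68.11.153.231:42003\tTCP:PA
Oct 29 15:33:02\tLAN\tDefault deny rule IPv4 (1000000103)\t  10.0.0.11:39500\t  203.0.113.9:8080\tTCP:S
"""

@dataclass
class Entry:
    time: str
    iface: str
    rule: str
    src: str
    dst: str
    proto: str
    flags: str

def parse_line(line: str) -> Entry:
    """Split one tab-separated normal-view line into its columns."""
    time, iface, rule, src, dst, proto_flags = [f.strip() for f in line.split("\t")]
    proto, _, flags = proto_flags.partition(":")   # "TCP:FPA" -> ("TCP", "FPA")
    return Entry(time, iface, rule, src, dst, proto, flags)

def classify(e: Entry) -> str:
    """Label a block the way the thread explains it.

    pf only evaluates rules for packets that match no existing state, so a TCP
    packet without SYN (FPA, PA, RA, FA ...) reached the rule set because its
    state was already gone (expired or closed) or was never created on this
    box (asymmetric routing). Only a SYN-only packet is a real new connection
    that the rules themselves rejected.
    """
    if e.proto != "TCP":
        return "non-tcp"
    if "S" in e.flags and "A" not in e.flags:
        return "new-connection-blocked"
    return "out-of-state"

def summarize(log_text: str) -> dict:
    """Count categories and report src->dst pairs that repeat out of state."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    cats = Counter(classify(e) for e in entries)
    pairs = Counter((e.src, e.dst) for e in entries if classify(e) == "out-of-state")
    return {"categories": dict(cats), "repeat_pairs": {k: v for k, v in pairs.items() if v > 1}}
```

A pair that keeps appearing with FPA/PA flags after a state should still exist is the case where the state timeouts under System > Advanced > Firewall & NAT, or the routing path, deserve a look; isolated entries are normal after a state has been closed.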
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.