Firewall blocks intermittent LAN -> WAN traffic

  • I recently switched to pfSense from DD-WRT and am having some problems.
    Lots of traffic from the LAN to the internet is being blocked by the firewall by the "Default deny rule".

    I don't understand why this is happening, I've searched around and most topics link to this ("blocked"_for_traffic_from_a_legitimate_connection) page. My understanding is that in this scenario the packets are being logged as blocked but are in fact correctly being routed. In my case there are actually connectivity issues.

    Can anyone point me in the correct direction to get this working? I've attached screenshots of the logs and firewall rules.

  • Is the 2600:1010:8048:c052:: still your LAN IPv6 subnet? How is your LAN IPv6 configured?

    The fe80 blocks are correct given your firewall rules and general sanity, link local IPs can't be used to communicate to the Internet. That might just be because the public v6 can't get out.

  • 2600:1010:8048:c052:: is not part of my LAN. IPv6 is configured as a 6in4 tunnel to my ISP

    I also pass all IPv6 tests.

    Is it normal for fe80 addresses to attempt to make requests like these?

  • That explains why then. Something on your LAN has that 2600:1010:8048:c052 IP assigned, which is being blocked because it's not "LAN net".

    It's not typical to have something initiating Internet-bound traffic from a link local IP. Guessing that might be the same host, it's failing back to trying that because its public v6 IP isn't working.

  • So that should explain one host having problems, but every computer on my network is having problems connecting to the internet. Including IPv4 only traffic.

  • That's not related to the blocked traffic shown there. DNS on clients work? Can they ping out? What's traceroute out look like?

  • I tested disabling IPv6 and running the firewall for a day.

    Overall the network seemed better, but I'm still getting logs of blocked packets. Do these look like they fall into this category"blocked"_for_traffic_from_a_legitimate_connection ?

    Log is attached.

  • LAYER 8 Global Moderator

    Yes all of those blocks are out of STATE..  They are not syn packets being blocked.

  • Not sure if what I experienced was exactly the same as you but it appears to be similar.  The firewall blocks were cluttering my syslog server.  Ended up just unchecking "Log packets matched from the default block rules in the ruleset" located at Status->System Logs, Settings (status_logs_settings.php) and that stopped the spamming in the firewall logs for me.

  • This did not solve the problem, I'm still having intermittent internet loss and extremely slow speeds.
    It is hard to debug this because due to it being intermittent. Switching to DD-WRT always imitatively fixes the issues.

  • Attached is another screenshot of the log.

    Could there be anything other than the firewall that could be causing the problems I'm running into?

Log in to reply