Default deny rule IPv4 (1000000103) on LAN for no reason



  • I have outbound LAN rules to allow traffic going to 80/tcp and 443/tcp, for example.  I'm getting intermittent blocked outbound packets that are legitimate 443/tcp traffic that should definitely meet my Allow rule for 443/tcp.

    It's all TCP:FA and TCP:FPA packets.

    I must be missing something, but I can't wrap my mind around it.  Something to do with SPI stuff?  In other words, there wasn't an existing session established, so the FA and FPA packets were dropped?  I don't see any TCP:Syn packets being blocked.





  • @webtyro:

    https://forum.pfsense.org/index.php?topic=39960.0
    Your not the first to ask. ;)

    Thanks.  That thread confirmed it's out-of-state traffic.  It still doesn't explain how to fix the issue to allow the traffic to…not be out-of-state.  'Cuz right now certain applications are intermittently blocked.  Trying to get to root cause.



  • It still doesn't explain how to fix the issue to allow the traffic to…not be out-of-state.

    There is no issue in need of fixing with out-of-state traffic.

    'Cuz right now certain applications are intermittently blocked.

    You know this because you're seeing noise in the logs, or because your application is not working?

    Trying to get to root cause.

    The root cause of traffic being blocked on LAN when there is an Allow All rule is usually that pfSense blocks the FIN ACK response to pfSense FIN session teardown request.  It's like me telling you goodbye and then ignoring you.  Your attempt to say goodbye back to me is considered an unsolicited inbound request (since we have considered the session closed so you are trying to start a new session from our point of view), and blocked by the default WAN Deny rule.


  • Rebel Alliance Global Moderator

    There are a few things you can do to try and stop such traffic.. Look to what is causing it - is it say a phone or something that is switching from cell to wifi and trying to reuse the same session it had while on cell?

    Is it a bad acting app?

    If you don't like to see such noise - you can set pfsense not to log default rule.  And if you just want to see syn traffic that would be blocked create a block rule on the bottom and set block only syn packets and log them..  This way stuff that doesn't make it through your rules and is syn would be logged, stuff that is blocked because its out of state would just be blocked and not logged.



  • @KOM:

    'Cuz right now certain applications are intermittently blocked.

    You know this because you're seeing noise in the logs, or because your application is not working?

    The application is not working and times out.  The app logs state, "Unable to contact server."  I then check the pfSense logs and see the blocked outbound FinAck packets and corresponds to the same timestamp (and URL) as when the application times out and tries again minutes later.

    The noise doesn't bother me at all; it's the actual app.  App runs on an end user laptop that has a stable WLAN connection.

    It's not the end of the world, just annoying.  The app usually works upon a 2nd or 3rd connection attempt.

    I may be confusing chicken and egg here:  maybe the application servers really are unstable, and the app is legitimately sending the FinAck packets outbound, which I shouldn't worry about.  So the root cause would be the application servers.

    Thanks for the analysis guys.  I'll brush up on Networking 101.



  • Do a packet capture to see what is really going on, firewall logs don't tell you much of what the actual protocol exchange is between the client and the server.


  • Rebel Alliance Global Moderator

    So this application.. Are you restarting it when it doesn't work.. So once it starts working does it stop working all of sudden?

    Its quite possible if the application tried to use an old session the firewall had killed it on timeout when it saw no traffic - and now the application vs sending syn to start a new state on the firewall it just tried to pick up the conversation where it left off.  Firewall says no no state for that traffic.