Blocking traffic with "any 2 any" rule



  • Hi all,

    I have a pfSense 2.3.3-p1 with a WAN interface, a LAN interface and an OpenVPN tunnel to another pfSense (2.3.1).

    Some of my packets from the remote site were blocked by the "Default deny rule IPv4" … but I've set the "any 2 any" rule on all interfaces (except WAN).
    The OpenVPN tunnel is up and running. I've attached some images with the configuration.

    Any ideas why pfsense is blocking my packets or how to analyse that?
    ![Firewall blocking.PNG](/public/imported_attachments/1/Firewall blocking.PNG)
    ![Firewall rule LAN.PNG](/public/imported_attachments/1/Firewall rule LAN.PNG)
    ![Firewall rule OpenVPN.PNG](/public/imported_attachments/1/Firewall rule OpenVPN.PNG)
    ![Firewall rule OVPN.PNG](/public/imported_attachments/1/Firewall rule OVPN.PNG)


  • Netgate

    How about posting the entire block log entry so we can see what was actually blocked.

    It was probably this:

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection



  • Hi Derelict,

    Please find the log attached.
    The test connection will be established between the internal IP 172.16.4.82 (host in the LAN network on the remote site) and 192.168.203.200 (pfSense LAN IP).

    Kind regards

    ![Firewall Log.PNG](/public/imported_attachments/1/Firewall Log.PNG)


  • Banned

    I don't get it? The only thing blocked there is on your WAN, which you didn't post your rules for.

    The line you highlighted is being passed and logged because you told it to log all of your passed traffic on that interface.


  • Netgate



  • Hey,

    Sorry for that.
    Please find the real log attached.

    Kind regards

    ![Firewall Log.jpg](/public/imported_attachments/1/Firewall Log.jpg)


  • Banned

    It would help if you show which rules are blocking the traffic in question. I think you change it in settings on the log screen under a dropdown.



  • Hi pfBasic,

    How can I look for that? The rules are still the same as shown on the pictures in the first post.

    Kind regards


  • Netgate

    Just click the red x on the log page. It will tell you which rule blocked it.



  • The rule that triggered this action is:
    
    @6(1000000104) block drop out log inet all label "Default deny rule IPv4"
    


  • Possibly it's a hardware problem …
    I really don't know why ... but the problem box is located in Japan ... if I test with another box here in Europe all is working fine (same config).

    We'll try to change the pfsense hardware onsite. I'll keep you posted.

    Kind regards


  • Netgate

    Probably out-of-state traffic. If not that, then asymmetric routing (which can also generate out-of-state traffic). Those are not SYNs being blocked.

    I have posted that link at least twice already.

    Here it is again. Please read it.

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Is something not working or are there just log entries?
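
The "those are not SYNs" observation above is the quickest triage test for this class of log entry: a block entry whose TCP flags carry ACK, FIN or RST but no lone SYN means pf had no state for an existing conversation (asymmetric routing, expired state), whereas a blocked plain SYN means the rule set really refused a new connection. The following script is an added example, not code from the thread or from pfSense: it parses raw filterlog lines in the CSV layout pfSense 2.2+ writes (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, IPv4 header fields, length, source, destination, then the TCP port/flag fields) and sorts each blocked entry into one of those buckets per tracker id. The field positions are my reading of that documented format and the sample lines are constructed; only the tracker id 1000000104 and the two LAN addresses are taken from the thread.

```python
"""Triage pfSense filterlog 'block' entries: new connection denied vs out-of-state.

Added example; not part of the original thread or of pfSense. Field positions follow the
pfSense 2.2+ filterlog CSV layout as documented (assumption, see the lead-in).
"""
import csv
from collections import Counter, defaultdict

# Constructed sample lines. Tracker 1000000104 and the addresses 172.16.4.82 /
# 192.168.203.200 come from the thread; interfaces, timestamps, ports and ids are made up.
SAMPLE_LOG = """\
Apr  3 10:00:01 pfsense filterlog: 6,,,1000000104,ovpns1,match,block,out,4,0x0,,63,21893,0,DF,6,tcp,52,172.16.4.82,192.168.203.200,52344,445,0,A,1234567890,987654321,64240,,
Apr  3 10:00:02 pfsense filterlog: 6,,,1000000104,ovpns1,match,block,out,4,0x0,,63,21894,0,DF,6,tcp,52,172.16.4.82,192.168.203.200,52344,445,0,FA,1234567891,987654321,64240,,
Apr  3 10:00:05 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,51,4100,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,40022,22,0,S,55555,,65535,,mss;nop;wscale;sackOK;TS
Apr  3 10:00:06 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,51,4101,0,none,17,udp,78,203.0.113.10,198.51.100.2,50000,161,58
Apr  3 10:00:07 pfsense filterlog: 91,,,1490000000,ovpns1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,172.16.4.82,192.168.203.200,52345,80,0,S,1,,65535,,mss
"""

# Indexes into the CSV payload (IPv4 only). Common header: 0-8, IPv4 header: 9-16,
# length/src/dst: 17-19, TCP (or UDP) ports from 20, TCP flags at 23.
IDX = {"tracker": 3, "iface": 4, "action": 6, "direction": 7, "ipver": 8,
       "proto": 16, "src": 18, "dst": 19, "sport": 20, "dport": 21, "tcp_flags": 23}


def parse_filterlog(text):
    """Return one dict per IPv4 filterlog line; lines without a filterlog payload are skipped."""
    entries = []
    for line in text.splitlines():
        if "filterlog: " not in line:
            continue
        payload = line.split("filterlog: ", 1)[1]
        fields = next(csv.reader([payload]))
        if len(fields) <= IDX["dst"] or fields[IDX["ipver"]] != "4":
            continue  # IPv6 uses a different header layout; out of scope here
        entry = {k: fields[i] if i < len(fields) else "" for k, i in IDX.items()}
        if entry["proto"] != "tcp":
            entry["tcp_flags"] = ""  # UDP/ICMP carry no flags field
        entries.append(entry)
    return entries


def classify(entry):
    """Bucket a single entry the way the thread's last reply does it."""
    if entry["action"] != "block":
        return "not-blocked"
    if entry["proto"] != "tcp":
        return "non-tcp"
    flags = entry["tcp_flags"]
    if "S" in flags and "A" not in flags:
        # A bare SYN was refused: the rule set genuinely denies this new session.
        return "new-connection-denied"
    # ACK/FIN/RST (or SYN-ACK) with no matching state: pf never saw the handshake on this
    # path, so look for asymmetric routing or an expired state rather than a missing rule.
    return "out-of-state"


def triage(text):
    """Count classifications per (tracker, interface, direction) for blocked entries only."""
    result = defaultdict(Counter)
    for entry in parse_filterlog(text):
        kind = classify(entry)
        if kind == "not-blocked":
            continue
        result[(entry["tracker"], entry["iface"], entry["direction"])][kind] += 1
    return dict(result)


if __name__ == "__main__":
    for (tracker, iface, direction), counts in sorted(triage(SAMPLE_LOG).items()):
        summary = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
        print(f"tracker {tracker} {iface} {direction}: {summary}")
```

Run against a copy of /var/log/filter.log (or the clog output on 2.3) and compare the tracker id with the one the red "x" on the log page reports; a tracker whose blocks are all in the out-of-state bucket points at the linked article rather than at the rule set.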