Netgate Discussion Forum
    Legitimate traffic being blocked - shows instantly as TCP-FA and TCP-PA

    General pfSense Questions
    8 Posts, 2 Posters, 1.4k Views
    • Andrew453

      Hi.

      Since upgrading to 2.4, I have a problem where I'm seeing lots of TCP-FA/TCP-PA blocked traffic in the firewall. I've read all the other posts about this being out-of-state traffic, but I don't think it is here - the reason being that certain applications are not working.

      For example, I try to get an app to connect (e.g. the YouView app on Android, or Google Play to update apps) and it won't connect at all or only connects sporadically.  Instead, I almost instantly get loads of TCP-FA and TCP-PA traffic.  So this doesn't appear to be out-of-state traffic which ordinarily would arrive some time after (i.e. once the state has been purged).

      I didn't experience this issue under 2.3, and I have changed the config other than upgrading it.  Not sure if anything has changed in the way that the state table operates?

      Any ideas please?

      Example firewall log below.

      Thank you!

      Andrew

      Nov 4 22:10:24  LAN  Default deny rule IPv4 (1000000103)  192.168.111.2:49839  172.217.23.14:80 lhr35s01-in-f14.1e100.net  TCP:FPA
      Nov 4 22:10:21  LAN  Default deny rule IPv4 (1000000103)  192.168.111.2:49839  172.217.23.14:80 lhr35s01-in-f14.1e100.net  TCP:FA
      Nov 4 22:10:17  LAN  Default deny rule IPv4 (1000000103)  192.168.111.2:49839  172.217.23.14:80 lhr35s01-in-f14.1e100.net  TCP:PA
      Nov 4 22:10:14  LAN  Default deny rule IPv4 (1000000103)  192.168.111.2:49839  172.217.23.14:80 lhr35s01-in-f14.1e100.net  TCP:PA
      Nov 4 22:10:12  LAN  Default deny rule IPv4 (1000000103)  192.168.111.2:49839  172.217.23.14:80 lhr35s01-in-f14.1e100.net  TCP:PA

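A worked triage of the log in the post above, added here as an example and not part of the original thread: a small Python parser for the pfSense firewall-log layout shown, which groups blocked TCP entries per 4-tuple and separates refused SYN attempts from mid-stream packets (no SYN flag) arriving seconds apart, the pattern Andrew describes. The SAMPLE_LOG is constructed from the entries quoted above plus one SYN entry to a documentation address (203.0.113.9) for contrast; the 60-second window and the verdict wording are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the pfSense firewall log quoted above.
SAMPLE_LOG = """\
Nov 4 22:10:24 LAN Default deny rule IPv4 (1000000103) 192.168.111.2:49839 172.217.23.14:80 lhr35s01-in-f14.1e100.net TCP:FPA
Nov 4 22:10:21 LAN Default deny rule IPv4 (1000000103) 192.168.111.2:49839 172.217.23.14:80 lhr35s01-in-f14.1e100.net TCP:FA
Nov 4 22:10:17 LAN Default deny rule IPv4 (1000000103) 192.168.111.2:49839 172.217.23.14:80 lhr35s01-in-f14.1e100.net TCP:PA
Nov 4 22:10:14 LAN Default deny rule IPv4 (1000000103) 192.168.111.2:49839 172.217.23.14:80 lhr35s01-in-f14.1e100.net TCP:PA
Nov 4 22:10:12 LAN Default deny rule IPv4 (1000000103) 192.168.111.2:49839 172.217.23.14:80 lhr35s01-in-f14.1e100.net TCP:PA
Nov 4 22:11:02 LAN Default deny rule IPv4 (1000000103) 192.168.111.2:50100 203.0.113.9:443 TCP:S
"""

# Timestamp, interface, rule text and id, src:port, dst:port, optional reverse-DNS name, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+(?P<rule>.+?) \((?P<ruleid>\d+)\)"
    r"\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+(?:\S+\s+)?TCP:(?P<flags>[A-Z]+)\s*$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # The log carries no year; a fixed one is enough to compute spans within a day.
    e["when"] = datetime.strptime(e["ts"] + " 2000", "%b %d %H:%M:%S %Y")
    return e

def classify(log_text, window_s=60):
    """Group blocked TCP entries by 4-tuple: a SYN means a new connection was refused
    by policy; repeated no-SYN packets seconds apart mean a live flow has no state."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            flows[(e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    report = {}
    for flow, entries in flows.items():
        entries.sort(key=lambda e: e["when"])
        flags = [e["flags"] for e in entries]
        span = (entries[-1]["when"] - entries[0]["when"]).total_seconds()
        if any("S" in f for f in flags):
            verdict = "new connection refused by rule"
        elif len(entries) >= 3 and span <= window_s:
            verdict = "live connection with no state (state dropped or never created)"
        else:
            verdict = "stray out-of-state packet"
        report[flow] = {"count": len(entries), "flags": flags, "span_s": span, "verdict": verdict}
    return report
```

Run on the constructed sample, the 192.168.111.2:49839 to 172.217.23.14:80 flow shows five no-SYN packets inside 12 seconds, which points at a missing state rather than at a stale one.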
      • kejianshi

        Android, or Google Play

        Both Android based…

        Look in System > Advanced > Firewall & NAT > IP Do-Not-Fragment compatibility.

        See if checking that box fixes your out of state / fragmented packet issue.

        • Andrew453

          Thanks for your reply.  I made that change, but am still experiencing the same issue.

          • kejianshi

            Where are these devices in relation to the pfSense? How are they connected? Describe every little hop needed for your device to reach the pfSense, please.

            • Andrew453

              The devices connect to my main router via wireless.

              The router's WAN goes to pfSense's LAN.

              pfSense's WAN goes out to a VDSL modem.

              So I'm double-NATed, which I know is not ideal, but as I say it worked fine before I upgraded pfSense to 2.4.

              • kejianshi

                What is the WAN IP of pfSense?

                What is the LAN IP of pfSense?

                What is the WAN IP of the other router?

                What is the LAN IP of the other router?

                Also, can your other router be configured as a wireless switch (No routing and no DHCP)?

                • Andrew453

                  On further investigation, I think it might have something to do with pfBlockerNG. If it hits on one of the pfB blocklists, there's an option to drop the state. I think that's what might be happening.

                  I'll investigate tomorrow.

                  • kejianshi

                    pfBlockerNG - Sure is coming up a lot in the "please help" category.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.