[Firewall rule] LAN -> LAN going also through WAN instead of LAN only
  • Hello,

    I've just set up a new pfSense box. Everything running smoothly:
    WAN: (DHCP) 192.168.1.46/24 -> Gateway 192.168.1.254
    LAN: 192.168.20.254/24

    WAN Firewall Rules:
      Block private networks,
      Block bogon networks,
      Allow all ICMP from anywhere to anywhere

    LAN Firewall Rules:
      Allow IPv4 anything from anywhere to anywhere

    I've just added some syslog in pfSense to a LAN server (192.168.20.13:5104)
    and, trying to see if my server was receiving the syslog and looking at the firewall logs, I saw this:

    Status/System/Logs/Firewall/Normal View
    (interface) WAN |  Block ULA networks from WAN block fc00::/7 (12000)  |  (source) 192.168.20.254:514 | (destination) 192.168.20.13:5140 | (proto) UDP

    So it looks like pfSense is trying to send the syslog to the right address but through WAN instead of LAN, and thus all packets are blocked :/

    Am I missing something???
    Do I need to add some kind of route to explain that traffic from pfSense to LAN must pass through the LAN interface??

    It must be something very simple that I'm missing there…
    Thanks for your help!
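As an added example (not from the original post and not pfSense's own code): a small Python script that parses firewall log lines in the "Normal View" shape quoted above and flags entries where both endpoints are inside the LAN subnet but the block was attributed to WAN, so those entries can be separated from ordinary WAN noise before any rule is touched. The sample lines, the LAN_NET value, the RFC 1918 check and the category names are assumptions; the parser expects IPv4 "address:port" endpoints only.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the shape of the pfSense "Normal View" firewall
# log quoted in the post. Addresses, ports and rule names are illustrative.
SAMPLE_LOG = """\
(interface) WAN | Block ULA networks from WAN block fc00::/7 (12000) | (source) 192.168.20.254:514 | (destination) 192.168.20.13:5140 | (proto) UDP
(interface) WAN | Block private networks from WAN block 10/8 (1000000101) | (source) 192.168.20.13:51234 | (destination) 192.168.20.254:443 | (proto) TCP
(interface) WAN | Default deny rule IPv4 (1000000103) | (source) 203.0.113.9:44321 | (destination) 192.168.1.46:22 | (proto) TCP
(interface) LAN | Default deny rule IPv4 (1000000103) | (source) 192.168.20.13:50000 | (destination) 192.168.20.254:22 | (proto) TCP
"""

# The LAN subnet from the post (assumption: adjust to your own network).
LAN_NET = ipaddress.ip_network("192.168.20.0/24")

# RFC 1918 ranges, the address space pfSense's "Block private networks" covers.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

RULE_ID_RE = re.compile(r"\((\d+)\)\s*$")   # trailing "(1000000101)" style rule id


@dataclass
class Entry:
    interface: str
    rule: str
    rule_id: str
    src_ip: ipaddress.IPv4Address
    src_port: int
    dst_ip: ipaddress.IPv4Address
    dst_port: int
    proto: str


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918_NETS)


def _split_endpoint(text: str) -> tuple[ipaddress.IPv4Address, int]:
    # "192.168.20.13:5140" -> (IPv4Address, 5140); IPv4 only in this example.
    host, port = text.rsplit(":", 1)
    return ipaddress.IPv4Address(host), int(port)


def parse_line(line: str) -> Entry:
    """Parse one '(label) value | ...' line from the Normal View log."""
    fields = {}
    for part in line.split("|"):
        part = part.strip()
        if part.startswith("("):
            label, _, value = part[1:].partition(")")
            fields[label.strip()] = value.strip()
        else:
            fields["rule"] = part   # the rule column carries no "(label)" prefix
    m = RULE_ID_RE.search(fields["rule"])
    src_ip, src_port = _split_endpoint(fields["source"])
    dst_ip, dst_port = _split_endpoint(fields["destination"])
    return Entry(
        interface=fields["interface"],
        rule=fields["rule"],
        rule_id=m.group(1) if m else "",
        src_ip=src_ip, src_port=src_port,
        dst_ip=dst_ip, dst_port=dst_port,
        proto=fields["proto"],
    )


def classify(e: Entry) -> str:
    """Label a block entry so LAN-only traffic logged on WAN stands out."""
    both_lan = e.src_ip in LAN_NET and e.dst_ip in LAN_NET
    if e.interface == "WAN" and both_lan:
        # Both endpoints live on the LAN subnet, yet the block was attributed
        # to WAN: the symptom described in the thread.
        return "lan_to_lan_on_wan"
    if e.interface == "WAN" and not is_rfc1918(e.src_ip):
        return "external_blocked_on_wan"     # ordinary WAN-side noise
    return "other"


def summarize(log_text: str) -> dict[str, int]:
    """Count entries per category over a whole log excerpt."""
    counts = Counter(classify(parse_line(l)) for l in log_text.splitlines() if l.strip())
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{classify(e):24} {e.interface:4} rule {e.rule_id:>10} "
              f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port} {e.proto}")
    print(summarize(SAMPLE_LOG))
```

Run it against a pasted log excerpt instead of SAMPLE_LOG; if every "lan_to_lan_on_wan" entry involves the LAN address of the firewall itself, the problem is on the firewall side rather than in the WAN rule set, and disabling the WAN block rules would only hide it.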
  • I've also tried to SSH to pfSense and then SSH back to my syslog server with success. So it must be a configuration issue in the syslog settings inside pfSense, where the syslog server in pfSense sends its logs through WAN instead of LAN?? Is this possible??



  • I've just disabled syslog and I see that, for example, the firewall logs report that WAN blocked access to 192.168.20.13:443, as if my traffic going from my LAN PC to the pfSense interface was also going to WAN.

    I mean I have access to the web interface through LAN, but I don't understand why a block rule is triggered on WAN …

    I'm probably missing a simple thing; I probably don't understand some routing process inside of pfSense, or there's a misconfiguration somewhere.

    I could probably remove all the noise by unticking "Block private networks and loopback addresses" on the WAN interface, but I'm not sure it is a good idea.

    Any thought?



  • To add more info:
    When I disable "Block private networks and loopback addresses", the packets are blocked with rule "(1000002620) " triggered.
    Perhaps related to pfBlocker.
    I also have Suricata running in inline mode, but I don't think it is related.