Netgate Discussion Forum
    LAN default block rule messing with internal host-to-host traffic

    General pfSense Questions
    5 Posts, 2 Posters, 5.1k Views
    survive:

      Greetings everyone,

      I'm running a pfSense 1.2.1 firewall at home. I've been running this particular install since early September, using the beta builds and RC releases.

      My problem is that some traffic from internal hosts to other internal hosts is being blocked by the pfSense box. Originally the problem was that one of my domain computers couldn't see my domain controller. I checked out that box's event logs and found that it started having problems around Sept. 14th. I've been working on that problem since. Then a couple of weeks ago I got a new DirecTV HD DVR that has networking capabilities that I wanted to get on the network. I got it set up and streaming video from the internet, but it also had problems seeing my file server, which is on an internal address. What's interesting is that both boxes get IP addresses via DHCP from the exact same box they can't talk to over IP.

      I didn't think that the 2 problems were related until last night, when I checked my pfSense firewall logs and saw that both computers were being blocked by pfSense! The logs indicate that they are being blocked on the LAN interface, and when I click on the red "X" box I'm told that "@70 block drop in log quick all label "Default deny rule"" is the rule that actually made the traffic get blocked.

      What's weird is that those are the only 2 instances of trouble I see. I don't have any trouble connecting to anything on the network from my workstation. I have a couple of rules to pass traffic on the WAN side of the firewall but I only have the "Default LAN -> any" rule set on the LAN side.

      Can anyone explain why the default block rule is blocking some of my traffic?

      Thank you!

      -Will

    kpa:

        Traffic from one host to another host on the same network is never blocked by the firewall, because the hosts can talk to each other directly and the default gateway is not used. Are you mixing two different IP ranges on the LAN interface, perhaps?

    survive:

          Hello,

          Nope, all the internal computers are in the same /27 network my ISP assigned me, yet the blocks are right there in the logs under "Diagnostics: System logs: Firewall".

          The only things I see in the firewall log that are blocked on the LAN interface are computers from the inside talking to computers on the inside…check out the attached pic!

          -Will

          [attached screenshot: fwlog.png]

    survive:

            Hello,

            I think I have figured it out.

            Turns out I had the wrong subnet mask on the computer that was the source in the logs. Makes sense when you think about it: the 2 computers have IPs above 16 (my IPs are XXX.XXX.XXX.0-32), and with a .240 subnet mask the source computer is going to send traffic to the router if it's above .16!

            I corrected the subnet mask on the blocked computer and was able to see it from both locations.

            Big thanks to kpa for making me think about it a little more.

            -Will

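Worked example of the on-link test behind the fix above. This is added here and is not code from the thread or from pfSense: the hosts, their names and the 203.0.113.0/27 documentation prefix are constructed stand-ins for the poster's ISP-assigned /27, with one host (`dvr`) deliberately given the 255.255.255.240 (/28) mask described in the post. A host only ARPs for a destination that falls inside the network derived from its own mask; anything else goes to the default gateway, which is how a LAN-to-LAN packet ends up crossing the pfSense LAN interface in the first place. The script flags hosts whose mask disagrees with the real LAN prefix and lists the host pairs where one side will route via the gateway while the other replies directly.

```python
import ipaddress
from itertools import permutations

# Constructed example LAN modelled on the thread: a /27 (32 addresses).
# 203.0.113.0/27 is a documentation range standing in for the real block.
LAN = "203.0.113.0/27"
GATEWAY_NAME = "pfsense"

# host name -> address with the mask that host *actually* has configured
HOSTS = {
    "pfsense":     "203.0.113.1/27",
    "fileserver":  "203.0.113.5/27",
    "dc":          "203.0.113.10/27",
    "workstation": "203.0.113.12/27",
    "dvr":         "203.0.113.20/28",   # wrong mask: 255.255.255.240
}


def next_hop(src_cidr: str, dst_ip: str) -> str:
    """How a host configured as src_cidr forwards a packet to dst_ip.

    "direct"  - dst is inside the network derived from the host's own mask,
                so the host ARPs for it and the firewall never sees the packet.
    "gateway" - dst is outside that network, so the packet is handed to the
                default gateway (the pfSense LAN interface).
    """
    src = ipaddress.ip_interface(src_cidr)
    return "direct" if ipaddress.ip_address(dst_ip) in src.network else "gateway"


def mask_mismatches(hosts: dict, lan_cidr: str) -> list:
    """Names of hosts whose configured network differs from the real LAN prefix."""
    lan = ipaddress.ip_network(lan_cidr)
    return sorted(
        name for name, cidr in hosts.items()
        if ipaddress.ip_interface(cidr).network != lan
    )


def asymmetric_pairs(hosts: dict, gateway_name: str) -> list:
    """Ordered (src, dst) pairs where src sends via the gateway but dst would
    answer directly. This is the symptom of a mask mismatch on src: only one
    direction of the conversation passes through the firewall."""
    out = []
    for a, b in permutations(hosts, 2):
        if gateway_name in (a, b):
            continue  # talking to the gateway itself is not the case of interest
        ip_a = hosts[a].split("/")[0]
        ip_b = hosts[b].split("/")[0]
        if next_hop(hosts[a], ip_b) == "gateway" and next_hop(hosts[b], ip_a) == "direct":
            out.append((a, b))
    return sorted(out)


def report(hosts: dict, lan_cidr: str, gateway_name: str) -> str:
    lines = [f"LAN prefix: {lan_cidr}"]
    bad = mask_mismatches(hosts, lan_cidr)
    lines.append("mask mismatches: " + (", ".join(bad) if bad else "none"))
    for a, b in asymmetric_pairs(hosts, gateway_name):
        net = ipaddress.ip_interface(hosts[a]).network
        lines.append(f"{a} -> {b}: via gateway (only {net} is on-link for {a}); "
                     f"{b} -> {a}: direct")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(HOSTS, LAN, GATEWAY_NAME))
```

Run as-is it reports `dvr` as the only mismatched host and shows that `dvr` reaches `fileserver`, `dc` and `workstation` through the gateway while all three reply to it directly; swap the `dvr` entry to `/27` and the list empties. To reproduce the check against a real LAN, fill `HOSTS` from what each machine reports (`ipconfig` on Windows, `ifconfig` or `ip addr` elsewhere) rather than from the DHCP server's view, since the mask the host believes is what decides the next hop.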
    kpa:

              Np at all  :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.