Netgate Discussion Forum
    LAN interface has default allow any rule but 'Default deny rule IPv4' blocking

    Firewalling
    FromOZ

      Hi - I have recently purchased Netgate SG-4860 configured in fairly basic setup: Internet <-> WAN Int. <-> LAN Int. <-> Switch <-> LAN network.

      The system has the default rules on the WAN (block bogons) and LAN interfaces. Specifically, on the LAN interface the rules are 'Default allow LAN to any rule' and 'Default allow LAN IPv6 to any rule'.

      I can get out to the Internet. However, looking at the logs I regularly see log entries like this:

      Mar 10 09:55:21 LAN Default deny rule IPv4 (1000000103)   192.168.1.100:54132   17.56.136.164:993 TCP:RA

      which shows traffic arriving at the LAN interface, coming from the LAN (192.168.1.0/24) to a host on the internet, being blocked.

      The 'default deny' rule is not visible in the UI, I am assuming it is the rule of last resort blocking anything not explicitly allowed (standard sort of firewall behaviour). However given that there is the default allow rule (which is visible in the UI) defined on the LAN interface…

      IPv4 * LAN net * * * * none Default allow LAN to any rule

      which is basically wide open, then why is select traffic being blocked? LAN net is one of the default macros which is, I believe, taken from the network setting on the LAN interface, which in this case is

      192.168.1.1            /24

      192.168.1.1 being the LAN interface IP, /24 being CIDR subnet.

      So questions:

      • Why would this specific traffic be blocked?

      • And why does pfSense not follow the allow-all rule (I am assuming, obviously, that the deny rule comes after the allow rule)?

      johnpoz (LAYER 8 Global Moderator)

        "TCP:RA"

        https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        FromOZ

          @johnpoz:

          "TCP:RA"

          https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

          Got it, thanks - the sessions logged are to IMAP at Apple, iCloud mail. There's also a bunch to Amazon Web Services. In all, TCP flags R, A, F & P are seen.

          I found this article:

          https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx

          My 'Firewall Optimization Options' setting is currently the default of 'Normal'. I think I'll leave it at that, as I don't see any difficulty in reaching (raising a connection with) those hosts, and the doc says these will likely be packets from expired state sessions.

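As an added illustration (not code from the thread, from pfSense or from the linked docs), the Python below triages log entries like the one FromOZ quoted: it parses the GUI-style line layout shown above (an assumed layout; the raw filterlog CSV that pfSense writes to syslog differs), treats TCP denials without SYN as out-of-state leftovers of closed or expired sessions as the doc johnpoz linked describes, and surfaces only bare-SYN denials as the ones that point to a real rule mismatch. The sample lines are constructed, using the thread's RA entry plus TEST-NET addresses.

```python
import re
from collections import Counter

# Assumed layout of the GUI-style log line quoted in the thread (not the raw filterlog CSV):
#   Mar 10 09:55:21 LAN Default deny rule IPv4 (1000000103) 192.168.1.100:54132 17.56.136.164:993 TCP:RA
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<rule_id>\d+)\)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)

def parse_line(line):
    """Return a dict of fields, or None when the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = d["flags"] or ""  # non-TCP entries carry no flag suffix
    return d

def classify(entry):
    """Triage one parsed entry: 'out-of-state' = TCP without SYN (RA, PA, FA ...) denied
    because pf held no state, usually a late packet of a closed/expired session as the
    linked doc explains; 'new-connection-denied' = a bare SYN denied, i.e. a real attempt
    that matched no allow rule and deserves a rule review; 'other' = anything else."""
    if not entry["rule"].startswith("Default deny") or entry["proto"] != "TCP":
        return "other"
    if "S" in entry["flags"] and "A" not in entry["flags"]:
        return "new-connection-denied"
    return "out-of-state"

def triage(lines):
    """Count each category; return the counts and the src->dst:port of real denials."""
    counts, suspects = Counter(), []
    for line in lines:
        entry = parse_line(line)
        kind = "unparsed" if entry is None else classify(entry)
        counts[kind] += 1
        if kind == "new-connection-denied":
            suspects.append(f'{entry["src"]} -> {entry["dst"]}:{entry["dport"]}')
    return counts, suspects

# Constructed sample: the RA line from the thread plus made-up entries on TEST-NET addresses.
SAMPLE = [
    "Mar 10 09:55:21 LAN Default deny rule IPv4 (1000000103) 192.168.1.100:54132 17.56.136.164:993 TCP:RA",
    "Mar 10 09:55:40 LAN Default deny rule IPv4 (1000000103) 192.168.1.100:54140 203.0.113.7:443 TCP:PA",
    "Mar 10 09:56:02 LAN Default deny rule IPv4 (1000000103) 192.168.1.50:40001 198.51.100.9:22 TCP:S",
    "Mar 10 09:56:10 LAN Default deny rule IPv4 (1000000103) 192.168.1.50:5353 198.51.100.9:5353 UDP",
]
```

Running `triage(SAMPLE)` reports two out-of-state entries, one 'other' (the UDP line) and one genuine denial, the SYN to port 22, which is the only one worth checking against the LAN rule set.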
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.