LAN interface has default allow any rule but 'Default deny rule IPv4' blocking



  • Hi - I have recently purchased a Netgate SG-4860, configured in a fairly basic setup: Internet <-> WAN Int. <-> LAN Int. <-> Switch <-> LAN network.

    The system has the default rules on the WAN (block bogons) and LAN interfaces. Specifically on the LAN interface the rules — 'Default allow LAN to any rule' and 'Default allow LAN IPv6 to any rule'.

    I can get out to the Internet. However, looking at the logs, I regularly see log entries like this:

    X  Mar 10 09:55:21 LAN Default deny rule IPv4 (1000000103)   192.168.1.100:54132   17.56.136.164:993 TCP:RA

    which shows traffic arriving at the LAN interface, coming from the LAN (192.168.1.0/24) to a host on the internet, being blocked.

    The 'default deny' rule is not visible in the UI, I am assuming it is the rule of last resort blocking anything not explicitly allowed (standard sort of firewall behaviour). However given that there is the default allow rule (which is visible in the UI) defined on the LAN interface…

    IPv4 * LAN net * * * * none Default allow LAN to any rule

    which is basically wide open, then why is select traffic being blocked? LAN net is one of the default macros which is, I believe, taken from the network setting on the LAN interface which in this case is

    192.168.1.1            /24

    192.168.1.1 being the LAN interface IP, /24 being CIDR subnet.

    So questions:

    • Why would this specific traffic be being blocked?

    • And why does pfSense not follow the allow all rule (I am assuming obviously that the deny rule comes after the allow rule)?



  • @johnpoz:

    "TCP:RA"

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Got it, thanks - the sessions logged are to IMAP at Apple, iCloud mail. There's also a bunch to Amazon Web Services. In all, TCP flags R, A, F & P are seen.

    I found this article:

    https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx

    My 'Firewall Optimization Options' setting is currently the default of 'Normal'. I think I'll leave it at that, as I don't see any difficulty in reaching (raising connection with) those hosts; as the doc says, these will likely be packets from expired state sessions.
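
A triage sketch for the log pattern discussed in this thread, added here as an example and not written by any poster or by the pfSense project. It separates default-deny entries that are out-of-state packets (flags such as RA, FA, PA) from entries where a new connection (a lone SYN) was actually refused. It assumes the GUI log layout quoted in the first post and that state is created only by the initial SYN; every sample line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample lines in the GUI log layout quoted in the thread. The first line is
# the entry from the post; the other three are constructed for illustration.
SAMPLE_LOG = """\
X  Mar 10 09:55:21 LAN Default deny rule IPv4 (1000000103)   192.168.1.100:54132   17.56.136.164:993 TCP:RA
X  Mar 10 09:55:40 LAN Default deny rule IPv4 (1000000103)   192.168.1.100:54140   198.51.100.7:443 TCP:FPA
X  Mar 10 09:56:02 LAN Default deny rule IPv4 (1000000103)   192.168.1.101:50210   198.51.100.7:443 TCP:PA
X  Mar 10 09:57:13 WAN Default deny rule IPv4 (1000000103)   203.0.113.9:40022   192.0.2.10:22 TCP:S
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<rule_id>\d+)\)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP:(?P<flags>[A-Z]+)\s*$"
)

def classify(flags):
    """Assumption: only an initial SYN can create state. A lone SYN hitting
    the default deny is a new connection the ruleset refused; any other flag
    combination got there because no existing state matched the packet."""
    return "new-connection-denied" if flags == "S" else "out-of-state"

def triage(log_text):
    """Parse TCP block entries and attach a verdict to each one."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip non-TCP or differently formatted entries
        entry = m.groupdict()
        entry["verdict"] = classify(entry["flags"])
        entries.append(entry)
    return entries

def summarize(entries):
    """Count verdicts per interface so real rule denials stand out."""
    return Counter((e["iface"], e["verdict"]) for e in entries)

if __name__ == "__main__":
    for (iface, verdict), n in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(f"{iface:4} {verdict:22} {n}")
```

Entries reported as `new-connection-denied` on the LAN interface would be the ones worth checking against the rule set; `out-of-state` entries match the expired-state explanation given in the linked documentation.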