I have disabled all rules in firewall, but still can tracert from LAN

  • I have disabled all positive rules in firewall, and I can't browse Web, but I still can


    from LAN machine and receive 3 hops from my ISP.

    How is this possible?

  • LAYER 8 Netgate

    Post your LAN rules.

  • All were disabled (dimmed), except anti-lockout rule

    Currently one additional rule enabled, which I use to browse Web

    I can disable it and have situation again.

  • LAYER 8 Netgate

    Stop messing around and show the rules in the state they are that you say they are misbehaving.

    Show the states for the traceroutes.

    Look at the states using pfctl -vvss to see what rule is passing the traffic.

    Post that.

  • Thank you, but I prefer rod over fish. Where/how to find undesired state in the ouput of pfctl -vvss?

  • I found the follwing in output:

    re2 icmp <-      0:0
      age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
      id: 010000005ab2fc3e creatorid: 6261d0b3
    re0 icmp ( ->      0:0
      age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
      id: 010000005ab2fc3f creatorid: 6261d0b3 is new address behind VPN I wish to ping and which is pingable from pfSense.

    re2 is LAN and re0 is first WAN which is undesired.

  • LAYER 8 Netgate

    For whatever reason that traffic is not interesting to the VPN.

    Common causes:

    You are policy routing the traffic out WAN by setting a gateway on a rule that matches. This overrides both the routing table and IPsec selectors.


    The traffic does not match the traffic selector.

    From that output, rule 117 passed the ping into LAN

    You can match that rule in the rule set:

    pfctl -vvsr | grep -A3 '^@117'

Log in to reply