TCP:RA, TCP:A, TCP:PA blocked ?



  • Hi Guys,

    I have an pfsense box with 3 NICS. WAN,LAN and DMZ. The traffic works as intended, and so does the rules. But after some time, I get disconnected (LAN->DMZ traffic), with TCP:RA,A,PA showed in the firewall logs in pfsense.

    From WAN -> DMZ I have no issues...

    2_1530965232623_Capture.PNG

    Rules LAN
    1_1530965232622_Capture2.PNG
    Rules DMZ
    0_1530965232622_Capture3.PNG

    I've tried to set the firewall options to conservative, like described here, with not much luck: https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx


  • Rebel Alliance Global Moderator

    Those sorts of blocks are normally a sign of asymmetrical traffic.

    Or you could have dupe packets... You understand that first hit you show is RA, or RESET ACK... This basically the client saying F OFF done.. FA would be way to normally close a tcp session. But RA is can be seen sometimes depending on how the client/application is designed..

    Are these devices wireless?

    Once a state is closed, then yeah any other packets that are not SYN would be blocked. A firewall only creates a state with the start of a conversation.. Ie the handshake syn, syn/ack

    So if firewall sees Fin and closes the state, then any other packets still being seen would be out of state and blocked.

    https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html

    How exactly do you have these networks wired? Are they physical isolated with different switches, do devices use different gateways than pfsense IP? Are you using a dumb switch to try and isolate your vlans - maybe you have your vlans on your switch misconfigured and are running multiple layer 3s on the same layer 2?



  • Hi,
    Thanks for the reply.

    No its not wireless devices. Actually the wireless devices seams to work fine. the issue seems to be only with wired devices.

    The network look like this.

    Switch1 - Unmanaged
    Switch2 - Unmanaged
    Switch3 - Managed

    PFSense has 3 NICs, (and a WLAN). WAN,LAN,DMZ.

    PFSense(DMZ)<->Server(DMZ)
    PFSense(WAN)<->Internet
    PFSense(LAN )<->Switch2, for switch it spans to further switches.

    Workstation<->Switch1<->Switch2<->PFsense(LAN)
    Switch1<->Switch3<->Server(LAN)


  • Rebel Alliance Global Moderator

    If you wan tto work with vlans then you need a smart switch... Your dumb switch can be downsream of your smart switch and then all devices on those dumb switch would have to be on the same vlan..

    Your switch 3 needs to be directly connected to pfsense and you can run vlans on those ports, then downstream from switch 3 you can put your dumb switches on any vlan you want.. But all devices on that dumb switch will be on the same vlan.



  • Yes im aware, and thats really not the case. I only use the VLAN for IOT, so its still kinda a mystery to be why this happens. Maybe it would help if I enable "Bypass firewall rules for traffic on the same interface" ?

    The network look like this.
    So if I go to the DMZ interface to the server, from the WS. (WS->SW1->SW2->PFSense->Server), I will get disconnected suddently, with the error from the first post.

    If I go to the LAN interface on the server, I will not have this issue (traffic should never go through PFSense in that case. (WS->SW1->SW3->Server).
    0_1531574301017_simple (1).png


  • Rebel Alliance Global Moderator

    You can not do that... And you have your server connected to 2 different networks.. Both with default routes I take it.. So you talk to server from lan to dmz.. He talks back via his lan connection. ASYMMETRICAL!! Now you have problems with states on the firewall.

    How exactly is that IOT stuff being on a vlan? Doesn't work that way..

    Is your sw3 L3 and routing? If so then your lan needs to be transit network and not have hosts on it.. Because how do they get to the vlan network without talking to their gateway on pfsense? Which causes hairpin and asymmetrical traffic, etc.



  • Oh, I see! Thx!

    There is only 1 route configured on the server (default route), which is towards the LAN connection..
    I thought it would take the same route back it came from, unless an route told it otherwise. :)



  • @lbm_ said in TCP:RA, TCP:A, TCP:PA blocked ?:

    Oh, I see! Thx!

    There is only 1 route configured on the server (default route), which is towards the LAN connection..
    I thought it would take the same route back it came from, unless an route told it otherwise. :)

    Every node in a network does their routing 100% autonomously without consulting anyone else and routing is always stateless meaning there is no memory of the previous packets that arrived or if they were part of an active connection or not.


  • Rebel Alliance Global Moderator

    Even if you have only 1 default route. When I see traffic from 192.168.x and I have an an interface in 192.168.x - then that is where you respond with.



  • @johnpoz said in TCP:RA, TCP:A, TCP:PA blocked ?:

    Even if you have only 1 default route. When I see traffic from 192.168.x and I have an an interface in 192.168.x - then that is where you respond with.

    Thx, it makes sense. :)

    Are there any way to solve this ? Its not an big issue at all, im just curious.