Netgate Discussion Forum

TCP:RA, TCP:A, TCP:PA blocked ?

Firewalling
10 Posts 3 Posters 26.8k Views
    lbm_
    last edited by lbm_ Jul 7, 2018, 12:09 PM Jul 7, 2018, 12:08 PM

    Hi Guys,

    I have a pfSense box with 3 NICs: WAN, LAN and DMZ. The traffic works as intended, and so do the rules. But after some time, I get disconnected (LAN->DMZ traffic), with TCP:RA, A, PA shown in the firewall logs in pfSense.

    From WAN -> DMZ I have no issues...

    [image: 2_1530965232623_Capture.PNG]

    Rules LAN
    [image: 1_1530965232622_Capture2.PNG]
    Rules DMZ
    [image: 0_1530965232622_Capture3.PNG]

    I've tried to set the firewall options to conservative, as described here, with not much luck: https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx

      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz Jul 7, 2018, 1:43 PM Jul 7, 2018, 1:41 PM

      Those sorts of blocks are normally a sign of asymmetrical traffic.

      Or you could have dupe packets... You understand that first hit you show is RA, or RESET ACK... This is basically the client saying F OFF, done.. FA would be the way to normally close a TCP session. But RA can be seen sometimes depending on how the client/application is designed..

      Are these devices wireless?

      Once a state is closed, then yeah any other packets that are not SYN would be blocked. A firewall only creates a state with the start of a conversation.. I.e. the handshake SYN, SYN/ACK

      So if firewall sees Fin and closes the state, then any other packets still being seen would be out of state and blocked.

      https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html

      How exactly do you have these networks wired? Are they physically isolated with different switches, do devices use different gateways than the pfSense IP? Are you using a dumb switch to try and isolate your VLANs - maybe you have your VLANs on your switch misconfigured and are running multiple layer 3s on the same layer 2?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        lbm_
        last edited by Jul 13, 2018, 10:49 PM

        Hi,
        Thanks for the reply.

        No, it's not wireless devices. Actually the wireless devices seem to work fine. The issue seems to be only with wired devices.

        The network looks like this.

        Switch1 - Unmanaged
        Switch2 - Unmanaged
        Switch3 - Managed

        PFSense has 3 NICs, (and a WLAN). WAN,LAN,DMZ.

        PFSense(DMZ)<->Server(DMZ)
        PFSense(WAN)<->Internet
        PFSense(LAN)<->Switch2, from which it spans to further switches.

        Workstation<->Switch1<->Switch2<->PFsense(LAN)
        Switch1<->Switch3<->Server(LAN)

          johnpoz LAYER 8 Global Moderator
          last edited by Jul 14, 2018, 10:59 AM

          If you want to work with VLANs then you need a smart switch... Your dumb switch can be downstream of your smart switch and then all devices on that dumb switch would have to be on the same VLAN..

          Your switch 3 needs to be directly connected to pfSense and you can run VLANs on those ports, then downstream from switch 3 you can put your dumb switches on any VLAN you want.. But all devices on that dumb switch will be on the same VLAN.


            lbm_
            last edited by Jul 14, 2018, 1:18 PM

            Yes I'm aware, and that's really not the case. I only use the VLAN for IoT, so it's still kind of a mystery to me why this happens. Maybe it would help if I enable "Bypass firewall rules for traffic on the same interface"?

            The network looks like this.
            So if I go to the DMZ interface of the server from the WS (WS->SW1->SW2->PFSense->Server), I will get disconnected suddenly, with the error from the first post.

            If I go to the LAN interface on the server, I will not have this issue (traffic should never go through PFSense in that case: WS->SW1->SW3->Server).
            [image: 0_1531574301017_simple (1).png]

              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Jul 15, 2018, 10:21 AM Jul 15, 2018, 10:18 AM

              You cannot do that... And you have your server connected to 2 different networks.. Both with default routes I take it.. So you talk to the server from LAN to DMZ.. He talks back via his LAN connection. ASYMMETRICAL!! Now you have problems with states on the firewall.

              How exactly is that IoT stuff on a VLAN? Doesn't work that way..

              Is your sw3 L3 and routing? If so then your LAN needs to be a transit network and not have hosts on it.. Because how do they get to the VLAN network without talking to their gateway on pfSense? Which causes hairpin and asymmetrical traffic, etc.


                lbm_
                last edited by Jul 16, 2018, 8:10 AM

                Oh, I see! Thx!

                There is only 1 route configured on the server (default route), which is towards the LAN connection..
                I thought it would take the same route back it came from, unless a route told it otherwise. :)

                  kpa @lbm_
                  last edited by Jul 16, 2018, 9:31 AM

                  @lbm_ said in TCP:RA, TCP:A, TCP:PA blocked ?:

                  Oh, I see! Thx!

                  There is only 1 route configured on the server (default route), which is towards the LAN connection..
                  I thought it would take the same route back it came from, unless a route told it otherwise. :)

                  Every node in a network does its routing 100% autonomously without consulting anyone else, and routing is always stateless, meaning there is no memory of the previous packets that arrived or whether they were part of an active connection or not.

                    johnpoz LAYER 8 Global Moderator
                    last edited by Jul 16, 2018, 11:05 AM

                    Even if you have only 1 default route: when I see traffic from 192.168.x and I have an interface in 192.168.x, then that is where you respond from.


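The two explanations above (johnpoz: a firewall only creates a state on the SYN and drops anything else that has no state; kpa and johnpoz: each host routes every packet on its own, statelessly, and answers out of the interface whose subnet matches) can be put together in a small model. This is an added example written for this thread, not pfSense code and not code posted by any participant. The addresses, NIC names, port numbers, the packet exchange and the two state timeouts are all constructed; the timeouts are only loosely modelled on the idea of a short timeout for a half-open state and a long one for an established state, not pfSense's actual values. The flag abbreviations (S, SA, A, PA, FA, RA) follow the ones pfSense prints in its firewall log, as quoted in the thread title.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses: a LAN workstation and the server's DMZ-side address.
WS_IP, WS_PORT = "192.168.1.50", 50000
SERVER_DMZ_IP, SERVER_PORT = "172.16.0.10", 22

Route = namedtuple("Route", "prefix iface")
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags as pfSense logs them: S, SA, A, PA, FA, RA


def select_egress(routes, dst):
    """Per-packet, stateless forwarding decision: the longest matching prefix wins.

    A directly connected /24 beats the /0 default route, so a reply to 192.168.1.x
    leaves via the LAN NIC even though the request arrived on the DMZ NIC."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).iface


# The thread's setup: two NICs, one default route pointing out the LAN side.
SERVER_ROUTES_DUAL = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),
    Route(ipaddress.ip_network("172.16.0.0/24"), "dmz"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "lan"),
]
# The fix: server reachable only through the DMZ, default route via pfSense's DMZ address.
SERVER_ROUTES_DMZ_ONLY = [
    Route(ipaddress.ip_network("172.16.0.0/24"), "dmz"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "dmz"),
]


class StatefulFirewall:
    """Minimal pf-like state table: a state is only ever created by a SYN."""
    FIRST_TIMEOUT = 120.0          # assumed: only the initiator has been seen so far
    ESTABLISHED_TIMEOUT = 86400.0  # assumed: both directions have been seen

    def __init__(self):
        self.states = {}   # flow key -> {"initiator", "stage", "expires"}
        self.blocked = []  # one log line per dropped packet

    def inspect(self, now, pkt):
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        st = self.states.get(key)
        if st is not None and st["expires"] <= now:
            del self.states[key]  # idle timeout: the state is gone
            st = None
        if st is None:
            if pkt.flags == "S":  # only the start of a conversation opens a state
                self.states[key] = {"initiator": (pkt.src, pkt.sport),
                                    "stage": "opening", "expires": now + self.FIRST_TIMEOUT}
                return "pass"
            self.blocked.append(f"TCP:{pkt.flags} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "block"        # mid-stream packet with no state: this is the log entry
        if (pkt.src, pkt.sport) != st["initiator"]:
            st["stage"] = "established"  # the other side answered through us
        idle = self.ESTABLISHED_TIMEOUT if st["stage"] == "established" else self.FIRST_TIMEOUT
        st["expires"] = now + idle
        if pkt.flags in ("FA", "RA"):
            del self.states[key]  # FIN or RST closes the state
        return "pass"


# Constructed exchange: handshake, data, a 3-minute idle gap, more data, then a reset.
CONVERSATION = [
    (0.00, "c2s", "S"), (0.01, "s2c", "SA"), (0.02, "c2s", "A"),
    (5.00, "c2s", "PA"), (5.01, "s2c", "PA"), (5.02, "c2s", "A"),
    (180.00, "c2s", "PA"), (180.01, "s2c", "PA"), (180.02, "c2s", "A"),
    (181.00, "c2s", "RA"),
]


def run_conversation(server_routes):
    """Replay CONVERSATION through pfSense and return its blocked-packet log.

    Client packets always transit pfSense (its LAN address is the workstation's route to
    the DMZ). Server packets transit pfSense only when the server routes them out 'dmz';
    anything routed out 'lan' reaches the workstation over the switches, unseen."""
    fw = StatefulFirewall()
    for now, direction, flags in CONVERSATION:
        if direction == "c2s":
            fw.inspect(now, Packet(WS_IP, WS_PORT, SERVER_DMZ_IP, SERVER_PORT, flags))
        elif select_egress(server_routes, WS_IP) == "dmz":
            fw.inspect(now, Packet(SERVER_DMZ_IP, SERVER_PORT, WS_IP, WS_PORT, flags))
    return fw.blocked


if __name__ == "__main__":
    print("dual-homed server:", run_conversation(SERVER_ROUTES_DUAL))
    print("dmz-only server  :", run_conversation(SERVER_ROUTES_DMZ_ONLY))
```

With the dual-homed routing table the firewall sees the SYN and the workstation's later packets but never the server's SYN/ACK, so the state never leaves the short-lived "opening" stage; once the idle gap outlasts that timeout, the next PA, A and RA from the workstation are logged as out-of-state blocks, which is the pattern in the first post. With the server single-homed on the DMZ, every reply passes back through pfSense, the state becomes established, and nothing is blocked.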
                      lbm_ @johnpoz
                      last edited by Jul 16, 2018, 8:57 PM

                      @johnpoz said in TCP:RA, TCP:A, TCP:PA blocked ?:

                      Even if you have only 1 default route: when I see traffic from 192.168.x and I have an interface in 192.168.x, then that is where you respond from.

                      Thx, it makes sense. :)

                      Is there any way to solve this? It's not a big issue at all, I'm just curious.

                      • serbus referenced this topic on Dec 26, 2021, 3:00 PM
                      • serbus referenced this topic on Dec 26, 2021, 3:01 PM
                      • Elmojo referenced this topic on Dec 26, 2021, 5:39 PM
                      • bingo600 referenced this topic on May 22, 2022, 1:41 PM
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.