Denied access from remote network



  • Hi all.
    I just configured my pfSense firewall for the internet connection. In the LAN network I configured three static routes for the remote network. From the pfSense LAN network to the remote network all traffic is OK. From the remote network to the pfSense network only ping works. Why? The firewall log shows "Default deny rule IPv4". I tried to configure a LAN rule with any/any for all traffic but it does not work. I tried to configure "Bypass firewall rules for traffic on the same interface" but it does not work.
    Thanks.


  • Rebel Alliance Global Moderator

    Draw up your setup. I have no clue what you're trying to do without a drawing. Remote network to where? Over the internet? Some upstream or downstream router? What is the transit network, etc.?

    Sounds like you're trying to use your LAN as a transit to some downstream network. That is going to be asymmetrical for anything on the LAN trying to talk to the downstream network.

    What are your LAN rules if you're trying to let this downstream network out? Is your outbound NAT NATting this downstream network?



  • @johnpoz said in Denied access from remote network:

    Draw up your setup. I have no clue what you're trying to do without a drawing. Remote network to where? Over the internet? Some upstream or downstream router? What is the transit network, etc.?

    In my LAN 1.1.1.x I have a router 1.1.1.2 that connects to the remote network 2.2.2.x. From LAN 1.1.1.x I can connect to everything in the 2.2.2.x network. But from 2.2.2.x I can only send ping. Internet access is OK.


  • Rebel Alliance Global Moderator

    That doesn't look like a drawing... And really, you're going to obfuscate RFC 1918 space?

    Are there any hosts on this LAN network? Any traffic to this downstream network is going to be asymmetrical unless you host route.

    Any downstream network of pfSense should be via a transit network.

    So 2.2.2 talks to a device in 1.1.1; your downstream router sends it directly to the host in 1.1.1, but 1.1.1.x, to answer, has to send to pfSense, its gateway. pfSense is going to say F off: where was the SYN for this traffic? I have no state. I'm not going to send that traffic anywhere.

    If you want to talk from 2.2.2 to 1.1.1 you would need to source NAT, or create routes on every host in 1.1.1 saying, hey, to get to 2.2.2 talk to the downstream router at 1.1.1.Y.

    This is why you connect via a transit network.
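    The asymmetric path johnpoz describes, and the three ways out of it (host routes, source NAT on the downstream router, a transit network), can be walked through in a small model. This is an added example, not code from the thread or from pfSense: the stateful firewall below is a simplified stand-in for pf's state table, the LAN and remote prefixes and the downstream router 1.1.1.2 are the ones in the thread, and the pfSense LAN address 1.1.1.1, the LAN host 1.1.1.50 and the remote host 2.2.2.10 are constructed for the example.

```python
"""Why a downstream network hanging off the LAN breaks stateful filtering,
and what each fix named in the thread changes about the packet path.
Added example; the firewall here is a toy model of pf's state table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("1.1.1.0/24")       # prefixes as written in the thread
REMOTE = ip_network("2.2.2.0/24")
PFSENSE = "1.1.1.1"                  # assumed LAN address of pfSense (not given in the thread)
DOWNSTREAM_RTR = "1.1.1.2"           # router on the LAN fronting 2.2.2.x (from the thread)
LAN_HOST = "1.1.1.50"                # constructed host on the LAN
REMOTE_HOST = "2.2.2.10"             # constructed host behind the downstream router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN/ACK


class StatefulFirewall:
    """State is created only by a SYN the firewall itself forwards; any other
    TCP packet must match an existing state or it is dropped and logged, which
    is the 'Default deny rule IPv4' line the asker saw."""

    def __init__(self):
        self.states = set()
        self.log = []

    def forward(self, pkt):
        if pkt.flags == "S":
            self.states.add((pkt.src, pkt.dst))
            return True
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return True
        self.log.append(f"Default deny rule IPv4: {pkt.src} -> {pkt.dst} TCP:{pkt.flags}")
        return False


class LanHost:
    """A LAN host with optional static routes; everything off-link goes to pfSense."""

    def __init__(self, addr, routes=None):
        self.addr = addr
        self.routes = routes or {}  # {ip_network: next-hop address}

    def next_hop(self, dst):
        if ip_address(dst) in LAN:
            return dst  # on-link, delivered directly
        for net, hop in self.routes.items():
            if ip_address(dst) in net:
                return hop
        return PFSENSE


def handshake(host_routes=None, snat=False, transit=False):
    """Run the first two steps of a TCP handshake from REMOTE_HOST to LAN_HOST.
    Returns (syn_ack_delivered, firewall_log)."""
    fw = StatefulFirewall()
    host = LanHost(LAN_HOST, host_routes)

    # Step 1: the SYN arrives at the LAN host. With the downstream router on the
    # LAN segment it is delivered directly and pfSense never sees it; with a
    # transit network it enters through pfSense, which creates state for it.
    syn = Packet(DOWNSTREAM_RTR if snat else REMOTE_HOST, LAN_HOST, "S")
    if transit:
        fw.forward(syn)

    # Step 2: the host answers and picks a next hop for the SYN/ACK.
    syn_ack = Packet(LAN_HOST, syn.src, "SA")
    if host.next_hop(syn_ack.dst) == PFSENSE:
        return fw.forward(syn_ack), fw.log   # only pfSense's state table decides
    return True, fw.log                       # reply stays on the LAN side entirely


def asymmetric():
    """The asker's setup: downstream router on the LAN, no host routes, no NAT."""
    return handshake()


def with_host_route():
    """Fix: route 2.2.2.0/24 via 1.1.1.2 on every LAN host."""
    return handshake(host_routes={REMOTE: DOWNSTREAM_RTR})


def with_source_nat():
    """Fix: downstream router source-NATs 2.2.2.x to its own LAN address."""
    return handshake(snat=True)


def with_transit_network():
    """Fix: downstream router on its own pfSense interface, so both directions cross pfSense."""
    return handshake(transit=True)


if __name__ == "__main__":
    for name, fn in [("asymmetric", asymmetric), ("host route", with_host_route),
                     ("source NAT", with_source_nat), ("transit", with_transit_network)]:
        ok, log = fn()
        print(f"{name:11s}: {'handshake completes' if ok else 'SYN/ACK dropped'} {log}")
```

    The model shows the diagnostic signature as well as the fix: in the asymmetric case the only packet pfSense ever sees is the reply, so the block log fills with LAN-sourced TCP packets carrying SA (or A) flags toward the remote prefix, with no matching SYN before them. The host-route and source-NAT fixes work by keeping the reply off pfSense altogether; the transit-network design works by putting both directions through it, which is why it is the one that also keeps the firewall's state and rules meaningful for that traffic.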



  • I just installed the latest release and restarted the firewall. Now everything is OK. I can access all networks.
    Thanks.