Default deny rule IPv4 Blocking Traffic on Same Subnet



  • Hello,

    My apologies if I missed any similar posts regarding my issue. I recently upgraded to pfSense 2.4.4 and ever since I am unable to ssh into a server on the same subnet. I noticed the following in the firewall logs when I attempt to connect:

    X Nov 3 12:33:27 VLAN2 10.2.0.240:22 10.2.0.103:37558 TCP:SA

    With the following being the reason for the deny:

    The rule that triggered this action is:

    @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

    I do not have any rules other than the default for that VLAN:


    I can ping the server and connect from a different subnet (vlan4) but I cannot connect on the same subnet. Tried two different machines.

    What am I missing? Any help is greatly appreciated.

    Ray


  • Netgate

    The firewall/router is not involved in same-subnet traffic so if anyone is sending that traffic to the firewall instead of the host on the same subnet directly, it is configured incorrectly.

    Sounds like you have managed to create asymmetric routing somehow.
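
    The reasoning above, as an added example that is not part of the thread: a small Python check that parses blocked-packet lines in the format quoted in the question and flags ones where both endpoints sit inside the interface's own subnet (traffic that should never have reached the firewall) or where pf only ever saw the reply half of a TCP handshake. The VLAN2 subnet 10.2.0.0/24 and the second log line are assumptions, constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines in the format shown in the question
# (action, date, interface, src:port, dst:port, proto:flags).
SAMPLE_LOG = """\
X Nov 3 12:33:27 VLAN2 10.2.0.240:22 10.2.0.103:37558 TCP:SA
X Nov 3 12:33:30 VLAN2 10.2.0.50:44000 203.0.113.5:443 TCP:S
"""

# Assumed interface subnet for VLAN2; the thread does not state the mask.
INTERFACE_SUBNETS = {"VLAN2": ipaddress.ip_network("10.2.0.0/24")}

LINE_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<date>\w+ \d+ [\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)(?::(?P<flags>\w+))?$"
)


def parse_line(line):
    """Parse one firewall log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    return entry


def classify(entry, subnets=INTERFACE_SUBNETS):
    """Return a short diagnosis for one blocked-packet entry."""
    net = subnets.get(entry["iface"])
    if net is None:
        return "unknown interface"
    same_subnet = entry["src"] in net and entry["dst"] in net
    # A SYN-ACK (or later segment) with no state means pf never saw the SYN:
    # the forward half of the flow bypassed the firewall.
    reply_only = entry["proto"] == "TCP" and entry["flags"] in ("SA", "A", "PA", "FA")
    if same_subnet:
        return "same-subnet traffic reached firewall: asymmetric routing or wrong netmask/gateway on a host"
    if reply_only:
        return "reply without state: asymmetric routing"
    return "ordinary default-deny block"


def diagnose(log=SAMPLE_LOG, subnets=INTERFACE_SUBNETS):
    """Classify every parseable line of the log."""
    return [classify(e, subnets) for e in map(parse_line, log.splitlines()) if e]
```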



  • @derelict Thanks for the response. You are absolutely right and I knew that but was second guessing myself since it has been a while since I've worked with routing.

    Any ideas on how I figure out how I mucked this up?


  • Netgate

    What are the IP addresses, gateways, and netmasks of the two hosts that cannot communicate?

    What is the IP address and netmask of the pfSense VLAN2 interface?