Netgate Discussion Forum

    Default deny rule IPv4 Blocking Traffic on Same Subnet

    rayray221

      Hello,

      My apologies if I missed any similar posts regarding my issue. I recently upgraded to pfSense 2.4.4 and ever since I am unable to ssh into a server on the same subnet. I noticed the following in the firewall logs when I attempt to connect:

      X Nov 3 12:33:27 VLAN2 10.2.0.240:22 10.2.0.103:37558 TCP:SA

      With the following being the reason for the deny:

      The rule that triggered this action is:

      @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

      I do not have any rules other than the default for that VLAN:

      [attached screenshot of the VLAN's firewall rules]

      I can ping the server and connect from a different subnet (vlan4) but I cannot connect on the same subnet. Tried two different machines.

      What am I missing? Any help is greatly appreciated.

      Ray

      Derelict, Netgate

        The firewall/router is not involved in same-subnet traffic so if anyone is sending that traffic to the firewall instead of the host on the same subnet directly, it is configured incorrectly.

        Sounds like you have managed to create asymmetric routing somehow.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        rayray221 (replying to Derelict)

          @derelict Thanks for the response. You are absolutely right and I knew that but was second guessing myself since it has been a while since I've worked with routing.

          Any ideas on how I figure out how I mucked this up?

          Derelict, Netgate

            What are the IP addresses, gateways, and netmasks of the two hosts that cannot communicate?

            What is the IP address and netmask of the pfSense VLAN2 interface?


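An added triage helper, not from this thread or from pfSense, for the kind of log entry Ray posted and the netmask questions Derelict asks above. It assumes the GUI-style column layout shown in the post (date, interface, src:port, dst:port, proto:flags) and uses interface addresses I made up; it flags blocked packets whose source and destination both lie on the logging interface's own subnet, which a correctly configured host would never send to the firewall, and calls out the SYN-ACK-without-SYN case that the default deny rule matched here.

```python
import ipaddress
import re

# Constructed sample lines in the layout the post shows: date, interface, src:port, dst:port, proto:flags
SAMPLE_LOG = """\
Nov 3 12:33:27 VLAN2 10.2.0.240:22 10.2.0.103:37558 TCP:SA
Nov 3 12:33:29 VLAN2 10.2.0.240:22 10.2.0.103:37558 TCP:SA
Nov 3 12:34:01 VLAN4 10.4.0.17:49220 10.2.0.240:22 TCP:S
"""

# Hypothetical pfSense interface addresses; substitute the firewall's own
INTERFACES = {
    "VLAN2": ipaddress.ip_interface("10.2.0.1/24"),
    "VLAN4": ipaddress.ip_interface("10.4.0.1/24"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP)(?::(?P<flags>\S+))?$"
)

def parse_line(line):
    """Split one log line into fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry, interfaces):
    """Explain why a blocked packet points at asymmetric routing, or return None."""
    iface = interfaces.get(entry["iface"])
    if iface is None:
        return None
    src, dst = ipaddress.ip_address(entry["src"]), ipaddress.ip_address(entry["dst"])
    if src not in iface.network or dst not in iface.network:
        return None  # crosses subnets, so the firewall is legitimately on the path
    # Same-subnet hosts talk at layer 2; the firewall only sees this packet because the
    # sender routed it to its gateway, so the sender's netmask/gateway is the suspect.
    reason = f"same-subnet packet {src} -> {dst} reached the firewall; check {src}'s netmask"
    if entry["proto"] == "TCP" and entry["flags"] == "SA":
        reason += " (SYN-ACK with no SYN seen, so no state existed and default deny matched)"
    return reason

def find_asymmetric(log_text, interfaces=INTERFACES):
    """Return (interface, src, dst, reason) for each suspicious blocked packet."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and (reason := classify(entry, interfaces)):
            findings.append((entry["iface"], entry["src"], entry["dst"], reason))
    return findings
```

Paste lines copied from Status > System Logs > Firewall into SAMPLE_LOG and fill INTERFACES with the firewall's real interface addresses; the source host of each flagged line is the one whose netmask or gateway to inspect first.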
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.