Port open yet firewall still blocking traffic



  • I have a rule set up to allow all traffic on port 6881

    yet I see this in the logs

    
    block/1000000103
    Jul 15 09:44:35	LAN	Default deny rule IPv4 (1000000103)	  10.0.0.22:6881	  5.5xxxxx:64473	TCP:PA
    Jul 15 09:44:35	LAN	Default deny rule IPv4 (1000000103)	  10.0.0.22:6881	  20xxxxx.239:36366	TCP:PA
    Jul 15 09:44:35	LAN	Default deny rule IPv4 (1000000103)	  10.0.0.22:6881	  86xxxxxx9:48842	TCP:PA
    Jul 15 09:44:35	LAN	Default deny rule IPv4 (1000000103)	  10.0.0.22:6881	  45.xxxx7:54000	TCP:PA
    Jul 15 09:44:35	LAN	Default deny rule IPv4 (1000000103)	  10.0.0.22:6881	  83.xxxx:61087	TCP:PA
    

    Can someone please explain why it's doing this, or if I'm wrong?

    Thanks


  • LAYER 8 Global Moderator

    Those look to be out of state blocks.. So it looks like something talked to 10.0.0.22 on 6881, but the answer that hit pfSense had no state.. So either it's traffic where the state has expired, or the state had been deleted.

    Normally this points to asymmetrical traffic.. The traffic got to the 10.0.0.22 device without flowing through pfsense, and then the device tried to answer via pfsense..

    Notice the PA.. What is odd is they are not SA.. Syn,Ack - which would have been the first response a client would have made.. So it points more to just out of state traffic - i.e. the state was deleted or timed out, since you're in the middle of a conversation.

    If you want more help - draw up how you have everything connected.
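    The reading johnpoz gives the log above (a bare SYN is a fresh connection attempt, SYN/ACK is a reply whose SYN the firewall never saw, and PA/FA/A without S is a segment from a conversation the firewall has no state for) can be turned into a small classifier. This is an added example, not pfSense code: the log lines are constructed in the layout of the firewall log view with documentation-range addresses instead of the masked peers from the post, and the verdict strings are my own labels.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of pfSense's firewall log view
# (timestamp, interface, matched rule, source, destination, proto:flags,
# tab-separated). Addresses come from the documentation ranges; they are
# not the masked peers from the thread.
SAMPLE_LOG = """\
Jul 15 09:44:35\tLAN\tDefault deny rule IPv4 (1000000103)\t10.0.0.22:6881\t203.0.113.10:64473\tTCP:PA
Jul 15 09:44:35\tLAN\tDefault deny rule IPv4 (1000000103)\t10.0.0.22:6881\t198.51.100.7:36366\tTCP:PA
Jul 15 09:44:36\tLAN\tDefault deny rule IPv4 (1000000103)\t10.0.0.22:6881\t192.0.2.9:48842\tTCP:FA
Jul 15 09:44:40\tWAN\tDefault deny rule IPv4 (1000000103)\t203.0.113.50:51000\t192.0.2.1:23\tTCP:S
Jul 15 09:44:41\tWAN\tDefault deny rule IPv4 (1000000103)\t203.0.113.51:443\t192.0.2.1:40000\tTCP:SA
Jul 15 09:44:42\tLAN\tDefault deny rule IPv4 (1000000103)\t10.0.0.22:6881\t203.0.113.10:64473\tUDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\t(?P<iface>[^\t]+)\t(?P<rule>[^\t]+)\t"
    r"(?P<src>[^\t]+):(?P<sport>\d+)\t(?P<dst>[^\t]+):(?P<dport>\d+)\t"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)

# Verdict labels (my own wording, not pfSense's).
NEW_ATTEMPT = "new connection attempt (SYN)"
REPLY_NO_STATE = "handshake reply with no state (SYN/ACK)"
MID_STREAM = "mid-conversation, no state (state expired, cleared, or asymmetric path)"
NON_TCP = "non-TCP (no flags to judge by)"


def parse_log(text):
    """Turn the tab-separated view into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries


def classify(entry):
    """Read the TCP flag letters the way the thread does: only a bare SYN is a
    fresh connection; anything without S belongs to an existing conversation
    that the firewall has no state for."""
    if entry["proto"] != "TCP":
        return NON_TCP
    flags = entry["flags"] or ""
    if flags == "S":
        return NEW_ATTEMPT
    if flags == "SA":
        return REPLY_NO_STATE
    if "S" not in flags:
        return MID_STREAM
    return "other"


def summarize(text):
    """Count (interface, verdict) pairs, plus the internal source ports behind
    mid-stream blocks on LAN, so the noisiest service stands out."""
    entries = parse_log(text)
    by_kind = Counter((e["iface"], classify(e)) for e in entries)
    ports = Counter(e["sport"] for e in entries
                    if e["iface"] == "LAN" and classify(e) == MID_STREAM)
    return by_kind, ports


if __name__ == "__main__":
    kinds, ports = summarize(SAMPLE_LOG)
    for (iface, kind), n in kinds.most_common():
        print(f"{n:3d}  {iface:<4} {kind}")
    print("internal source ports behind mid-stream blocks:", dict(ports))
```

    Note the direction in the thread's lines: the source is the LAN host on 6881 and the block is on the LAN interface, so these are the internal client's replies being dropped on their way out, which is exactly what a state that has gone missing mid-conversation looks like.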



  • What do you mean by draw up? Something like this?
    Untitled.jpg

    These are my rules
    Unteitled.jpg

    Tell me if there is anything else you need


  • LAYER 8 Global Moderator

    Why do you not have your port forward linked to a firewall rule like the rest of your forwards?



  • @johnpoz Oh, it is, sorry; that was just a test to see if it made any difference.


  • LAYER 8 Global Moderator

    And all your other port forwards are working?

    Not sure why you're sending both TCP/UDP to those.. I know for sure Plex, for example, does not use UDP.

    So since your client answered, the port forward worked.. So the question comes down to why you're seeing PA blocked.. This is because there is no state.. So I ask again: did you reset states, did you have, say, a temp loss of internet connectivity? Which can reset states unless you tell it not to..

    You're only seeing blocks for this port?

    Is your client wireless, and could it have moved from, say, cell to WiFi, or from one WiFi network to another.. Or from WiFi to wired, etc.? Or changed IPs?

    It could be leftover traffic that your client decided to try and continue after the loss of state on the firewall.

    Is your torrent client working? Doesn't Deluge have a test port feature? etc.? You're going to have to look into the states to see why you're losing them.. When you start a conversation, the IP wanting to talk to another IP will send Syn, the client will then answer with Syn, Ack, hey let's talk, etc..

    When pfSense sees the Syn and it's forwarded, it will create a state allowing the traffic back. In this case, where it blocks the Ack by default, it's because there is no state to allow the traffic, so the default deny blocks it.



  • @johnpoz said in Port open yet firewall still blocking traffic:

    And all your other port forwards are working?

    Not sure why you're sending both TCP/UDP to those.. I know for sure Plex, for example, does not use UDP.

    So since your client answered, the port forward worked.. So the question comes down to why you're seeing PA blocked.. This is because there is no state.. So I ask again: did you reset states, did you have, say, a temp loss of internet connectivity? Which can reset states unless you tell it not to..

    You're only seeing blocks for this port?

    Is your client wireless, and could it have moved from, say, cell to WiFi, or from one WiFi network to another.. Or from WiFi to wired, etc.? Or changed IPs?

    It could be leftover traffic that your client decided to try and continue after the loss of state on the firewall.

    Is your torrent client working? Doesn't Deluge have a test port feature? etc.? You're going to have to look into the states to see why you're losing them.. When you start a conversation, the IP wanting to talk to another IP will send Syn, the client will then answer with Syn, Ack, hey let's talk, etc..

    When pfSense sees the Syn and it's forwarded, it will create a state allowing the traffic back. In this case, where it blocks the Ack by default, it's because there is no state to allow the traffic, so the default deny blocks it.

    I'll change them to TCP only then, thanks for that.
    I see it for other ports also, but this one is by far the most.
    Yes, I reset states after changes.
    And YES, I'm having big problems with loss of internet connectivity; Deluge kills my whole network (trying to sort that one out).
    Only 3 phones use WiFi, nothing else.
    Deluge test port says it's fine; this could be the problem of torrenting killing my whole network.


  • LAYER 8 Global Moderator

    @X2LR said in Port open yet firewall still blocking traffic:

    Yes, I reset states after changes.

    Well, the client doesn't know that... So he had a connection open and wanted to continue to talk - so yeah, you're going to see those sorts of blocks until a new session is created.

    Why are you resetting the states? You would only need to do that on a specific sort of rule change, for any active states related to that specific rule.. Say you wanted to block 192.168.1.100 from talking to X.. So you created a block rule; you would have to clear the states for 192.168.1.100 talking to X to make sure that rule takes effect. You don't need to clear all of them ;)

    So that right there explains what you're seeing!

    You can adjust the pfSense settings for the WAN going offline because the monitor doesn't get an answer.. One sec and I'll post a screen of where you do that.

    edit: Uncheck this under System / Advanced / Misc
    killstates.png

    But yeah, you're going to want to set up your p2p client not to use up your whole pipe ;) Have not had to deal with any of that in many years... I don't do any p2p to my home connection.. I run a seedbox elsewhere.. But you can set up limits in the client.. And could also limit with pfSense via limiters or shaping.
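    The state lifecycle johnpoz describes across the two posts above (a forwarded SYN creates a state, the reply and later segments pass because they match it, resetting states drops the client mid-conversation so its next PA hits the default deny, and only the states for the specific hosts a new rule concerns need killing) as a small Python model. This is an added illustration, not pfSense or pf code: the packet and state-table classes, the addresses and the verdict strings are constructed and simplified, and NAT is left out (inbound packets are shown with the internal address already substituted). The one pf behaviour it keeps is that a pass rule only creates state on a bare SYN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen after NAT (hypothetical model, constructed addresses)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # pf-style letters: S, SA, A, PA, FA, R


class StatefulFirewall:
    """Toy pf-style filter: a pass rule creates state on the SYN only
    (pf's default 'flags S/SA'); every other segment must match an
    existing state or it falls through to the default deny."""

    def __init__(self, forwards):
        # forwards: {(internal_host, port)} reachable through a port forward
        # with its linked pass rule
        self.forwards = set(forwards)
        self.states = set()
        self.blocked = []  # what would show under "Default deny rule IPv4"

    @staticmethod
    def _key(pkt):
        # one state covers both directions of the conversation
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt):
        key = self._key(pkt)
        if key in self.states:
            return "pass:state"
        if pkt.flags == "S" and (pkt.dst, pkt.dport) in self.forwards:
            self.states.add(key)
            return "pass:rule"
        self.blocked.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} TCP:{pkt.flags}")
        return "block:default-deny"

    def reset_all_states(self):
        """Equivalent of clearing the whole state table."""
        self.states.clear()

    def kill_states_for_host(self, host):
        """Selective clearing: drop only states involving one host."""
        self.states = {s for s in self.states if not any(ip == host for ip, _ in s)}


LAN_HOST = "10.0.0.22"
PEER_A = ("203.0.113.10", 64473)   # constructed peer addresses
PEER_B = ("198.51.100.7", 36366)


def scenario():
    """Walk one torrent peer through handshake, state reset and selective kill."""
    fw = StatefulFirewall({(LAN_HOST, 6881)})
    v = []
    v.append(fw.process(Packet(*PEER_A, LAN_HOST, 6881, "S")))    # forwarded SYN: state created
    v.append(fw.process(Packet(LAN_HOST, 6881, *PEER_A, "SA")))   # reply matches state
    v.append(fw.process(Packet(*PEER_A, LAN_HOST, 6881, "A")))    # handshake completes
    v.append(fw.process(Packet(LAN_HOST, 6881, *PEER_A, "PA")))   # data flows
    fw.reset_all_states()                                         # "Reset states"
    v.append(fw.process(Packet(LAN_HOST, 6881, *PEER_A, "PA")))   # client keeps talking: blocked
    v.append(fw.process(Packet(*PEER_B, LAN_HOST, 6881, "S")))    # a fresh peer: state again
    fw.kill_states_for_host("10.0.0.99")                          # kill states for some other host only
    v.append(fw.process(Packet(LAN_HOST, 6881, *PEER_B, "PA")))   # untouched conversation survives
    return v, fw.blocked


if __name__ == "__main__":
    verdicts, blocked = scenario()
    for step in verdicts:
        print(step)
    print("logged as default deny:", blocked)
```

    The blocked entry the model produces has the same shape as the thread's log lines: source 10.0.0.22:6881, a remote peer as destination, flags PA, and no state to carry it.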

