Assymetric Routing symptoms with only one WAN link

  • Hello there,

    I have been struggling with my pfsense for days now and i am stuck, so i have come to you for help.

    The setup:

    1. Sagemcom box from my ISP set into Bridge Mode.
    2. pfsense firewall with 3 interfaces (2 used) WAN and LAN
    3. Unifi 60 W PoE Switch
    4. Unifi Pro AP
    5. Lenovo T460S laptop

    My ISP have assigned the MAC of my pfsense on their side, and that have given me a public IP on my WAN interface.
    I can ping by adresses and hostnames with success, both internal and public, so i believe my DNS is fine.

    Here is a trace to google from my WAN interface:
    None of these hops belong to me.

    Looking at the system log i can see that TCP:SA traffic is blocked by the Default deny rule IPv4 on the WAN interface.
    Looking at states i can see that all HTTP and HTTPS traffic is eiteher syn_sent:closed or closed:syn_set.

    Something that i do not understand is that the source IP of the blocked packages are allways the same IP on port 7000 (MMS/UDP), with my WAN interface as destination on port 649. A easy rule from the log did not do anything good for me.

    I have done everything i can find, at one point i even created an allow all rule on my WAN, but no lock.
    A floating rule with sloppy state, the Bypass firewall rules for traffic on the same interface option and much other things have been put to the test. Meanwhile a ton of reboots have been done to both the pfsense and the bridge modem.

    Nothing is working and the family is not so happy about it, so i think it is about time to post it here.
    It looks like asymmetric routing, but with only one WAN, i cannot see how that is possible.

    I feel like i have been close to a real connection, at one point YouTube and Google where browsable, but nothing else.

    Please help me deliver Internet in great speeds to my household, so i dont have to rely on the magic box that my ISP sent me.

  • Netgate Administrator

    So what is the actual problem here? You are unable to browse the web from clients behind the firewall?

    That blocked TCP:SA traffic looks like a coincidence to me if it's always from the same remote IP. It's something in particular triggering that.

    Do you have outbound NAT set to automatic still?

    Check the routing table in Diag > Routes, do you have a default route?

    How are you getting a WAN IP? DHCP from your ISP? Is it pulling a valid IP and gateway? I would assume it is since you can ping out correctly.

    Check you can open TCP connections? Go to Diag > Port Test. Try to open port 443 to

    When you try to open a webpage from a client what actual error do you see?


Log in to reply