pfSense drops some packets?

  • This is my configuration (pfSense, used for NAT, and also with a WAN IP route set).

    But my 10.1.2.x hosts can ping 10.1.1.x, yet they can't ping any WAN IP,
    and they can't connect to 10.1.1.x with any TCP packets.

    When I ssh from 10.1.1.x to 10.1.2.x, it fails too.
    Maybe pfSense drops some ACK packets from 10.1.1.x to 10.1.2.x.
    How can I tune my pfSense to make it pass this kind of packet, or filter more loosely?

  • What subnet mask are you using?  If it's not /24 (or greater) then that will cause the problem you're describing.

  • So I should set the subnet mask to /24 in pfSense?

    I did, but it doesn't work.

    From 10.1.2.x, traceroute 10.1.1.x
    shows

    The other way, when I set the 10.1.2.x default route,
    it works fine,
    so I think pfSense has something wrong.

    I found this in the system log:

    block Apr 30 03:39:48  LAN  TCP
    The rule that triggered this action is:

    @49 block drop in log quick all label "Default deny rule"

    from to: the packet was dropped by pfSense.

    How can I make it pass?

  • All the 10. networks need to be using /24 (or greater) based upon what little you've posted.

    Maybe you could post a simple diagram of your network, showing what's connected where and what the IP addresses and subnet masks are?

  • WAN
                                   |                       public

    |                       private  LAN
                                   | NAT –------------------------>
                         with public ip                              ^               |
                     |               |                                  |               |
                     | route)            |          10.1.2.x/24
                10.1.1.x/24                                          |
                                                                    I think the problem happens here.
                                                                    pfSense drops TCP packets from 10.1.1.x/24 to 10.1.2.x/24,
                                                                    but when I change the firewall's settings, it doesn't work.

    When I tried telnet to 10.1.1.x/24 port 80 from 10.1.2.x/24,
    I always got a time-out.

  • Do you have rules on both interfaces allowing traffic to the other LAN?  Are the clients on each LAN able to reach the Internet?

    Do you really have 10.1.1.x/24 on both the WAN and the LAN interfaces of the pfSense host?
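    To make the last reply concrete, here is an added example (not posted by anyone in this thread and not pfSense's generated ruleset) of a minimal pf ruleset for the two-LAN layout described above. The interface names em0/em1/em2, the rule labels and the "pass" rules are assumptions; only the "Default deny rule" line mirrors the rule quoted from the OP's log.

```pf
# Added example, not from the thread. Interface names are assumptions:
# em0 = WAN (public IP), em1 = 10.1.1.0/24 side, em2 = 10.1.2.0/24 side.
wan_if   = "em0"
lan_if   = "em1"
opt1_if  = "em2"
lan_net  = "10.1.1.0/24"
opt1_net = "10.1.2.0/24"

set skip on lo0

# NAT for both private networks out of the WAN address. In pf.conf the
# translation rules must come before the filter rules.
nat on $wan_if from { $lan_net, $opt1_net } to any -> ($wan_if)

# The rule the OP's log points at: every inbound packet on every interface
# that no later, more specific rule accepts ends up here and is logged.
block drop in log all label "Default deny rule"

# What is missing when only one side has a rule: pf evaluates "in" rules on
# the interface where the packet ENTERS the firewall, so each LAN interface
# needs its own pass rule toward the other LAN. "keep state" records the
# connection so the reply (the SYN/ACK arriving on the other interface) is
# matched to that state instead of falling through to the default deny.
pass in quick on $opt1_if inet proto { tcp, udp, icmp } from $opt1_net to $lan_net  keep state label "OPT1 to LAN"
pass in quick on $lan_if  inet proto { tcp, udp, icmp } from $lan_net  to $opt1_net keep state label "LAN to OPT1"

# Internet access for each LAN also needs a per-interface pass rule;
# the NAT rule above only rewrites addresses, it does not permit traffic.
pass in quick on $lan_if  inet from $lan_net  to any keep state label "LAN to any"
pass in quick on $opt1_if inet from $opt1_net to any keep state label "OPT1 to any"
```

    Two checks go with this. First, `pfctl -vvsr` prints the loaded rules with their `@N` numbers, so the `@49` from the log can be matched to the exact rule that fired, and `pfctl -ss` shows whether a state was ever created for the 10.1.2.x to 10.1.1.x connection. Second, because pf is stateful, both directions of a flow must pass through the same firewall: if a host's default route sends the reply around pfSense (which is what changing the 10.1.2.x default route does), the returning ACK arrives with no matching state and is dropped by the default deny, which is exactly the "pfSense drops some ACK packets" symptom in the first post. That is why the last reply's question about 10.1.1.x/24 appearing on both the WAN and LAN sides matters: an overlapping subnet produces the same asymmetric path.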