pfSense drops some packets?



  • This is my configuration:
    10.1.1.254 (pfSense)     for NAT, and also set with a WAN IP
    10.1.1.247 (static route)
    and
    10.1.2.x
    10.1.2.254 (router)

    But my 10.1.2.x can ping 10.1.1.x, but can't ping any WAN IP;
    it can't connect to 10.1.1.x with any TCP packets.

    When I ssh from 10.1.1.x to 10.1.2.x, it fails, too.
    Maybe pfSense drops some ACK packets from 10.1.1.x to 10.1.2.x.
    How can I tune my pfSense to make it pass this kind of packet, or filter more loosely?



  • What subnet mask are you using?  If it's not /24 (or greater) then that will cause the problem you're describing.



  • So I should set subnet mask /24 in pfSense?

    I did, but it doesn't work.

    From 10.1.2.x, traceroute 10.1.1.x
    shows:
    1. 10.1.2.254
    2. 10.255.255.1
    3. 10.1.1.x

    Or, the other way: I set the 10.1.2.x default route to 10.1.1.247.
    It works fine,
    so I think pfSense has something wrong.

    I found this in the system log:

    block Apr 30 03:39:48  LAN  10.1.1.115:80  10.1.2.101:51992  TCP
    The rule that triggered this action is:

    @49 block drop in log quick all label "Default deny rule"

    The packet from 10.1.1.115 to 10.1.2.101 has been dropped by pfSense.

    How could I make it pass @@



  • All the 10. networks need to be using /24 (or greater) based upon what little you've posted.

    Maybe if you posted a simple diagram of your network, showing what's connected where and what the IP addresses and subnet masks are?



  • 
                          WAN (public)
                               |
        -----------------------|-----------------------
                               |  private LAN
        10.1.1.254 (pfSense) NAT ----------------------> 10.1.2.254 (router)
           with public IP                                       |
             |             |                                    |
             |      10.1.1.247 (static route)              10.1.2.x/24
        10.1.1.x/24

    I think the problem happens at the link between pfSense and 10.1.2.254:
    pfSense drops TCP packets from 10.1.1.x/24 to 10.1.2.x/24,
    but when I change the firewall's settings, it doesn't work.

    When I tried telnet to 10.1.1.x/24 port 80 from 10.1.2.x/24,
    I always got a time-out result.
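The log line quoted two posts up and the diagram in this post describe the same thing: a reply packet (10.1.1.115:80 to 10.1.2.101:51992) arriving on LAN and being caught by the default deny rule, while pfSense's only route to 10.1.2.0/24 is a static route whose gateway 10.1.1.247 also sits on LAN. The following is an added example (my own code, not from this thread or from pfSense) that parses log lines in the displayed format shown above and labels each block as a same-interface "hairpin" reply, a plain hairpin, or an ordinary default-deny hit. The interface and static-route tables are constructed from the diagram, the sample log lines other than the thread's own are made up, and the "low source port, high destination port" heuristic is only a rough reply detector.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed topology, taken from the thread's diagram (assumption: these are
# the only internal networks, and pfSense reaches 10.1.2.0/24 via a static
# route whose gateway 10.1.1.247 sits on the same LAN interface).
INTERFACE_NETS = {"LAN": ipaddress.ip_network("10.1.1.0/24")}
STATIC_ROUTES = {ipaddress.ip_network("10.1.2.0/24"): ipaddress.ip_address("10.1.1.247")}

# Matches the firewall-log format as displayed in the pfSense GUI and quoted
# in the thread: "block Apr 30 03:39:48  LAN  10.1.1.115:80  10.1.2.101:51992  TCP"
LINE_RE = re.compile(
    r"^(?P<action>block|pass)\s+"
    r"(?P<stamp>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)"
)


@dataclass
class LogEntry:
    action: str
    iface: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one displayed log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(m["action"], m["iface"],
                    ipaddress.ip_address(m["src"]), int(m["sport"]),
                    ipaddress.ip_address(m["dst"]), int(m["dport"]), m["proto"])


def egress_iface(dst: ipaddress.IPv4Address) -> str:
    """Interface pfSense would forward a packet for dst out of; a static route
    is resolved through the interface that owns its gateway address."""
    for net, gw in STATIC_ROUTES.items():
        if dst in net:
            for iface, inet in INTERFACE_NETS.items():
                if gw in inet:
                    return iface
    for iface, inet in INTERFACE_NETS.items():
        if dst in inet:
            return iface
    return "WAN"  # everything else follows the default route


def classify(entry: LogEntry) -> str:
    """'passed' for non-blocks; 'hairpin-reply' when the packet was blocked on
    the interface it would also leave on and looks like a server reply (low
    source port), which is the usual signature of asymmetric routing: the
    forward leg never created a state on the firewall, so the reply matches
    nothing but the default deny; 'hairpin' for same-interface forwarding that
    is not reply-shaped; 'default-deny' otherwise."""
    if entry.action != "block":
        return "passed"
    hairpin = egress_iface(entry.dst) == entry.iface
    reply_shaped = entry.proto == "TCP" and entry.sport < 1024 <= entry.dport
    if hairpin and reply_shaped:
        return "hairpin-reply"
    if hairpin:
        return "hairpin"
    return "default-deny"


def summarize(lines) -> Counter:
    """Count verdicts over an iterable of log lines, skipping unparsable ones."""
    verdicts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            verdicts[classify(entry)] += 1
    return verdicts


# Constructed sample: the thread's own line plus made-up lines for contrast.
SAMPLE_LOG = [
    "block Apr 30 03:39:48  LAN  10.1.1.115:80  10.1.2.101:51992  TCP",
    "block Apr 30 03:39:49  LAN  10.1.1.115:22  10.1.2.101:51993  TCP",
    "block Apr 30 03:40:02  WAN  203.0.113.9:40444  10.1.1.254:22  TCP",
    "pass  Apr 30 03:40:05  LAN  10.1.1.20:51000  198.51.100.7:443  TCP",
    "not a firewall log line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_line(line)
        print(f"{classify(entry) if entry else 'unparsed':14} {line}")
    print(dict(summarize(SAMPLE_LOG)))
```

If most LAN blocks come out as hairpin replies, the cause is the routing design rather than a missing pass rule: the 10.1.2.x hosts send their forward packets through 10.1.2.254 and 10.255.255.1, bypassing pfSense, so pfSense only ever sees the reply leg and drops it as stateless traffic. That matches the poster's own observation that pointing the 10.1.2.x default route at 10.1.1.247 (so neither leg crosses pfSense) makes everything work; pfSense also has a "Static route filtering" option under System > Advanced > Firewall & NAT that bypasses the rules for traffic whose static-route gateway is on the interface it arrived on.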



  • Do you have rules on both interfaces allowing traffic to the other LAN?  Are the clients on each LAN able to reach the Internet?

    Do you really have 10.1.1.x/24 on both the WAN and the LAN interfaces of the pfSense host?

