how to get pfsense to Allow this rule



  • Feb 22 16:26:19 LAN Default deny rule IPv4 (1000000103) 79.137.55.101:80 185.67.60.217:57527 TCP:SA
    Pfsense is blocking this rule

    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
    As per the documentation I created 2 rules.

    on the LAN interface:
    IPv4 TCP 79.137.55.101 * * * * none
    on the Floating tab:
    0 /857 KiB IPv4 * 79.137.55.101 * * * * none (interface LAN and Any flags selected)

    but still the firewall is dropping the packets.
    I hope someone could explain to me what I'm doing wrong here.


  • LAYER 8 Global Moderator

    Well SA (syn,ack) screams asymmetrical - ie pfsense never saw the syn to open the state... Or your states got reset and now the state is not there so blocked.

    Correct fix is to not do asymmetrical.

    Did you change the IPs in your post, those are both public IPs... Do you have public IP space behind pfsense? That you own or have been assigned for you to use..

    So that 79.137 saw a syn to its port 80 that did not pass through pfsense, so why is it sending back the SA through pfsense?
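As an added example (not code from this thread, from Netgate or from the pfSense project), a small Python parser for firewall-log lines in the layout quoted in the first post that flags drops which look like asymmetric-routing symptoms: TCP packets hit by the default deny rule whose flags are anything other than a bare SYN, which is exactly the SA case the moderator points at. The assumed log layout, the constructed sample lines other than the one quoted above, and the handling of ECN flag bits are assumptions, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of a firewall-log line as the pfSense GUI renders it (assumption:
# it matches the entry quoted in the thread):
#   <timestamp> <iface> <rule description> <IPv4|IPv6> (<rule id>)
#   <src>:<sport> <dst>:<dport> <PROTO>[:<tcp flags>]
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<iface>\S+) "
    r"(?P<rule>.+?) "
    r"(?P<af>IPv[46]) "
    r"\((?P<rid>\d+)\) "
    r"(?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)


@dataclass
class BlockedEntry:
    timestamp: str
    interface: str
    rule: str
    rule_id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flag letters as pfSense shows them ("S", "SA", "PA", ...); "" for non-TCP


def parse_line(line: str) -> Optional[BlockedEntry]:
    """Parse one GUI-style firewall log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return BlockedEntry(
        timestamp=m["ts"],
        interface=m["iface"],
        rule=m["rule"],
        rule_id=m["rid"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        proto=m["proto"],
        flags=m["flags"] or "",
    )


def is_asymmetric_symptom(entry: BlockedEntry) -> bool:
    """A stateful firewall only creates state on the initial SYN. A TCP packet
    dropped by the default deny rule whose flags are anything other than a
    bare SYN (SA, A, PA, FA, ...) belongs to a connection pfSense holds no
    state for: either the SYN took a path around the firewall (asymmetric
    routing) or the state was lost. ECN bits (E, W) are ignored (assumption)
    when deciding whether the packet is a bare SYN."""
    if entry.proto != "TCP" or "Default deny" not in entry.rule:
        return False
    flags = set(entry.flags) - {"E", "W"}
    return flags != {"S"}


def find_asymmetric_symptoms(lines: List[str]) -> List[BlockedEntry]:
    """Return the parsed entries that look like asymmetric-routing drops."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_asymmetric_symptom(entry):
            hits.append(entry)
    return hits


# Constructed sample input: the first line is the entry quoted in the thread,
# the rest are made-up lines in the same layout (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "Feb 22 16:26:19 LAN Default deny rule IPv4 (1000000103) 79.137.55.101:80 185.67.60.217:57527 TCP:SA",
    "Feb 22 16:26:20 WAN Default deny rule IPv4 (1000000103) 203.0.113.5:51000 198.51.100.7:22 TCP:S",
    "Feb 22 16:26:21 WAN Default deny rule IPv4 (1000000103) 203.0.113.9:5353 198.51.100.7:5353 UDP",
    "Feb 22 16:26:22 LAN Default deny rule IPv4 (1000000103) 79.137.55.101:80 185.67.60.217:57527 TCP:PA",
]

if __name__ == "__main__":
    for hit in find_asymmetric_symptoms(SAMPLE_LINES):
        print(f"{hit.timestamp} {hit.interface}: {hit.src}:{hit.sport} -> "
              f"{hit.dst}:{hit.dport} flags={hit.flags} (no state; check the routing path)")
```

Running the block over the constructed sample reports the quoted SA entry and the PA entry, and leaves the plain SYN and the UDP drop alone; a burst of such hits for one host pair is the signal to go check where the SYN actually travelled rather than to loosen the rule set.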



  • No I did not change the IP in the post.
    Yes I have public IP space behind pfsense that I have been assigned and I'm trying to use.
    True. The pfsense did not see this connection before. But I still want to allow this behavior.
    While I know this is bad by design I still prefer to make this possible anyway.

    The 79.137.55.101 is behind pfsense and I want to route that to the internet so it arrives at 185.67.60.217.

    Question is why is it not working? I did what the documentation describes.


  • LAYER 8 Global Moderator

    And how do you think it's going to work, even if you allow the traffic... How did the syn get to the box without going through pfsense, and now the answer is going to flow through pfsense - so how is it going to get back to the sender?

    Asymmetrical is BAD... Correct it vs trying to get to work... If you want asymmetrical traffic flow you wouldn't be using a "stateful" firewall..

    Draw up how this is connected - and why you think asymmetrical flow is the solution.. Which it's not - never is, never will be.. It's pretty borked no matter how you look at it.

    Maybe a client will not even accept the traffic even if it gets back... Because it's from a different mac... Either I sent the traffic to the mac of my gateway, so traffic should come back from that mac.. Or I sent it to the device, so it should come back from that mac... Again asymmetrical is BAD!!!

