Netgate Discussion Forum
    Simple firewall as router

    General pfSense Questions
    6 Posts 2 Posters 595 Views
    tomli

      Hi all,

      Can pfSense not check the TCP SYN flag and keep state on all interfaces? For example:

      Action: Accept
      Interface: LAN
      Protocol: tcp
      Source: *
      Source port: *
      Destination: 202.x.x.x.x
      Destination port: 443

      If the destination and destination port match, allow the packet outgoing to the WAN interface even if asymmetric routing occurs (currently pfSense uses the default IPv4 block rule to block the packet).

      Please advise.

      stephenw10 (Netgate Administrator)

        Yes: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

        But really you should find out why it's asymmetric and fix that.

        Unless you really want it to be a router only in which case you can disable pf entirely.

        Steve

        tomli @stephenw10

          Hi Steve,

          I read the doc before and followed it to configure this. It does not work.

          My flow is:
          ISP1 ---- (WAN) Router (LAN) ---- Server---(LAN) Pfsense (WAN)----ISP2.

          In pfSense:

          1. checked the "Bypass firewall rules for traffic on the same interface" option under System > Advanced on the Firewall/NAT tab

          2. added the same rule on the LAN and Floating interfaces:
            Action: Accept
            Interface: LAN
            Protocol: tcp
            Source: *
            Source port: *
            Destination: 202.x.x.x.x
            Destination port: 443
            State type: sloppy
            TCP flags: any flags

          stephenw10 (Netgate Administrator)

            That rule would have to exist in on LAN and out on WAN since states would not exist on either interface.

            If that traffic is replies going back from the server via ISP2 the destination port will not be 443. The client would have used that initially. The destination IP will be the client address and the destination port will probably be unknown.

            Why does the server not just reply back to ISP1?

            Steve

            tomli

              Hi,

              I tried to change the rule set to

              Action: Accept
              Interface: LAN
              Protocol: tcp
              Source: *
              Source port: *
              Destination: *
              Destination port: *

              It still does not work. I tried the command pfctl -d, and that works. So I think the firewall rule set blocks my traffic. We cannot control the incoming traffic. Therefore, we have an asymmetric route issue in our network.

              stephenw10 (Netgate Administrator)

                But it is only the reply traffic that goes back out through pfSense, yes?

                As I said you will need an OUT rule on WAN since that will also be out of state TCP traffic.

                Let's see a screenshot of the blocked traffic you're seeing.

                Steve

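As an added illustration (not from this thread or from the Netgate docs), here is the rule pair Steve describes, written in the pf syntax that pfSense generates from its GUI rules; the interface names and the server address are assumptions:

```pf
# Added example, not from the thread: pf rules equivalent to the two pfSense
# rules Steve asks for. Assumed names: LAN = em0, WAN = em1; the server is
# 192.0.2.10 (constructed placeholder from the RFC 5737 documentation range).
#
# pfSense only ever sees the server's REPLY half of each connection: the
# client's SYN arrived via ISP1 and never crossed pfSense. Those replies carry
# source port 443 and a destination of the client's address and its ephemeral
# port, so a rule on "destination port 443" never matches them.
#
# pf's default TCP match is "flags S/SA" (only the SYN creates state), and a
# mid-stream packet with no state hits the default block rule. "flags any"
# plus "keep state (sloppy)" lets pf create state from whatever packet it sees
# first and skips the sequence-number tracking that a one-sided view of the
# connection cannot satisfy.

# 1. Replies entering pfSense on LAN, coming from the server's port 443.
pass in quick on em0 proto tcp from 192.0.2.10 port 443 to any \
    flags any keep state (sloppy)

# 2. The same packets leaving on WAN. As Steve notes, no state exists on the
#    WAN side either, so the "out" check on WAN needs its own rule; without it
#    the packet still meets the default block on the way out.
pass out quick on em1 proto tcp from 192.0.2.10 port 443 to any \
    flags any keep state (sloppy)

# Scope note: only the server's own replies are loosened. A rule written as
# "to any port 443" would instead match new outbound client connections
# through pfSense, which is not the traffic being blocked in this thread.
```

The "Bypass firewall rules for traffic on the same interface" option from step 1 of the earlier post only applies to packets that enter and leave on the same interface, so it has no effect on this LAN-to-WAN path.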
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.