Netgate Discussion Forum

    Help with '<interface> net' as source

    Category: Firewalling
      mkcharlie wrote:

      Hello,

      I have configured a couple of interfaces, among which a 'WHOME' interface with the following rules:
      [screenshot: WHOME interface firewall rules]

      This WHOME interface is assigned to a VLAN: [screenshot: VLAN assignment of the WHOME interface]

      The idea is that everything coming in on that port carrying the 210 tag should be routed to the WHOME interface, and traffic on that interface is free to go wherever it wants.

      That all seems fine, however I cannot explain the following firewall blocks:
      [screenshot: firewall log entries showing the blocked packets]

      The rule '1596296279' is the firewall rule 'Catch blocked packets that should be allowed' from the first screenshot.

      So apparently some packets from the 192.168.3.100 device are not recognized as part of the WHOME interface, even though they do appear in some of the firewall states of that interface:
      [screenshot: firewall states on the WHOME interface]

      Most packets from 192.168.3.100 pass fine; it's just that some of them do not, it seems.

      Is this due to the fact that the device that should be tagging these packets (a Ubiquiti AP) makes mistakes? Is it a mistake in my firewall rules? How could I best troubleshoot this behaviour? Any other thoughts?

        NogBadTheBad wrote:

        Have you killed the firewall states after adding firewall rules?

        You may have asymmetric routing.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          mkcharlie wrote:

          To be honest, I'm not sure if I killed the states, although I added the last rule 4 days ago and the other ones have existed for a long time already. Anyway, I will kill them tonight and see if that changes the situation.

            mkcharlie wrote:

            The problem is still present after resetting the firewall state table.

            Any other thoughts? You mentioned 'you may have asymmetric routing', is that a separate potential issue apart from the states that I had to kill?

                mkcharlie wrote:

                Ok, guess it's no issue at all. I recreated that 'Catch blocked packets that should be allowed' rule with 'WHOME net' as source and it's the same behaviour. According to https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html it's normal behaviour.
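As an added illustration of the behaviour described in that Netgate doc (not code from the original thread or from Netgate): blocked log entries for TCP packets that carry no SYN, such as FIN/ACK or RST after the state has already closed, are the expected noise, while a blocked bare SYN is a genuinely refused connection. The log lines below are constructed, and the field order is assumed to follow the pfSense filterlog CSV layout.

```python
import csv
from collections import Counter

# Constructed sample filterlog lines (not from the original post). Field order
# assumed: rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,ipflags,protoid,proto,length,src,dst,srcport,dstport,
# datalen,tcpflags,seq,ack,window,urg,options
SAMPLE_LOG = """\
5,,,1596296279,igb1.210,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.3.100,172.217.0.46,51234,443,0,FA,10001,20002,501,,
5,,,1596296279,igb1.210,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.3.100,172.217.0.46,51234,443,0,R,10002,,0,,
5,,,1596296279,igb1.210,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.100,10.0.0.5,44321,22,0,S,30001,,65228,,mss;sackOK
5,,,1596296279,igb1.210,match,block,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.3.100,192.168.3.1,5353,5353,56
"""

IPV4_FIELDS = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
               "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset",
               "ipflags", "protoid", "proto", "length", "src", "dst"]
L4_FIELDS = ["srcport", "dstport", "datalen"]

def parse_filterlog(line):
    """Parse one IPv4 filterlog CSV line into a dict; TCP flags if present."""
    cols = next(csv.reader([line]))
    entry = dict(zip(IPV4_FIELDS, cols))
    rest = cols[len(IPV4_FIELDS):]
    entry.update(zip(L4_FIELDS, rest))
    if entry.get("proto") == "tcp" and len(rest) > 3:
        entry["tcpflags"] = rest[3]
    return entry

def classify(entry):
    """A blocked TCP packet without SYN never tried to open a connection; it
    is the tail of a state that already closed (the benign case in the doc)."""
    if entry["action"] != "block":
        return "passed"
    if entry["proto"] != "tcp":
        return "non-tcp-block"
    flags = entry.get("tcpflags", "")
    if "S" in flags and "A" not in flags:
        return "new-connection-blocked"   # a real SYN was refused: check the rule
    return "out-of-state"                 # stale ACK/FIN/RST: expected noise

def summarize(log_text, tracker=None):
    """Count classifications, optionally only for one rule tracker id."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            e = parse_filterlog(line)
            if tracker is None or e["tracker"] == tracker:
                counts[classify(e)] += 1
    return counts
```

Run `summarize(SAMPLE_LOG, tracker="1596296279")` against a real export to see how many entries for a given rule are stale-state noise versus refused SYNs.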

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.