    Help with '<interface> net' as source

    Firewalling
    mkcharlie:

      Hello,

      I have configured a couple of interfaces, among which a 'WHOME' interface with the following rules:
      [screenshot: b357f5ec-ba4c-4f20-8c93-de54d7b50e10-image.png]

      This WHOME interface is assigned to a VLAN: [screenshot: 0f496927-b1a3-404a-be42-b4067237e0d9-image.png]

      The idea is that everything coming in on that port carrying the 210 tag should be routed to the WHOME interface, and traffic on that interface is free to go wherever it wants.

      That all seems fine, however I cannot explain the following firewall blocks:
      [screenshot: 5a91fd2f-c632-4e8e-a536-d1d706f5c103-image.png]

      The rule '1596296279' is the firewall rule 'Catch blocked packets that should be allowed' from the first screenshot.

      So apparently some packets from the 192.168.3.100 device are not recognized as part of the WHOME interface, even though they do appear in some of the firewall states of that interface:
      [screenshot: 7dde4600-f711-45ec-8a82-da857e0a27f5-image.png]

      Most packets from 192.168.3.100 pass fine; it's just that some of them do not, it seems.

      Is this due to the fact that the device that should be tagging these packets (a Ubiquiti AP) makes mistakes? Is it a mistake in my firewall rules? How could I best troubleshoot this behaviour? Any other thoughts?

      NogBadTheBad:

        Have you killed the firewall states after adding firewall rules?

        You may have asymmetric routing.

        mkcharlie:

          To be honest, I'm not sure whether I killed the states, although I added the last rule 4 days ago and the other ones have existed for a long time already. Anyway, I will kill them tonight and see if that changes the situation.

          mkcharlie:

            The problem is still present after resetting the firewall state table.

            Any other thoughts? You mentioned 'you may have asymmetric routing', is that a separate potential issue apart from the states that I had to kill?

            mkcharlie:

                Ok, guess it's no issue at all. I recreated that 'Catch blocked packets that should be allowed' rule with 'WHOME net' as source and it's the same behaviour. According to https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html it's normal behaviour.

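The check the linked Netgate page describes, as an added example (not code from the thread or from Netgate): sort the blocked entries for the catch rule by whether they could ever have matched a state. TCP packets without SYN (ACK, FIN/ACK, RST) from an allowed host are the harmless "state already gone" case; a bare SYN from an allowed host, or any packet from outside the interface subnet, is something the rule set really refused. The log lines are constructed in the pfSense filterlog CSV layout with the syslog prefix already stripped; the interface name igb0.210, the 203.0.113.0/24 peers, the 192.168.4.50 host and the rule numbers are assumptions, while tracker 1596296279 and 192.168.3.100 come from the thread.

```python
"""Sort pfSense filterlog block entries into "state already gone" stragglers
and genuine rule mismatches.

Added example, not from the forum thread or from Netgate.  The log lines are
constructed in the pfSense 2.2+ filterlog CSV layout (the "filterlog[pid]:"
syslog prefix is assumed to be stripped already).  Interface igb0.210, the
203.0.113.0/24 peers, 192.168.4.50 and the rule numbers are assumptions;
tracker 1596296279 and 192.168.3.100 are from the thread; 1000000103 is the
tracker id pfSense uses for its default deny IPv4 rule.
"""
import csv
import ipaddress
from collections import Counter

# Constructed sample: three TCP stragglers, one blocked SYN, one UDP block,
# and one packet from a host that is not in the WHOME subnet at all.
SAMPLE_LOG = """\
95,,,1596296279,igb0.210,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,52,192.168.3.100,203.0.113.10,51514,443,0,FA,2884713081,1097402512,501,,
95,,,1596296279,igb0.210,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,40,192.168.3.100,203.0.113.10,51514,443,0,A,2884713082,1097402513,501,,
95,,,1596296279,igb0.210,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.3.100,203.0.113.20,51520,443,0,S,3344556677,,64240,,mss;sackOK;TS;nop;wscale
95,,,1596296279,igb0.210,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,40,192.168.3.100,203.0.113.10,51514,443,0,R,2884713082,,0,,
95,,,1596296279,igb0.210,match,block,in,4,0x0,,128,777,0,none,17,udp,78,192.168.3.100,192.168.3.1,50000,53,58
3,,,1000000103,igb0.210,match,block,in,4,0x0,,64,999,0,DF,6,tcp,60,192.168.4.50,203.0.113.10,40000,80,0,S,1111111111,,64240,,mss;sackOK;TS;nop;wscale
"""

# Field positions in the filterlog CSV format (IPv4 records only here).
F_TRACKER, F_IFACE, F_ACTION, F_DIR, F_IPVER = 3, 4, 6, 7, 8
F_PROTO, F_SRC, F_DST = 16, 18, 19
F_SPORT, F_DPORT, F_TCPFLAGS = 20, 21, 23


def parse_filterlog(line):
    """Return the fields we need from one IPv4 filterlog record, or None."""
    f = next(csv.reader([line]))
    if len(f) <= F_DST or f[F_IPVER] != "4":
        return None
    entry = {
        "tracker": f[F_TRACKER], "iface": f[F_IFACE], "action": f[F_ACTION],
        "dir": f[F_DIR], "proto": f[F_PROTO], "src": f[F_SRC], "dst": f[F_DST],
        "sport": None, "dport": None, "tcpflags": "",
    }
    if entry["proto"] in ("tcp", "udp"):
        entry["sport"], entry["dport"] = int(f[F_SPORT]), int(f[F_DPORT])
    if entry["proto"] == "tcp":
        entry["tcpflags"] = f[F_TCPFLAGS]
    return entry


def classify(entry, iface_net):
    """Label one entry.

    late-packet:            TCP without SYN (A, FA, R, PA ...) from a host in the
                            subnet; pf had no state left for it, so the block
                            rule logged it.  The harmless case from the docs.
    new-connection-blocked: a bare SYN from a host in the subnet; the pass rule
                            did not match, so the rule set deserves a look.
    stateless-blocked:      non-TCP; no flags to judge by, treat as a rule problem.
    outside-net:            source not in the interface subnet, so a rule with
                            '<interface> net' as source could never have matched.
    """
    if entry["action"] != "block":
        return "pass"
    if ipaddress.ip_address(entry["src"]) not in iface_net:
        return "outside-net"
    if entry["proto"] == "tcp":
        flags = entry["tcpflags"]
        if "S" in flags and "A" not in flags:
            return "new-connection-blocked"
        return "late-packet"
    return "stateless-blocked"


def summarize(log_text, iface_net="192.168.3.0/24", tracker=None):
    """Count classifications, optionally restricted to one rule tracker id."""
    net = ipaddress.ip_network(iface_net)
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None or (tracker and entry["tracker"] != tracker):
            continue
        counts[classify(entry, net)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG, tracker="1596296279").items()):
        print(f"{label:24s} {n}")
```

On a live box the same fields come out of `clog /var/log/filter.log` (or the syslog stream) once the prefix up to `filterlog[...]: ` is cut off; if every entry for the catch rule lands in `late-packet`, the log is showing the behaviour the Netgate page calls normal, and only the `new-connection-blocked` and `stateless-blocked` lines point at a rule that actually needs changing.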