    Netgate Discussion Forum
    Default rule blocking some Outgoing DNS

    Firewalling
    pfnow

      I'm using DNS resolver in forwarding mode to Google and CloudFlare (SSL/TLS). It works, but I see a lot of blocked packets by the default rule from my WAN address with TCP:F, P and A flags.

      wan_fw.png

      Is this normal?

      For the record, I'm running 2.5.0, but it was also happening on 2.4.5-P1.

      hieroglyph

        Seems weird. The default WAN deny rule should block traffic entering the WAN interface; not traffic leaving the WAN interface. What do your firewall rules look like for FLOATING and WAN?

        Gertjan @hieroglyph

          "1000000104" is the default interface final block all rule.

          block out inet all tracker 1000000104 label "Default deny rule IPv4"

          Remove the check here:

          a3373b44-1240-48bb-94e6-706c53ddc175-image.png

          Can't tell why 8.8.8.8 and 1.1.1.1 are contacting your WAN 'out of state'.

          pfnow @hieroglyph

            @hieroglyph said in Default rule blocking some Outgoing DNS:

            Seems weird. The default WAN deny rule should block traffic entering the WAN interface; not traffic leaving the WAN interface. What do your firewall rules look like for FLOATING and WAN?

            Here are my floating rules for WAN. Mostly they deal with the CODEL traffic shaping. I got them from the related thread and that part is working.

            The DNS traffic out of state happens when I enable forwarding for the DNS resolver, so pfSense connects to those public DNS servers directly from the WAN, but for some reason some of the traffic coming back is flagged as out of state and gets dropped.

            floating.png

            @gertjan said in Default rule blocking some Outgoing DNS:

            "1000000104" is the default interface final block all rule.

            block out inet all tracker 1000000104 label "Default deny rule IPv4"

            Remove the check here:

            a3373b44-1240-48bb-94e6-706c53ddc175-image.png

            Can't tell why 8.8.8.8 and 1.1.1.1 are contacting your WAN 'out of state'.

            I know that's the default deny rule; I checked that on purpose, to see what gets blocked. Unchecking it will just stop the logging, but the traffic will still get blocked.

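            Added example, not from the thread or from pfSense: a small Python triage script for the filterlog lines behind these screenshots. It parses the CSV payload pfSense writes (field positions follow the documented 2.2+ filterlog format) and separates hits on the default deny rule into late FIN/PSH/ACK packets of sessions whose state is already gone, which is the pattern described above, and anything else. The log lines, interface name and addresses are constructed; tracker 1000000103 for the inbound default deny is an assumption.

```python
# Added example (not from the thread): parse pfSense filterlog CSV and separate default-deny
# hits into stale-state tails (FIN/PSH/ACK, no SYN) vs. the rest. Sample lines are constructed.
from collections import Counter

DEFAULT_DENY_OUT = "1000000104"   # block out inet all (quoted in the thread)
DEFAULT_DENY_IN = "1000000103"    # block in inet all (assumed counterpart)
# Field positions in the IPv4 filterlog CSV payload (pfSense 2.2+ format).
F_TRACKER, F_ACTION, F_DIR, F_IPVER = 3, 6, 7, 8
F_PROTO, F_DST, F_DPORT, F_TCPFLAGS = 16, 19, 21, 23

def parse_filterlog(line):
    """Return a dict for an IPv4 entry (syslog prefix optional), else None."""
    f = line.split("]: ", 1)[-1].strip().split(",")
    if len(f) <= F_DPORT or f[F_IPVER] != "4":
        return None
    rec = {"tracker": f[F_TRACKER], "action": f[F_ACTION], "dir": f[F_DIR],
           "proto": f[F_PROTO], "dst": f[F_DST], "dport": f[F_DPORT], "tcpflags": ""}
    if rec["proto"] == "tcp" and len(f) > F_TCPFLAGS:
        rec["tcpflags"] = f[F_TCPFLAGS]
    return rec

def classify(rec):
    """Label one entry by which default rule hit it and what the packet was."""
    if rec["action"] != "block":
        return "not-blocked"
    if rec["tracker"] == DEFAULT_DENY_IN and rec["dir"] == "in":
        return "unsolicited-inbound"            # ordinary WAN background noise
    if rec["tracker"] == DEFAULT_DENY_OUT and rec["dir"] == "out":
        flags = set(rec["tcpflags"])
        # No SYN, only teardown/ack bits: a session pf no longer has a state for.
        if rec["proto"] == "tcp" and flags and flags <= set("FPAR"):
            return "stale-state-tail"
        return "unexpected-outbound"
    return "other-rule"

def summarize(lines):
    counts = Counter()
    for rec in filter(None, map(parse_filterlog, lines)):
        counts[(classify(rec), f"{rec['dst']}:{rec['dport']}")] += 1
    return counts

# Constructed sample lines: syslog prefix followed by the filterlog CSV payload.
SAMPLE_LOG = [
    "Feb 20 10:00:01 fw filterlog[9210]: 9,,,1000000104,em0,match,block,out,4,0x0,,64,31337,0,DF,6,tcp,52,203.0.113.10,8.8.8.8,51234,853,0,FPA,1,1,65535,,",
    "Feb 20 10:00:02 fw filterlog[9210]: 9,,,1000000104,em0,match,block,out,4,0x0,,64,31338,0,DF,6,tcp,52,203.0.113.10,1.1.1.1,51235,853,0,A,1,1,65535,,",
    "Feb 20 10:00:03 fw filterlog[9210]: 9,,,1000000104,em0,match,block,out,4,0x0,,64,31339,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,51236,443,0,S,1,0,65535,,",
    "Feb 20 10:00:04 fw filterlog[9210]: 5,,,1000000103,em0,match,block,in,4,0x0,,55,0,0,none,6,tcp,60,198.51.100.7,203.0.113.10,40001,22,0,S,1,0,1024,,",
]
```

Run `summarize()` over a filterlog export and a destination that only ever shows up as "stale-state-tail" is the harmless pattern from this thread; "unexpected-outbound" entries are the ones worth chasing.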
            hieroglyph @pfnow

              @pfnow Is the out of state traffic breaking DNS?

              hieroglyph @pfnow

                @pfnow Please show the FLOATING rules and WAN rules. Not just the WAN-FLOATING rules.

                pfnow @hieroglyph

                  @hieroglyph No, DNS resolution seems to be working. I just found all the out of state blocking weird.

                  Here is the WAN FW tab:
                  WAN.png

                  hieroglyph @pfnow

                    @pfnow Nothing looks crazy in your rules. So either there is something weird happening with the DNS resolver/resolver settings, or your states are expiring fast.

                    Are 1.1.1.1, 8.8.8.8, and 8.8.4.4 the only three DNS servers you are using? If you are using other DNS servers are they also showing as being blocked by the default WAN rule?

                    © 2021 Rubicon Communications, LLC