Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall blocking internal traffic

    Firewalling
    4
    14
    981
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      Daniel_Hyde
      last edited by

      Hi,

      Please see traffic being blocked even though I have added a rule to pass all traffic.

      11.png
      22.png

      Does anyone know why its doing this? or if I've done something wrong?

      Thanks
      Dan

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @Daniel_Hyde
        last edited by

        @daniel_hyde
        The blocked packets are out of state. The connection might either be already closed or you have an asymmetric routing issue.
        Look here for details: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

        D 1 Reply Last reply Reply Quote 0
        • D
          Daniel_Hyde @viragomann
          last edited by

          @viragomann Thanks for the reply.
          I think the issue is related to the fact we are using High Availability Sync.

          Thanks
          Dan

          KOMK 1 Reply Last reply Reply Quote 0
          • KOMK
            KOM @Daniel_Hyde
            last edited by

            @daniel_hyde Your second rule is unnecessary & redundant since the Default Allow rules right after it handle all outbound traffic for IPv4 and IPv6.

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @KOM
              last edited by johnpoz

              Yeah as already mentioned don't quite understand the point of the specific /27 destination rule unless your source would be something other than lan net? Do you have a downstream router on this lan? If so that is going to lead to most likely asymmetrical traffic flow, unless you have no hosts on "lan" and its just being used as a transit?

              Only other reason for such a rule would be if you were wanting to log the traffic ? But I don't see the log icon on your rule. But you have done something else with the rule because you have the gear icon..

              But yeah as already mentioned your block is because the traffic was out of state. the RA is common after states have been closed and something still sending RST for whatever reason. But your SA is normally a sign of asymmetrical for sure.. Because pfsense never saw the syn..

              I guess a HA pair with traffic hitting the other device and states not in sync could be a reason for the block. But why would your traffic not being going to the device that holds the vip? In the middle of switch of the vip and states not sync could cause such blocks yeah..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • D
                Daniel_Hyde
                last edited by

                Thanks everyone for the replies.

                On this network they access some servers on 172.22.150.160/27 range.
                They are accessible through a router that is 192.168.0.252
                I have put a static route on the pfSense of 172.22.150.160/27 via 192.168.0.252
                Just to add .252 is the HSRP address for actual routers on .17 (primary) and .18 (secondary)
                In this configuration if the access to the servers is very slow and times out frequently.
                If put a static route on the PC the issues disappear immediately.
                Ideally I'd not like to do this on every PC.

                Thanks
                Dan

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @Daniel_Hyde
                  last edited by johnpoz

                  @daniel_hyde said in Firewall blocking internal traffic:

                  If put a static route on the PC the issues disappear immediately.
                  Ideally I'd not like to do this on every PC.

                  Because your asymmetrical. If you going to have a downstream router, then you need a transit network.. Or you have to downstream nat, or you have yeah route on every host in the transit network (the network that connects routers).

                  Seem I go over this like every other day or so around here ;) hehehe

                  Any network that connects routers is a transit. There should be no hosts on this network.. If there are then yes your going to run into asymmetrical traffic flow when devices on downstream network and devices on the transit network talk to each other..

                  The correct solution if you want/need a downstream router setup a transit network to connect them (no hosts on this network).

                  edit: here is drawing showing how you would do a downstream router, 172.26.1.0/29 is the transit in this drawing.

                  1618850247859-pfsense-layer-3-switch.png

                  downstream in this context is any other router connected to your "transit" network that is not the default gateway of devices on the "transit" network.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  D 1 Reply Last reply Reply Quote 0
                  • D
                    Daniel_Hyde @johnpoz
                    last edited by

                    @johnpoz Thanks for the reply.

                    I'll look into this, would I need to do the same to allow devices on the 172.22.150.160/27 range access the internet through the pfSense?

                    Thanks
                    Dan

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @Daniel_Hyde
                      last edited by

                      You would put the same sort of rule you have now allowing that /27 network, it would just be on your transit interface.

                      Yes you would need rules to allow any downstream network that you want to use the internet on your transit interface rules. Once you create a gateway, and routes in pfsense for what is connected downstream it would auto create outbound nats to nat the downstream network. Unless you have turned off auto nat, then yes you would need to make sure outbound nat is correct. But assume you already have that working if your internet is working fine currently for your downstream networks.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      D 1 Reply Last reply Reply Quote 0
                      • D
                        Daniel_Hyde @johnpoz
                        last edited by

                        @johnpoz Thanks again for the reply, we do have support for the devices but the reseller hasn't registered them yet.

                        That is another issue we are having that the devices on the 172.22.150.160/27 network can't get to the internet.

                        Thanks
                        Dan

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @Daniel_Hyde
                          last edited by johnpoz

                          @daniel_hyde said in Firewall blocking internal traffic:

                          172.22.150.160/27 network can't get to the internet.

                          Well if they are currently flowing over your "transit" - where you put that rule for the /27, and your not natting at this downstream device. You would have to make sure you have outbound nats for whatever downstream networks are flowing through pfsense to get to the internet.. Pfsense will only create auto outbound nats for networks directly attached to it. Or networks created via a route using some downstream gateway, etc

                          Validate your outbound nats list whatever downstream networks your using, and that your rules where these downstream networks come into pfsense are allowed.

                          Your lan rules are wrong for a downstream network, that is destination.. But this downstream network would be the source.. So your current lan rules wouldn't allow some source IP other than your lan net to get out to the internet etc.. no matter what your outbound nat rules are.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          D 1 Reply Last reply Reply Quote 0
                          • D
                            Daniel_Hyde @johnpoz
                            last edited by

                            @johnpoz Thanks, that is where I'd gone wrong. I must have not saved the outbound NAT rules properly.

                            Thanks
                            Dan

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @Daniel_Hyde
                              last edited by

                              Your rules you shown would not allow that network as source for outbound to the internet either.

                              Unless you were natting - if that was the case then that rule is pointless, and outbound nat would of been fine with auto as well, etc. When you say saved, I take it you went manual mode with your outbound nats.

                              You really should set this up correctly if your going to run a downstream router. No devices on the transit network, etc.. And proper rules on the transit interface to allow for what you want.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              D 1 Reply Last reply Reply Quote 0
                              • D
                                Daniel_Hyde @johnpoz
                                last edited by

                                @johnpoz

                                As its setup in High Availability Sync the guide said to use manual outbound NAT

                                Thanks
                                Dan

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.