Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103)

froglevelmc

I am using a Netgate SG1100. Traffic over my VLAN just started getting blocked by the firewall with a default deny rule IPv4 (1000000103). Where is that coming from. It was working. I didn't change anything.

I deleted all my firewall rules for the VLAN and added an all open rule. Still does not work. Cant get any internet traffic on the VLAN

alt text

Firewall Log sample....

alt text

Has anyone run into this?

KOM

@froglevelmc DNS is being blocked but your rules should allow it. Do you have any rules on the floating tab? What changed from when it was last working to when it stopped working? You're sure you have pfSense DNS listening on that interface?

froglevelmc

@kom Well. I think I figured out what happened... I have pfblocker GEOIP filter, and snort running. I believe I exceeded my max firewall table entries. I had it set to the default 40000. I changed it to 4000000 and it started working again. I guess the rule VLAN rules were not loading because the table was full.

KOM

@froglevelmc Glad to see you got it sorted out.

b_chris

@froglevelmc I was about to post the same problem. I'm using GeoIP for inbound traffic but no snort. On multiple VLANs I'm using pfBlockerNG lists to block outbound traffic and that might be the problem.

How did you figure out, that you reached the 40.000 limit? I couldn't find any according status.
Any downside of setting the limit higher? I assume, it "only" costs more RAM?

Thanks

froglevelmc

@b_chris said in Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103):

@froglevelmc I was about to post the same problem. I'm using GeoIP for inbound traffic but no snort. On multiple VLANs I'm using pfBlockerNG lists to block outbound traffic and that might be the problem.

How did you figure out, that you reached the 40.000 limit? I couldn't find any according status.
Any downside of setting the limit higher? I assume, it "only" costs more RAM?

Thanks

Yep it just allocates a little more memory for your rules.

As far as how I figured it out by making assumptions. I started getting messages that about 15 or so pfblocker rules could not load because memory could not be allocated. I started searching that error and found that raising the firewall max table size would resolve those errors and I made the connection that my allow rules for the VLAN may not be loading for the same reason made the change and within a few seconds the VLAN clients had internet access. I just added in extra zero to see if that was gonna correct the issue it. 4 million may be a little too much and I'll be backing mine down a bit. I would just raise it to 500k then 600k, etc. until the issue is resolved.

I would think that there is some way to ascertain how many files are actually getting loaded in the that table, but I don't know how to. Also I have not read through the pfblocker documentation, They may already have suggested settings for running it in pfsense.

b_chris

@froglevelmc thank you for the reply.
May I ask where you found the error message about the not loaded rules? I'm asking because I didn't find any error messages that where related to firewall rules but I may have missed something.
Also in my case I observed only one client that was/is affected by triggering the default deny rule even though this shouldn't be the case when looking at my ruleset.

In the meantime I reduced the selected IP-filters in pfBlockerNG and for the moment the message seams to be gone but I'd like to make sure, that I faced really the same issue like you...

froglevelmc

@b_chris said in Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103):

May I ask where you found the error message about the not loaded rules? I'm asking because I didn't find any error messages that where related to firewall rules but I may have missed something.

The error messages I got were in the notification bell at the top right of the menu bar just to the left of the logout icon.

Are any of your VLANs getting internet?

b_chris

@froglevelmc
Ah ok, I didn't get the notification bell. Strange.

All my VLANs that should have access to the internet can access it.
In the logs I saw one client (smart home device) that ran into the default deny all the time. And that affected VLAN had an allow everything (source, destination, protocol etc. set to *) rule for testing purpose. So my expectation was, that this VLAN should never ever hit the default deny rule

b_chris

It would really be interesting to see how "full" the firewall table is with the current config.
I didn't touch "Firewall Maximum Table Entries" so far (--> default 400.000) but I have no clue whether I'm at 5% or 99%...

froglevelmc

@b_chris
Yeah I searched a little but did not really find much.
My guess is you wont find anything in the GUI.
It will likely have to be done from the CLI via SSH or the console port. I know that some of those address tables can get very large such as the IPv6 bogon lists. It exceeded the old default of 200k so the developers had to increased the default to 400k..... The IPv6 list alone I am sure will exceed even the 400k default before too long.

b_chris

@froglevelmc
yeah I already search for CLI commands but didn't find anything use full. Only in the webinterface under diagnostics -> tables you can see the tables and the number of their entries. But I'm not sure if this relates to the "Firewall maximum table entries" setting. If I sum up all the tables I'm at roughly 180.000 -> only half of the 400.000. But again: I'm not sure if it's valid to compare those numbers.

johnpoz

Those numbers are what your looking for max table entries.

You can also view them with

pfctl -vvs Tables

Use of pfblocker and yeah for sure bogon v6 can get to very large number of entries very quickly.

if you run into a problem with loading the rules you should get a very noticeable error - in the top right of the screen..

b_chris

@johnpoz
Thanks for confirming!
Then at least with my latest reconfiguration I shouldn't run into problems (only about half of the 400.000 used).
I'll keep an eye on those default deny blocks and will see if they are gone now.

Thank you

b_chris

I figured out, that my problem seams to be a different one. I opened a separate topic to avoid confusion: https://forum.netgate.com/topic/165738/allow-rule-not-working