Netgate Discussion Forum

    Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103)

    Firewalling
    15 Posts 4 Posters 1.5k Views
    froglevelmc

      I am using a Netgate SG1100. Traffic over my VLAN just started getting blocked by the firewall with a default deny rule IPv4 (1000000103). Where is that coming from? It was working. I didn't change anything.

      I deleted all my firewall rules for the VLAN and added an all-open rule. Still does not work. Can't get any internet traffic on the VLAN.

      [screenshot]

      Firewall Log sample:

      [screenshot]

      Has anyone run into this?

      KOM @froglevelmc

        @froglevelmc DNS is being blocked but your rules should allow it. Do you have any rules on the floating tab? What changed from when it was last working to when it stopped working? You're sure you have pfSense DNS listening on that interface?
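
        KOM's reading of the screenshot (DNS from the VLAN hitting the default deny) is quicker to confirm from the filter log than from the GUI. The script below is an added example, not code from this thread or from pfSense: it reads pfSense filterlog lines, keeps only IPv4 blocks logged under one tracker id (1000000103 here, the default-deny rule in the title), and tallies interface, protocol and destination port. The sample log lines are constructed for the example; the field layout is pfSense's filterlog CSV format.

```shell
#!/bin/sh
# Added example, not from the thread: triage pfSense filter-log lines for
# hits on one tracker id and report which interface / protocol / destination
# port is being blocked. 1000000103 is the tracker of the default-deny rule
# the thread is about; the log lines below are constructed, not real.
#
# filterlog CSV layout (pfSense 2.2 and later) for an IPv4 TCP/UDP record,
# counting from the first CSV field:
#   1 rule-number  2 sub-rule  3 anchor  4 tracker  5 interface  6 reason
#   7 action  8 direction  9 ip-version  10 tos  11 ecn  12 ttl  13 id
#   14 offset  15 flags  16 proto-id  17 proto  18 length  19 src  20 dst
#   21 src-port  22 dst-port  23 data-length  (TCP adds flags/seq/... after)
# The syslog prefix contains no commas, so it rides along in field 1 and
# the field numbers above hold for both BSD and RFC 5424 style prefixes.

# Read filterlog lines on stdin; print "iface proto dst-port count" for
# every blocked IPv4 flow that hit tracker $1, most frequent first.
summarize_blocks() {
    awk -v want="$1" '
        {
            n = split($0, f, ",")
            if (n < 22) next                         # not IPv4 TCP/UDP
            if (f[4] != want) next                   # other rule
            if (f[7] != "block" || f[9] != "4") next # only IPv4 blocks
            hits[f[5] " " f[17] " " f[22]]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort -k4,4nr -k1,1
}

# Convenience: how many blocked DNS (udp/53) requests did tracker $1 log?
count_dns_blocks() {
    summarize_blocks "$1" | awk '$2 == "udp" && $3 == "53" { n += $4 } END { print n + 0 }'
}

# Constructed sample: VLAN 20 clients hitting the default deny (two DNS,
# one HTTPS), one legitimate pass, and one block on a different tracker (WAN).
SAMPLE_LOG='Nov  1 10:00:01 pfSense filterlog[1234]: 5,,,1000000103,igb0.20,match,block,in,4,0x0,,64,1,0,DF,17,udp,60,192.168.20.10,192.168.20.1,51000,53,40
Nov  1 10:00:02 pfSense filterlog[1234]: 5,,,1000000103,igb0.20,match,block,in,4,0x0,,64,2,0,DF,17,udp,60,192.168.20.11,192.168.20.1,51001,53,40
Nov  1 10:00:03 pfSense filterlog[1234]: 5,,,1000000103,igb0.20,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.20.10,93.184.216.34,51002,443,0,S,10:10,,65535,,mss
Nov  1 10:00:04 pfSense filterlog[1234]: 89,,,1770000001,igb0.20,match,pass,in,4,0x0,,64,4,0,DF,17,udp,60,192.168.20.12,192.168.20.1,51003,53,40
Nov  1 10:00:05 pfSense filterlog[1234]: 5,,,1000000104,igb0,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,40000,22,0,S,20:20,,65535,,mss'

# Live use on the firewall (plain-text log on 2.5 and later; older releases
# need "clog /var/log/filter.log" instead of cat):
#   cat /var/log/filter.log | summarize_blocks 1000000103
printf '%s\n' "$SAMPLE_LOG" | summarize_blocks 1000000103
```

        If the top line of that output is the VLAN interface with udp/53 toward the firewall's own address, KOM's two questions (floating rules, and whether the DNS resolver is listening on that interface) are the next things to check, because an explicit allow rule on the interface tab should never let that traffic fall through to the tracker 1000000103 default deny.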

        froglevelmc @KOM

          @kom Well, I think I figured out what happened... I have pfblocker GEOIP filter and snort running. I believe I exceeded my max firewall table entries. I had it set to the default 40000. I changed it to 4000000 and it started working again. I guess the VLAN rules were not loading because the table was full.

          KOM @froglevelmc

            @froglevelmc Glad to see you got it sorted out.

            b_chris @KOM

              @froglevelmc I was about to post the same problem. I'm using GeoIP for inbound traffic but no snort. On multiple VLANs I'm using pfBlockerNG lists to block outbound traffic and that might be the problem.

              How did you figure out that you reached the 40.000 limit? I couldn't find any corresponding status.
              Any downside of setting the limit higher? I assume it "only" costs more RAM?

              Thanks

              froglevelmc @b_chris

                @b_chris said in Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103):

                @froglevelmc I was about to post the same problem. I'm using GeoIP for inbound traffic but no snort. On multiple VLANs I'm using pfBlockerNG lists to block outbound traffic and that might be the problem.

                How did you figure out that you reached the 40.000 limit? I couldn't find any corresponding status.
                Any downside of setting the limit higher? I assume it "only" costs more RAM?

                Thanks

                Yep, it just allocates a little more memory for your rules.

                As far as how I figured it out: by making assumptions. I started getting messages that about 15 or so pfblocker rules could not load because memory could not be allocated. I started searching that error and found that raising the firewall max table size would resolve those errors, and I made the connection that my allow rules for the VLAN may not be loading for the same reason. I made the change, and within a few seconds the VLAN clients had internet access. I just added an extra zero to see if that was going to correct the issue. 4 million may be a little too much and I'll be backing mine down a bit. I would just raise it to 500k, then 600k, etc. until the issue is resolved.

                I would think that there is some way to ascertain how many files are actually getting loaded in that table, but I don't know how to. Also, I have not read through the pfblocker documentation; they may already have suggested settings for running it in pfsense.

                b_chris @froglevelmc

                  @froglevelmc thank you for the reply.
                  May I ask where you found the error message about the not loaded rules? I'm asking because I didn't find any error messages that were related to firewall rules, but I may have missed something.
                  Also in my case I observed only one client that was/is affected by triggering the default deny rule even though this shouldn't be the case when looking at my ruleset.

                  In the meantime I reduced the selected IP filters in pfBlockerNG and for the moment the message seems to be gone, but I'd like to make sure that I really faced the same issue as you...

                  froglevelmc @b_chris

                    @b_chris said in Firewall Blocking VLAN Traffic default deny rule IPv4 (1000000103):

                    May I ask where you found the error message about the not loaded rules? I'm asking because I didn't find any error messages that where related to firewall rules but I may have missed something.

                    The error messages I got were in the notification bell at the top right of the menu bar just to the left of the logout icon.

                    Are any of your VLANs getting internet?

                      b_chris @froglevelmc

                      @froglevelmc
                      Ah ok, I didn't get the notification bell. Strange.

                      All my VLANs that should have access to the internet can access it.
                       In the logs I saw one client (smart home device) that ran into the default deny all the time. And that affected VLAN had an allow-everything (source, destination, protocol etc. set to *) rule for testing purposes. So my expectation was that this VLAN should never ever hit the default deny rule.

                        b_chris @b_chris

                        It would really be interesting to see how "full" the firewall table is with the current config.
                        I didn't touch "Firewall Maximum Table Entries" so far (--> default 400.000) but I have no clue whether I'm at 5% or 99%...

                          froglevelmc @b_chris

                          @b_chris
                          Yeah, I searched a little but did not really find much.
                          My guess is you won't find anything in the GUI.
                          It will likely have to be done from the CLI via SSH or the console port. I know that some of those address tables can get very large, such as the IPv6 bogon lists. It exceeded the old default of 200k so the developers had to increase the default to 400k..... The IPv6 list alone I am sure will exceed even the 400k default before too long.

                            b_chris @froglevelmc

                            @froglevelmc
                            Yeah, I already searched for CLI commands but didn't find anything useful. Only in the web interface under Diagnostics -> Tables can you see the tables and the number of their entries. But I'm not sure if this relates to the "Firewall maximum table entries" setting. If I sum up all the tables I'm at roughly 180.000 -> only half of the 400.000. But again: I'm not sure if it's valid to compare those numbers.

                              johnpoz LAYER 8 Global Moderator @b_chris

                              Those numbers are what you're looking for, max table entries.

                              You can also view them with

                              pfctl -vvs Tables

                              Use of pfblocker, and yeah, for sure bogon v6 can get to a very large number of entries very quickly.

                              If you run into a problem with loading the rules you should get a very noticeable error, in the top right of the screen.

                              SG-4860 24.11 | Lab VMs 2.8, 24.11
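
                              To turn johnpoz's pointer into a number, the script below (an added example, not code from this thread or from pfSense) sums the Addresses: counters in pfctl -vvsTables output and compares the total with the table-entries hard limit that pfctl -sm reports, which is where the GUI's "Firewall Maximum Table Entries" value ends up once the ruleset is loaded (set limit table-entries N). The sample pfctl output is constructed for the example and sized to match b_chris's roughly 180.000 of 400.000; the table names in it are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: answer "how full is the pf table
# space" by summing the Addresses: counters that `pfctl -vvsTables` prints
# per table and comparing the total with the table-entries hard limit that
# `pfctl -sm` reports. On pfSense that limit is what the GUI's "Firewall
# Maximum Table Entries" setting becomes in the loaded ruleset
# (set limit table-entries N). Both readers take the pfctl output on
# stdin, so they can be run here against the constructed samples below.

# Sum every "Addresses:   N" line of `pfctl -vvsTables` output on stdin.
sum_table_addresses() {
    awk '/^[[:space:]]*Addresses:/ { total += $2 } END { print total + 0 }'
}

# Pull the table-entries hard limit out of `pfctl -sm` output on stdin.
table_entries_limit() {
    awk '$1 == "table-entries" { print $NF }'
}

# Print "used limit percent"; exit status 1 when usage reaches the
# threshold in $3 (default 80), so it can gate a cron alert.
check_usage() {
    used=$1; limit=$2; threshold=${3:-80}
    pct=$(( used * 100 / limit ))
    echo "$used $limit $pct"
    [ "$pct" -lt "$threshold" ]
}

# Constructed sample in the layout pfctl -vvsTables uses (table names are
# illustrative; only the Addresses: lines matter to the reader above).
SAMPLE_TABLES='-pa-r-- bogons
    Addresses:   1234
    Cleared:     Sat Nov  1 10:00:00 2025
    References:  [ Anchors: 0 Rules: 1 ]
-pa-r-- bogonsv6
    Addresses:   150000
    Cleared:     Sat Nov  1 10:00:00 2025
    References:  [ Anchors: 0 Rules: 1 ]
-pa-r-- pfB_Top_v4
    Addresses:   28766
    Cleared:     Sat Nov  1 10:00:00 2025
    References:  [ Anchors: 0 Rules: 2 ]'

# Constructed sample in the layout pfctl -sm uses.
SAMPLE_MEMORY='states        hard limit   400000
src-nodes     hard limit   400000
frags         hard limit     5000
table-entries hard limit   400000'

# Live use on the firewall:
#   check_usage "$(pfctl -vvsTables | sum_table_addresses)" "$(pfctl -sm | table_entries_limit)"
used=$(printf '%s\n' "$SAMPLE_TABLES" | sum_table_addresses)
limit=$(printf '%s\n' "$SAMPLE_MEMORY" | table_entries_limit)
check_usage "$used" "$limit" || echo "table space above threshold, raise the limit"
```

                              One caveat: Addresses: is only counted for tables pf actually loaded. A table that failed to load (the "could not allocate memory" pfBlockerNG notices earlier in the thread) contributes nothing, so a total comfortably under the limit right after a failed reload is not proof of headroom; the notification bell is still the place that tells you a load already went wrong.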

                                b_chris @johnpoz

                                @johnpoz
                                Thanks for confirming!
                                Then at least with my latest reconfiguration I shouldn't run into problems (only about half of the 400.000 used).
                                I'll keep an eye on those default deny blocks and will see if they are gone now.

                                Thank you

                                  b_chris @b_chris

                                  I figured out that my problem seems to be a different one. I opened a separate topic to avoid confusion: https://forum.netgate.com/topic/165738/allow-rule-not-working
