Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Basic firewall blocking for TCP:RA and TCP:PA

    Scheduled Pinned Locked Moved
    Off-Topic & Non-Support Discussion
    2
    3
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • U
      user2
      last edited by user2

      Hello friends.

      I've read a lot about this, but haven't solved it. I am humbly asking to get the benefit of your experience. Is there any way to correct these errors (rather than suppressing them with firewall rules that are silent)?

      With basic rules to 'allow all inbound on LAN', I currently see lots of repeating Firewall log entries e.g.:

      Blocked on LAN - Default deny rule IPv4 (1000000103): src x.x.1.31:44597 dst <amazon1>:443 TCP:RA
Blocked on LAN - Default deny rule IPv4 (1000000103): src x.x.1.31:44597 dst <amazon1>:443 TCP:PA

      Screen Shot 2022-03-19 at 4.36.16 PM.png

      I thought these were 'normal' out of TCP/state errors, but now I think it's because of my network configuration and my devices cannot close sessions properly.

      What is the best way to configure my pfSense firewall? Currently I have:

      • Firewall is "Automatic outbound NAT rule generation.
        (IPsec passthrough included)"
      • UPnP & NAT-PMP (not selected) * This is probably my biggest configuration question.
      • IP Do-Not-Fragment compatibility / Clear invalid DF bits instead of dropping the packets (selected)
      • Firewall optimization: Normal

      If it helps I can capture packets regarding this device.

      Kind regards,
      u2

      1 Reply Last reply Reply Quote 0
      • U
        user2
        last edited by user2

        Corrected drawing ... it's an Amazon Fire device.

        938b1623-e2fe-4f8e-9e4a-26c33b933656-image.png

        I port mirrored the Switch's port connecting to pfSense LAN (1.1). Here's what I found so far:

        c4d379e5-a8ff-45fc-9487-fe179559f6ec-image.png

        • pfSense blocks the 2 packets at the end of the TLS v1.2 session.
        • However, the TCP:PA TLS v1.2 "Encrypted Alert" is normal and is used by the TLS protocol for notifying the peer that the connection can be closed -- usually when there is no more traffic to send.
        • I guess the TCP:RA is because the previous packet was dropped.

        So, maybe pfSense knows the TLS session is complete? Could it know this from receiving a RST packet on the WAN side? But still, should it not pass down the RST to my device?

        I'll check the WAN side and post back later...

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Those two packets look like they are ~30mins after the rest of the session. TCP states normally close as soon as the session is complete so they would certainly be closed at that point.

          Steve

          1 Reply Last reply Reply Quote 0
          • First post
            Last post