Netgate Discussion Forum
    pfBlocker causing unexpected "Default deny rule"

    peterlecki

      pfBlockerNG v2.1.4_26

      This is a difficult issue to reproduce so I totally understand if no engagement comes. It's almost like a "my computer doesn't work" report ;-)

      Summary -
      OpenVPN was not connecting despite trying various settings. Disabled pfBlocker, OpenVPN started working immediately. Re-enabled pfBlocker, VPN is still working fine.

      Long story -
      I was configuring an OpenVPN server on pfSense 2.6. New firewall device but same ISP at the site. OpenVPN worked on the previous and similar device that was just recently replaced.
      I've done this a few times before without problems. Had the guides saved so I could easily refer back to them. But it wasn't working. I tried various TLS and user-auth-only options following some suggestions and a dozen other guides. Tried different ports and different protocols, thinking maybe the ISP introduced some new block. Checked firewall rules. Compared configs on other pfSense devices with working OpenVPN. I found nothing.

      Generic error on the client:

      TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      TLS Error: TLS handshake failed
      

      Firewall log showed:

      WAN   Default deny rule IPv4 (1000000103)   179.91.113.51:59111   124.157.58.234:1194   TCP:S
      

      I tried both TCP and UDP on 1194 and 1195. I even tried telnet to see if it would connect at all, but it didn't. I even made Easy Rules from that block log for both source and destination. But it was still showing the exact same message every time I'd try to connect. I disabled pfBlocker - VPN starts working immediately. So I re-enabled pfBlocker but VPN function remained.

      This is the second time this has happened to me, on different devices and sites. But I cannot replicate it on demand, so I have no proof.

      I anticipate "use the latest version of pfBlocker" suggestions to which my reply is that I cannot because v3 doesn't allow fine tuning filters to individual countries, only continents.

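      One way to check the situation described above from the pfSense shell, as an added example that is not part of the thread: pull the source IP and destination port out of the GUI-style block row quoted in the post, then ask pf which pfBlockerNG tables (aliases prefixed `pfB_`) currently contain that source address. The log row is copied from the post as constructed input; the `pfctl` calls only run where `pfctl` exists, so the parsing part also runs on an ordinary POSIX shell.

```shell
#!/bin/sh
# Constructed sample: the firewall-log row quoted in the post, as one line.
LOG_ROW='WAN   Default deny rule IPv4 (1000000103)   179.91.113.51:59111   124.157.58.234:1194   TCP:S'

# Print the Nth "addr:port" token of a GUI log row (1 = source, 2 = destination).
addr_port_token() {
    printf '%s\n' "$1" | awk -v want="$2" '{
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9.]+:[0-9]+$/) { n++; if (n == want) { print $i; exit } }
    }'
}

# Source IP of the blocked packet (the address pfBlockerNG would have matched).
src_ip_from_row() {
    addr_port_token "$1" 1 | sed 's/:.*//'
}

# Destination port (should equal the OpenVPN server port, 1194 in the post).
dst_port_from_row() {
    addr_port_token "$1" 2 | sed 's/.*://'
}

# List every pfBlockerNG table that contains ADDR. Needs pfctl, i.e. a pfSense shell;
# elsewhere it prints nothing. "pfctl -T test" reports "1/1 addresses match" on a hit.
pfb_tables_containing() {
    addr="$1"
    command -v pfctl >/dev/null 2>&1 || return 0
    pfctl -sT 2>/dev/null | grep '^pfB_' | while read -r t; do
        if pfctl -t "$t" -T test "$addr" 2>&1 | grep -q '^1/1 addresses match'; then
            printf '%s\n' "$t"
        fi
    done
}

# Stand-alone run: show what was parsed and, on pfSense, which tables list the client.
src=$(src_ip_from_row "$LOG_ROW")
printf 'blocked client %s -> OpenVPN port %s\n' "$src" "$(dst_port_from_row "$LOG_ROW")"
pfb_tables_containing "$src"
```

      If a `pfB_` table is printed, the "Default deny" entry is a pfBlockerNG match on the client's address rather than a missing WAN pass rule; an empty result while the block persists points elsewhere.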
      johnpoz (LAYER 8 Global Moderator), replying to peterlecki

        @peterlecki said in pfBlocker causing unexpected "Default deny rule":

        I cannot because v3 doesn't allow fine tuning filters to individual countries, only continents.

        What? Sure it does - using them currently on 3.1.0_4

        [screenshot: geoip.jpg]


        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.