    Firewall Rule Enabled, Client Can Still Access Gateway?

    patg_84 (last edited by patg_84)

      Ok so in my testing I think I understand what's happening, but I would like a definitive answer.

      Assume the defaults with the network from a fresh install on actual hardware.
      pfSense --> 192.168.1.1
      DNS --> 8.8.8.8

      PC --> 192.168.1.2
      Gateway 192.168.1.1
      DNS --> 8.8.8.8

      Let's say I open 4 Windows cmd prompts and continuously ping the following addresses: 1.1.1.1, 208.67.220.220, google.com, and 192.168.1.1.

      Now I have a simple firewall rule in pfSense to enable "LAN net" to "ANY".

      With the above I should be able to ping all three addresses without issue continuously.

      While the pinging is going on, I disable that firewall rule. The pinging in all 4 cmd prompts that was started earlier continues without fail.

      What I've noticed is that new pings (start a new cmd prompt or use an existing one) out to 1.1.1.1, 208.67.220.220, and google.com fail as they should. I'm assuming since the command is started over again a new socket is required.

      What I'm not understanding is this next bit. New pings to 192.168.1.1 continue to receive responses. The only thing that will stop this is if I disable/re-enable the interface and start the command over again.

      Is this by design? Why is this happening?

    johnpoz, LAYER 8 Global Moderator, @patg_84

        @patg_84 It all comes down to states. If a state is still open, then even if you create a rule to block, traffic is allowed per the state until the state is no longer there, because states are checked before rules are evaluated.

        You don't need to disable/enable an interface to clear states; just kill them in the state table, or wait for them to time out on their own.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

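The ordering johnpoz describes (state table lookup first, ruleset only for packets with no open state) is easy to see in a toy model. The following is an added illustration written for this thread, not pfSense or pf code: it replays the experiment from the first post with a constructed ICMP flow, a "LAN net to any" pass rule, a manual state kill and an idle timeout. The state key (protocol, endpoints, identifier), the 60-second timeout and the default-deny fallback are assumptions of the model, not values taken from pfSense.

```python
"""Toy model of a pf-style stateful packet filter, added as an illustration
(not pfSense code). The state table is consulted before the ruleset, so a flow
with an open state keeps passing after the rule that admitted it is disabled,
until the state is killed or expires."""
import ipaddress
from dataclasses import dataclass, field

STATE_TIMEOUT = 60.0  # constructed value; pf uses per-protocol timeouts


@dataclass(frozen=True)
class Flow:
    """State key: protocol, endpoints and an identifier (ICMP id / source port)."""
    proto: str
    src: str
    dst: str
    ident: int


@dataclass
class Rule:
    action: str       # "pass" or "block"
    src_net: str      # CIDR such as "192.168.1.0/24", or "any"
    enabled: bool = True

    def matches(self, flow):
        if not self.enabled:
            return False
        if self.src_net == "any":
            return True
        return ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)


@dataclass
class StatefulFilter:
    rules: list
    states: dict = field(default_factory=dict)   # Flow -> time last seen

    def evaluate_rules(self, flow):
        """First enabled matching rule wins; nothing matches -> default deny."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return "block"

    def process(self, flow, now):
        """Return how the packet was handled: 'pass (state)', 'pass (rule)' or 'block'."""
        last_seen = self.states.get(flow)
        if last_seen is not None:
            if now - last_seen < STATE_TIMEOUT:
                self.states[flow] = now       # refresh; rules are never consulted
                return "pass (state)"
            del self.states[flow]             # idle too long: state expired
        action = self.evaluate_rules(flow)
        if action == "pass":
            self.states[flow] = now           # a pass rule creates a state
            return "pass (rule)"
        return "block"

    def kill_states(self, host):
        """Drop every state involving host (what a manual state kill does)."""
        doomed = [f for f in self.states if host in (f.src, f.dst)]
        for f in doomed:
            del self.states[f]
        return len(doomed)


def scenario():
    """Replay the thread's experiment; returns the decision for each step."""
    lan_rule = Rule("pass", "192.168.1.0/24")      # 'LAN net' to any
    fw = StatefulFilter(rules=[lan_rule])
    ping = Flow("icmp", "192.168.1.2", "1.1.1.1", ident=1)   # constructed flow
    steps = {}
    steps["first ping, rule enabled"] = fw.process(ping, 0.0)
    lan_rule.enabled = False
    steps["same ping, rule disabled"] = fw.process(ping, 1.0)
    steps["new ping (new state key), rule disabled"] = fw.process(
        Flow("icmp", "192.168.1.2", "1.1.1.1", ident=2), 2.0)
    fw.kill_states("1.1.1.1")
    steps["same ping after state kill"] = fw.process(ping, 3.0)
    lan_rule.enabled = True
    steps["ping again, rule re-enabled"] = fw.process(ping, 4.0)
    lan_rule.enabled = False
    steps["same ping after idle timeout, rule disabled"] = fw.process(
        ping, 4.0 + STATE_TIMEOUT + 1)
    return steps


if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{step}: {decision}")
```

Running it shows the three outcomes from the thread side by side: the flow with an open state still passes after the rule is disabled, a flow whose key does not match any state is blocked by the ruleset, and once the state is killed (or left idle past its timeout) the same flow is blocked too. Whether a freshly started ping on a client produces a new state key or reuses the old one is outside the model; the firewall side behaves the same either way.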
      SteveITS, Galactic Empire, @patg_84

          @patg_84 What John said :) but docs: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.