Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange behaviour only happens on Linux client

    Firewalling
    2
    4
    228
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jjuk
      last edited by jjuk

      My pfsense is installed in Proxmox VE as a virtual firewall/router. There is 1 WAN interface and there are 2 LAN interfaces (LAN1, LAN2) as 2 subnets. Reject rules are created on both interfaces that do not allow the guest VMs to reach each other. However, this works on Windows guests but not Linux guests.

      The strange behaviours on the Linux guests as below:

      1. Linux guests on LAN1 can ping LAN2 gateway. Linux guests on LAN2 can ping LAN1 gateway.
      2. Linux guests on LAN1 can ping LAN2 Linux guests. Linux guests on LAN2 can ping LAN1 Linux guests.

      While below behaviours are normal:

      1. Linux guests on LAN1 cannot ping LAN2 Windows guests. Linux guests on LAN2 cannot ping LAN1 Windows guests.
      2. Windows/Linux guests can ping the other Windows guests, Linux guests and gateway within the same subnet.

      The sources and destinations of my firewall rules target the "net", not "single host or alias".
      When checking System Logs > Firewall. Only “block/reject” actions are shown. But this time, I want to check the “pass” actions.

      Further update of this case.
      I found that this problem happens after the Linux guest VM is restarted. Then I need to restart pfsense to make the firewall rules work on that Linux VM again.

      J V 2 Replies Last reply Reply Quote 0
      • J
        jjuk @jjuk
        last edited by

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • V
          viragomann @jjuk
          last edited by

          @jjuk
          I suspect that your network segmentation is leaking somewhere outside of pfSense, maybe on Proxmox.

          You can run a Packet Capture on pfSense to check if the packets of the unwanted access even arrive on it's interface.

          Windows blocks access from outside of its subnet by default. So access from the other subnet might be blocked by the Windows firewall, while your Linux devices doesn't.

          J 1 Reply Last reply Reply Quote 0
          • J
            jjuk @viragomann
            last edited by jjuk

            @viragomann
            About Windows. I explicitly enabled its firewall rule "File and Printer Sharing (Echo Request - ICMPv4-In)" and set the Scope to "Any IP address". In order words, the Windows VMs allow ping from any network.

            I've just found that it's not only firewall doesn't work. Diagnostic ping from pfsense to the problematic Linux VMs also failed. In the previous post I said the issue happens after restart the VM. In fact, down and then up the interface also trigger the problem. I think the only thing that still work is the Linux VM can get IP address from pfsense DHCP.

            More about Windows VM . Right after it restart, it has the same problem as the Linux VM. However, in less than 10 seconds, its problem gone.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.