Netgate Discussion Forum

[Solved] Mysterious firewall rule or feature blocking outgoing LAN traffic?

Category: Firewalling | 3 Posts, 2 Posters, 412 Views
lifeboy, Sep 27, 2023, 2:33 PM (last edited by lifeboy Sep 28, 2023, 10:02 AM)

    I have a Virtual Machine on a proxmox cluster that was working perfectly for quite some time, until a restart recently. The machine is NATted via pfSense.

    The rules are simple. Outgoing traffic from all the LAN addresses / VM Guests is allowed. The LAN is 192.168.121.0/24.
    I see the traffic exiting the firewall when I inspect the firewall rules log, but the guest is not able to reach any IP address past the firewall default gateway.
    For example: I should be able to ping 8.8.8.8 and I actually can from other guests. From this particular guest, which runs Debian 12, I cannot. The guest is on 192.168.121.201.

    # ping 197.214.117.194
    PING 197.214.117.194 (197.214.117.194) 56(84) bytes of data.
    64 bytes from 197.214.117.194: icmp_seq=1 ttl=64 time=0.228 ms
    64 bytes from 197.214.117.194: icmp_seq=2 ttl=64 time=0.295 ms
    ^C
    --- 197.214.117.194 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2044ms
    rtt min/avg/max/mdev = 0.228/0.284/0.330/0.042 ms
    # ping 197.214.117.193
    PING 197.214.117.193 (197.214.117.193) 56(84) bytes of data.
    ^C
    --- 197.214.117.193 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3059ms
    
    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3067ms
    

    [image attachment]

    So the traffic gets to the gateway, but not to the next hop.

    I have searched high and low in the settings to see what it may be that's blocking the traffic (which was being passed fine not too long ago), but can't find it.

    Anyone have an idea of where to look?

    viragomann (replying to lifeboy), Sep 27, 2023, 3:20 PM

      @lifeboy said in Mysterious firewall rule or feature blocking outgoing LAN traffic?:

      The LAN is 192.168.121.0/24.
      For example: I should be able to ping 8.8.8.8 and I actually can from other guests. From this particular guest, which runs Debian 12, I cannot. The guest is on 192.168.121.201.

      Ensure that the outbound NAT rule covers the whole LAN subnet.

      To further investigate sniff the traffic on the WAN interface.
      For instance, when you ping 8.8.8.8 from the concerned VM, set 8.8.8.8 as host filter and ICMP as protocol filter.
      Ensure that 8.8.8.8 is not used for gateway monitoring. If so, disable the monitoring for the tests.

      lifeboy (replying to viragomann), Sep 27, 2023, 3:39 PM

        @viragomann I have discovered that as soon as I remove the 1:1 NAT mapping, it all works. So the specific public ip address is probably being blocked for some reason by the upstream router.

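The two points the thread turns on, whether the outbound NAT rule covers the whole LAN subnet and why a 1:1 mapping makes one guest behave differently from its neighbours, can be checked with a small model of how a pf-based firewall such as pfSense chooses a source translation. The script below is an added example written for this page, not code from either poster or from the pfSense project. It assumes the ordering pf uses (1:1/binat mappings are consulted before outbound NAT rules, first match wins); the rule sets are constructed for illustration, and 203.0.113.10 is a documentation-range placeholder standing in for the poster's real public address.

```python
"""Model of how a pf-based firewall (e.g. pfSense) picks the source translation
for a packet leaving the WAN interface, used to reason about the thread above.
Assumptions (not taken from the forum page): 1:1 (binat) mappings are evaluated
before outbound NAT rules and the first matching entry wins. All rule data is
constructed; 203.0.113.10 is a documentation-range placeholder public address."""
import ipaddress
from dataclasses import dataclass


@dataclass
class OutboundNatRule:
    interface: str      # interface the rule is attached to, e.g. "WAN"
    source: str         # source network the rule matches, in CIDR notation
    translate_to: str   # address the source is rewritten to


@dataclass
class OneToOneMapping:
    interface: str
    internal: str       # internal host or network (CIDR)
    external: str       # public address used in place of the internal one


LAN_NET = ipaddress.ip_network("192.168.121.0/24")   # LAN subnet from the thread

# Constructed configurations: one rule that covers only half the LAN (weak),
# one that covers all of it (corrected), and a 1:1 mapping for the affected guest.
WEAK_OUTBOUND = [OutboundNatRule("WAN", "192.168.121.0/25", "WAN address")]
GOOD_OUTBOUND = [OutboundNatRule("WAN", "192.168.121.0/24", "WAN address")]
ONE_TO_ONE = [OneToOneMapping("WAN", "192.168.121.201/32", "203.0.113.10")]  # placeholder


def pick_translation(src_ip, mappings, outbound_rules, interface="WAN"):
    """Return (kind, translated_address) for a packet from src_ip on interface.
    1:1 mappings take precedence over outbound NAT rules (assumed pf order)."""
    ip = ipaddress.ip_address(src_ip)
    for m in mappings:
        if m.interface == interface and ip in ipaddress.ip_network(m.internal, strict=False):
            return ("1:1", m.external)
    for r in outbound_rules:
        if r.interface == interface and ip in ipaddress.ip_network(r.source, strict=False):
            return ("outbound", r.translate_to)
    return ("none", None)   # packet would leave with its private source address


def uncovered_hosts(lan_net, outbound_rules, interface="WAN"):
    """List LAN hosts that no outbound NAT rule on the interface would translate."""
    covered = [ipaddress.ip_network(r.source, strict=False)
               for r in outbound_rules if r.interface == interface]
    return [str(h) for h in lan_net.hosts() if not any(h in n for n in covered)]


def explain(src_ip, mappings, outbound_rules):
    """Plain-language summary of what the translation result means for the guest."""
    kind, addr = pick_translation(src_ip, mappings, outbound_rules)
    if kind == "1:1":
        return (f"{src_ip} leaves with dedicated address {addr}; an upstream filter "
                f"on that address affects only this host while other guests keep working")
    if kind == "outbound":
        return f"{src_ip} shares the translated address {addr} with the rest of the rule's source network"
    return f"{src_ip} is not translated at all; replies have no route back"


if __name__ == "__main__":
    # The situation in the thread: one guest with a 1:1 mapping, the rest on the shared rule.
    print(explain("192.168.121.201", ONE_TO_ONE, GOOD_OUTBOUND))
    # After the poster removed the 1:1 mapping.
    print(explain("192.168.121.201", [], GOOD_OUTBOUND))
    # The check viragomann suggested first: does the outbound rule cover the whole subnet?
    gaps = uncovered_hosts(LAN_NET, WEAK_OUTBOUND)
    print(f"{len(gaps)} LAN hosts not covered by the weak rule (first: {gaps[0]})")
```

To confirm the model against live traffic, the matching capture on the firewall is the one viragomann describes: capture on the WAN interface with the destination host and ICMP as filters (on the pfSense shell, `tcpdump -ni <wan-if> icmp and host 8.8.8.8`), and compare the source address in the captured echo requests with what `pick_translation` predicts. If the echo requests leave with the 1:1 external address and no replies come back while requests from the shared address get replies, the problem is outside the firewall, which is exactly what the poster concluded.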
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.