Different Default deny problem



  • I'm familiar with the http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection%2C_why%3F default deny problem, but I don't think that's what my issue is.  I have a ton of default denies filling up my logs.  I think the traffic is getting to its location, but I want to try to get rid of all the erroneous log entries.  The reason listed in the link above is network latency.  The reason I don't think this applies is because 99 percent of these default denies are from the DMZ to the LAN.  I don't think the switch + firewall is creating enough latency to cause retransmits.  I have an idea of what might be causing it, but I'm not sure.  Here's a rundown of my current setup.

    2 Firewalls with CARP

    Firewall1
    Wan - xxx.xxx.xxx.197
    LAN - 192.168.10.2
    DMZ - 192.168.11.2

    Firewall2
    Wan - xxx.xxx.xxx.198
    LAN - 192.168.10.3
    DMZ - 192.168.11.3

    CARPs
    WAN - xxx.xxx.xxx.196
    LAN - 192.168.10.1
    DMZ - 192.168.11.1

    I have outbound NAT rules in place to use the WAN CARP address for outbound traffic.  As I said, the firewall entries that show up are generally for traffic traveling from the DMZ to the LAN.  My current theory on what is happening is some form of weird asynchronous routing.  The box in the DMZ uses 192.168.11.1 as its gateway, but responses are received from 192.168.11.2, the actual IP of the interface, not the CARP address.  Does this sound plausible, and if so, what is the recommended fix?
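One way to test whether the logged "Default deny" entries are the out-of-state kind described in the linked doc (mid-flow packets pf no longer tracks) rather than genuine rule hits, as an added example that is not part of the original post: group blocked entries by interface and by whether the TCP segment carries SYN only or ACK/FIN/RST. The log lines are constructed, the comma-separated filterlog field layout of newer pfSense releases and the interface-to-role mapping are assumptions, and the WAN addresses use documentation ranges.

```python
import csv
from collections import Counter
from io import StringIO

# Assumed mapping of interface names to roles (the post names no interfaces).
IFACE_ROLE = {"em0": "WAN", "em1": "LAN", "em2": "DMZ"}

# Constructed sample lines in the comma-separated filterlog layout of newer
# pfSense releases (field positions are an assumption, not taken from the post).
SAMPLE_LOG = """\
5,,,1000000103,em2,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,52,192.168.11.5,192.168.10.10,80,53288,0,A,1,1,65535,,
5,,,1000000103,em2,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,52,192.168.11.5,192.168.10.10,80,53288,0,FA,2,1,65535,,
5,,,1000000103,em2,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.11.5,192.168.10.20,45000,22,0,S,1,0,65535,,mss
5,,,1000000103,em0,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,40,203.0.113.9,192.0.2.196,40000,3389,0,S,1,0,1024,,
"""

def parse_filterlog(text):
    """Return one dict per blocked IPv4 line; anything else is skipped."""
    entries = []
    for f in csv.reader(StringIO(text)):
        if len(f) < 22 or f[6] != "block" or f[8] != "4":
            continue
        e = {"iface": f[4], "dir": f[7], "proto": f[16], "src": f[18],
             "dst": f[19], "sport": f[20], "dport": f[21]}
        # TCP flags follow the data-length field; UDP lines have none.
        e["flags"] = f[23] if e["proto"] == "tcp" and len(f) > 23 else ""
        entries.append(e)
    return entries

def is_out_of_state(entry):
    """A blocked TCP segment carrying ACK, FIN or RST belongs to a conversation
    that was already under way: the 'blocked log entries for legitimate traffic'
    case. A bare SYN is a genuine new-connection attempt hitting the rule."""
    flags = entry["flags"]
    return entry["proto"] == "tcp" and any(c in flags for c in "AFR")

def summarize(entries):
    """Count blocked entries per (interface role, kind)."""
    counts = Counter()
    for e in entries:
        role = IFACE_ROLE.get(e["iface"], e["iface"])
        kind = "out-of-state" if is_out_of_state(e) else "new-connection"
        counts[(role, kind)] += 1
    return counts

if __name__ == "__main__":
    for (role, kind), n in sorted(summarize(parse_filterlog(SAMPLE_LOG)).items()):
        print(f"{role:4} {kind:15} {n}")
```

A high share of out-of-state entries on the DMZ interface points at the state-tracking issue (or at replies leaving via a different address than the one the state was created on), while a high share of bare SYNs means the rules really are rejecting new connections.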



  • Anyone have any ideas?

