How to allow some packets out?
-
Hi. I have a network setup with 2 VLANs, and one of them has some issues. pfSense is the router, and I set it up to allow all packets from LAN2 to anywhere. It still blocks some packets with some unusual flags: tcp:RA, PA, R, A, etc. From what I gather those are some problematic packets? How do I allow them, as the Roborock vacuum seems to not connect always?
Thank you! -
@Cobrax2 said in How to allow some packets out?:
are some problematic packets?
Those are not problem packets, those are out-of-state packets. So either your state is missing, or you have asymmetrical traffic.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
States can time out, or maybe you reset them on a gateway going down, etc. But quite often, when you mention more than one network, it is that you have an asymmetrical flow.
Wireless clients, or clients that have been in standby, etc., will sometimes try to just continue/reuse a session that is no longer active on the firewall. I have seen wireless clients that move from, say, cell to wifi, or from one wifi network to another, try to use a session they had open on the other, and well, the firewall never saw the connection being opened with a SYN, so there is no state, so yeah, it is going to block.
If you see these now and then and everything is working, then you could just ignore them, or you could turn off logging of the default deny and only log what you want so they don't show up in the log. But yeah, it's a good idea to get to the root of the problem, be it that they are just normal because a client tried to use an old session, or that you have an issue that needs to be corrected.
If a client tries an old session and it doesn't work, it would just create a new session, which would send a SYN, and then the firewall would create a state if that traffic is allowed.
-
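As an added example (not from the original thread, and not Netgate code), the following Python script triages blocked TCP entries from a pfSense filterlog export by their flag field. It separates genuinely denied connection attempts (a bare SYN, which a rule really refused) from the out-of-state A/PA packets and the R/RA resets discussed above, which are continuations of sessions the firewall no longer tracks. It assumes the comma-separated IPv4 + TCP field layout that Netgate documents for filterlog; the log lines are constructed for the demo, not real captures.

```python
"""Triage blocked TCP entries in pfSense filterlog output by TCP flags.

Added illustration, not part of pfSense. Field layout is an assumption
based on Netgate's documented filterlog format (IPv4 + TCP only here).
"""
from collections import Counter

# Fields common to every filterlog line, then the IPv4 and TCP sections.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags",
        "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack",
       "window", "urg", "options"]

# Constructed sample lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LINES = [
    # PA with no state: client pushing data on a session pf already dropped
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,21007,0,DF,6,tcp,52,"
    "192.168.10.50,203.0.113.10,49712,443,0,PA,3456789012,987654321,4096,,",
    # RA: the client resetting that same dead session
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,21008,0,DF,6,tcp,40,"
    "192.168.10.50,203.0.113.10,49712,443,0,RA,3456789013,987654321,0,,",
    # bare ACK from another device, also without a state
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,21009,0,DF,6,tcp,40,"
    "192.168.10.51,203.0.113.20,50110,8883,0,A,1111111111,2222222222,512,,",
    # SYN that was really denied by a rule (telnet outbound)
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,21010,0,DF,6,tcp,60,"
    "192.168.10.52,198.51.100.7,55002,23,0,S,1234567890,,65535,,"
    "mss;nop;wscale;sackOK;TS",
    # UDP block: not TCP, ignored by this triage
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,76,"
    "192.168.10.52,198.51.100.9,53211,5353,56",
    # a passed SYN: action is not block, ignored
    "1000000001,,,1000000002,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.168.10.50,203.0.113.10,49800,443,0,S,2222222222,,65535,,mss",
]


def parse_filterlog(line):
    """Return a dict for an IPv4 TCP line, or None for anything else."""
    fields = line.strip().split(",")
    entry = dict(zip(COMMON, fields))
    if entry.get("ipver") != "4":
        return None  # IPv6 lines use a different field layout
    rest = fields[len(COMMON):]
    entry.update(zip(IPV4, rest))
    if entry.get("proto") != "tcp":
        return None
    entry.update(zip(TCP, rest[len(IPV4):]))
    return entry


def classify(entry):
    """Label a blocked TCP entry by what its flags say about state."""
    flags = entry["tcpflags"]
    if "S" in flags and "A" not in flags:
        # Only a SYN can create a state; blocking one means a rule denied it.
        return "new-connection-blocked"
    if "R" in flags:
        # RST / RST-ACK: an endpoint tearing down a session pf no longer has.
        return "reset-no-state"
    # A, PA, FA, ...: continuation of a session with no matching state.
    return "out-of-state"


def triage(lines):
    """Count blocked TCP entries per category."""
    counts = Counter()
    for line in lines:
        entry = parse_filterlog(line)
        if entry and entry["action"] == "block":
            counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(triage(SAMPLE_LINES).items()):
        print(f"{category:24s} {n}")
```

Only the `new-connection-blocked` bucket points at a rule that actually denies the device's traffic; the other two buckets are what the thread is describing, and allowing them through would not restore the session.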
@johnpoz So what can I do if this client (actually 2 of them, 1 Roborock vacuum r9bot and 1 Sony TV) doesn't try to open a new connection? Instead it keeps reusing the old one and goes offline? Can I do something about those old connections not getting blocked? Or increase the time when they expire or something?
Thanks -
@Cobrax2 Did you try restarting them? Any client that does networking needs to know when to try a new connection, or it's broken.
See those R and RAs you list: those are the client saying, hey, I am done with this connection, it's being reset.
So just allowing those through is not going to fix the connection to the outside. For one, where it's talking to has most likely closed the session as well, so it wouldn't work. And if the state is gone on pfSense, then the NAT would be gone as well. So now the client trying to use a very old session would be coming from a different source port, because pfSense would have to create a new NAPT connection, etc.
And if your device is sending an R or RA, it's done with this connection anyway. So if it told the other end to close the session, no new data would be coming over this session anyway.
I would restart your device(s). There is no way they could try and continue to use an old session if they are rebooted.
-
@johnpoz What about tcp:PA?
Also, could these errors be related to the fact that I have the clients connected to a Tomato router with 2 VLANs, and then to pfSense? -
Is that also routing? Is it in the same subnet? Two routers, one subnet is a good way to create asymmetric routing. It shouldn't be a problem if it's just a downstream router with different subnets, though.
Generally, though, TCP-flagged packets like that are just the result of the client or server sending an ACK after the firewall closed the state, and should not cause a problem.
You can try increasing the state timeout value:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-optimization-options
Steve
-
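To make the state-timeout point concrete, here is an added toy model of a stateful TCP tracker (illustration only, not pf or pfSense code). It runs the same packet sequence, a client opening a session, going quiet, and then trying to reuse it, once with a short idle timeout and once with a long one, and records what would show up in the block log as `tcp:PA` and `tcp:R`. It also shows the asymmetric case, where a reply arrives for a session whose SYN the firewall never saw. Real pf keys states on the full 5-tuple and interface and uses several per-phase timeouts; collapsing that to one idle timeout is a simplification made for the example, and the addresses are constructed.

```python
"""Toy stateful TCP tracker: why A/PA/R packets get blocked without a state.

Added illustration, not pf code. A single idle timeout stands in for pf's
per-phase TCP timeouts, and states are keyed only on the two endpoints.
"""


class StateTable:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.states = {}   # (src, dst) -> time of the last matching packet
        self.blocked = []  # (time, src, dst, "tcp:FLAGS"), like the GUI log

    def _expire(self, now):
        # Purge states idle for longer than the timeout.
        for key, last in list(self.states.items()):
            if now - last > self.idle_timeout:
                del self.states[key]

    def packet(self, now, src, dst, flags):
        self._expire(now)
        if flags == "S":
            # Only a bare SYN creates a state (assuming a rule permits it).
            self.states[(src, dst)] = now
            return "pass"
        for key in ((src, dst), (dst, src)):
            if key in self.states:
                if "R" in flags:
                    del self.states[key]  # reset: endpoint is done with it
                else:
                    self.states[key] = now
                return "pass"
        # No state in either direction: out of state, hits the default deny.
        self.blocked.append((now, src, dst, "tcp:" + flags))
        return "block"


CLIENT = "192.168.10.50:49712"  # constructed IoT device address
SERVER = "203.0.113.10:443"     # constructed cloud endpoint (TEST-NET-3)


def idle_session(idle_timeout, idle_seconds):
    """Client opens a session, goes quiet, then tries to reuse it.

    Returns the flag strings of every blocked packet, in order.
    """
    fw = StateTable(idle_timeout)
    fw.packet(0, CLIENT, SERVER, "S")
    fw.packet(1, SERVER, CLIENT, "SA")
    fw.packet(1, CLIENT, SERVER, "A")
    fw.packet(2, CLIENT, SERVER, "PA")
    fw.packet(2, SERVER, CLIENT, "PA")
    t = 2 + idle_seconds
    fw.packet(t, CLIENT, SERVER, "PA")     # reuse attempt after the gap
    fw.packet(t + 5, CLIENT, SERVER, "R")  # client gives up on the session
    fw.packet(t + 6, CLIENT, SERVER, "S")  # new handshake recreates state
    fw.packet(t + 7, SERVER, CLIENT, "SA")
    fw.packet(t + 7, CLIENT, SERVER, "PA")
    return [entry[3] for entry in fw.blocked]


def asymmetric_reply():
    """A reply arrives for a session whose SYN went out via another path."""
    fw = StateTable(idle_timeout=60)
    return fw.packet(10, SERVER, CLIENT, "PA")


if __name__ == "__main__":
    print("60 s timeout, 120 s idle:", idle_session(60, 120))
    print("600 s timeout, 120 s idle:", idle_session(600, 120))
    print("reply with no state:", asymmetric_reply())
```

With the short timeout the reuse attempt and the client's reset both land in the block log, exactly the `tcp:PA` and `tcp:R` entries from the first post, and the device only recovers once it sends a fresh SYN. With the long timeout nothing is blocked, which is why raising the timeout can help a chatty-then-silent client; it does nothing for the asymmetric case, where no SYN was ever seen.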
@stephenw10 I don't know if you are familiar with FreshTomato.
I have on this R7000 router 2 VLANs: vlan1 and vlan10. Each has a wifi network bridged to it. vlan1 is the normal one, and vlan10 is for IoT, as I wanted it to be separated. vlan10 has a virtual wireless network bridged to it. Each LAN gets to the internet via its own ethernet cable to the dual Intel NIC on pfSense. I don't know if there is some error on Tomato that causes those states... -
If they are connected to separate cables, why use VLANs? Perhaps the FreshTomato device requires that for its internal switch?
You could just put both VLANs on one link to pfSense, though both ways should work fine if everything is configured correctly. Anyway, it sounds like the FreshTomato device is not routing (or shouldn't be), so it shouldn't be the source of asymmetry.
If you connect some other client to the IOT SSID can it connect out as expected?
-
@stephenw10 I don't know how to separate the networks on FreshTomato without VLANs. I had it on just one cable at some point, and couldn't make it work very well (I am no expert, so probably my fault). But with 2 cables it works mostly, lol. It's just that the TV and the Roborock sometimes work, sometimes they don't. If I connect a phone to the IoT network, it works OK. So probably those smart appliances have some stricter requirements. For example, when I used a tagged network over 1 cable, the TV never wanted to connect at all, lol. So I had to do VLANs without tags.
-
Well, as I say, both ways should work if configured right. I've not played with Tomato specifically, but I'm familiar with DD-WRT and OpenWrt, and both would require VLANs internally for most devices.
If a phone works on that SSID, it's probably fine.