Firewall - Block by Default Deny rule

eeebbune

Hello,

I'm having a weird issue and need your advice for what I missed.

I have created one of interface named 'MGMT' and the interface IP address is:

• 10.100.23.1/24
  One of laptop is directly connected to this interface and has:
  -10.100.23.11/24

On my floating rule, very top, I have created 'this laptop could reach internet'.

However, whenever I tried to search from Google, all websites gives me 'not connection' error.
Firewall is rejecting my access, and I have no idea why it blocks my PC.

I have allow rule on both 'Floating' tab and MGMT interface tab.

What makes my internet access?

Thank you for giving your time.

johnpoz

@eeebbune Don't see any hits on that rule - see how its 0/0 B, what is the destination port(s) you have set. What is this alias you setup private_ip?

What are the rule you have on your mgmt interface?

If default deny is trigging this means your allow rules are not being triggered.

From what you posted with floating 0/0 B, this rule never triggered for some reason.. Maybe mistake in your private_ip alias, maybe you have a specific port set in the destination

You didn't post your mgmt rules - but if your allow does not trigger and in your rules then yes it would drop all the way down and the default deny would block it.

eeebbune

@johnpoz

Hello, here are my rules in MGMT interface.

Alias 'PRIVATE_IP' has
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Alias 'FW_MGMT' has
10.100.23.0/24

Actually even though I put allow rule from FW_MGMT to Any, it didn't work.

Weird part is when I try ping.
I have allow ICMP rule on floating rule, and my laptop (10.100.23.11) is able to ping.

I couldn't find why my laptop can't reach to internet. (Laptop DNS=8.8.8.8)

Thank you.

johnpoz

@eeebbune what is FW_mgmt as source? From your firewall hit the interface is just MGMT..

If you see no info like you do on that ping rule and are 0/0 B then the rule is never trigging.. Either you have it on the wrong interface or whatever info you put in the rule is not matching your traffic your wanting to allow.

SteveITS

@eeebbune If FW_MGMT is a custom alias you don't need that, I'd expect to see the default "___ subnets" alias there which should be in the dropdown:

rule:

eeebbune

@SteveITS

Sadly, the result is same when I changed my source to Any or MGMT interface..

To make sure entire configuration, I have created TAC.
Hopefully TAC noticed what did I miss.

Thank you,

johnpoz

@eeebbune well mgmt address is sure and the hell not going to work.. How would pfsense mgmt address be the source of traffic coming into your mgmt interface.

@SteveITS gave you a picture showing mgmt "subnets"

eeebbune

@johnpoz
That was because of state table size was not enough as per TAC. After I changed it was resolved.

I appreciate you and everyone's attention.

Thank you!!

johnpoz

@eeebbune While you might of had some sort of state table issue.. But there is no way the source IP of traffic into interface is going to be its own address.. When your trying to talk to it from device on that network.

Glad you got it sorted, but that rule you posted of mgmt address with desc allow to reach internet makes zero sense..