Netgate Discussion Forum
    Default Deny Rule blocking traffic between interfaces

Firewalling
16 Posts 4 Posters 1.2k Views
DaHai8

      Trying to figure out why this is happening:
Browser on network port igc1 (172.29.2.0/24, aka Trinity) trying to access a web site (Home Assistant) on port igc2 (17.29.3.0/24, aka Neo), and the return packets are getting blocked by a Default Deny Rule. The odd part is this used to work just a few days ago, but I don't recall changing anything in the Firewall Rules:

[three screenshots]

      Ping between the two devices works both ways, and traceroute reports just 2 hops (both ways).

      Not sure what I've done wrong or how to fix this.
      I realize I can just click on the + in the log and pass those packets, but I'd like to understand how/why they are being blocked to begin with.

      Any ideas or need more info?
      pfSense CE 2.7.2

SteveITS (Galactic Empire) @DaHai8

        @DaHai8 it may be https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

DaHai8 @SteveITS

@SteveITS: Thank you for the suggestion. I checked the “Allow IP Options” for IPv4 on both Neo and Trinity, but I'm still not able to access the HA server on Neo from Trinity. The browser just sits and spins.

[screenshot]

And these entries are still appearing in the Firewall Log:
[screenshot]

          No perhaps NOT a firewall issue?
          I was just over on the HA forum thinking it was a HA issue and that's when a suggestion to check the pfsense logs led me here.
          Now I don't know what to think...argh

SteveITS (Galactic Empire) @DaHai8

            @DaHai8 ok, you had said the return packet was being blocked, which isn’t a thing because pfSense is stateful. Packets are allowed or blocked as they arrive on an interface.

            The IP Options thing I don’t think would be relevant here. I was more referring to the “out of state” part of the doc.

            So the connection isn’t blocked by pfSense, and you’re seeing responses at pfSense. And pinging works. Does your browser network console/output show anything? Incognito window?

DaHai8 @SteveITS

@SteveITS: Thanks for the suggestions!

When trying to connect to HA on 172.29.3.3 from 172.29.2.x from a Chrome web browser, the connection eventually times out with "The Connection was reset".
Running Windows Network Diagnostics returned "The troubleshooter couldn't identify the problem".
Looking at the DevTools Network Console, when I first try to access HA via its URL, it does a Request URL data:image/png;base64, Request Method: GET. The response failed (there was no response).
              The summary at the bottom shows: 5 requests, 0 B transferred

DaHai8

                This is odd. I could have sworn I could ping the browser PC on 172.29.2.104 from HA on 172.29.3.4, but now I cannot. Maybe I had confused myself before.

From Windows PC to Home Assistant
[photo]

From Home Assistant to Windows PC
[screenshot]

                The more things I check, the more confused I get! 😧

DaHai8

                  Ok. Turns out Windows PCs don't like to be pinged.
                  iPads don't care.
[screenshot]

So data (pings) is crossing over between 172.29.2.x and 172.29.3.x.

                  Back to square one...

SteveITS (Galactic Empire) @DaHai8

@DaHai8 said in Default Deny Rule blocking traffic between interfaces:

> Windows PCs don't like to be pinged

                    Possibly, a firewall rule on it is only allowing ICMP from the local subnet.

johnpoz (LAYER 8 Global Moderator) @DaHai8

@DaHai8 that screams asymmetrical. I would expect to see a SA though. Maybe you just didn't post the screenshot with the SA?

Your states could have gotten flushed, so pfsense no longer sees a state to allow the return traffic.

If that was the case I would expect it to recover, since the device should give up and start a new session.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

DaHai8 @johnpoz

@johnpoz: Thanks for the suggestions!

I let it run again, from my Pixel phone on 172.29.2.102 until it finally timed out, then checked the Firewall logs: no 'SA' anywhere. Just 'A' and 'PA'.

                        At this point, I don't know what's going on. I think I'll just 'Listen to the Music Play' and set this aside for awhile. 👍

                        Thanks everyone!

johnpoz (LAYER 8 Global Moderator) @DaHai8

@DaHai8 you were doing this on a phone? They have problems with using old sessions; possibly it just didn't open a new one after pfsense had closed an old state.

But yeah, you can always just listen to the music play!!

[YouTube video]

DaHai8 @johnpoz

@johnpoz: I've tried Pixel 6 Chrome browser, Windows 10 and 11 Chrome browser and the iPad Home Assistant app.

                            Grateful Dead, nice choice. I'm more Dark Side of Moon myself 😄

                            Cheers.

johnpoz (LAYER 8 Global Moderator) @DaHai8

@DaHai8 I would sniff to see if you are seeing the SA, and then traffic just stops? Maybe one side sent a FIN or a RST and the state closed.

You really need to see a packet capture that captures the full conversation.

The reason ACKs are blocked is that there is no state to allow them. Why the state is not there is what you need to figure out. Either your traffic is asymmetrical and pfsense never saw the SYN to open the state, or the state went away at some point and that is when you start seeing blocks.

You can sniff on pfsense with Packet Capture under Diagnostics, or you could always fire up Wireshark on your Windows machine.

edit - this trace looks really wrong to me.. Why would you have 2 hops in the same network? And that first hop - that is an odd name for your pfsense box ;)

[screenshot: network.jpg]

Can you put together a napkin drawing of how you have this connected together - what are the 3.3 and 3.1 boxes?

This is how a trace should work from a device in one network talking to another network attached to pfsense:

                              $ tracert 192.168.3.32
                              
                              Tracing route to ntp.home.arpa [192.168.3.32]
                              over a maximum of 30 hops:
                              
                                1     1 ms     1 ms     1 ms  sg4860.home.arpa [192.168.9.253]
                                2     1 ms     1 ms     1 ms  ntp.home.arpa [192.168.3.32]
                              

My PC at 192.168.9.100/24 sends traffic to its gateway (pfsense), then pfsense sends that on to the 192.168.3.32 IP address, since pfsense is directly attached to both the 192.168.9 and 192.168.3 networks.

Also that first hop - .007 ms - that has to be the device itself that you're tracing from. Is that a container network or something? Are you running this stuff as a VM?

If you're tracing from a 172.29.2.x, why is your first hop an IP in 172.30.32??

DaHai8 @johnpoz
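To make johnpoz's explanation concrete, here is an added toy model (not code from the thread or from pfSense) of a stateful filter: only a SYN arriving on an interface with a pass rule opens a state, and every later packet is matched against the state table. The interface names and addresses follow the thread; the Home Assistant port 8123, the client port and the allow-any rules on both interfaces are assumptions.

```python
# Added example (not from the thread): a toy model of pfSense's stateful
# filtering, showing why mid-stream "A"/"PA" packets hit the Default Deny rule.
# A state is created only by a SYN arriving on an interface whose rules pass
# it; every later packet of that connection, in either direction, is matched
# against the state table. No state means the packet falls to the default deny.
from collections import namedtuple

Packet = namedtuple("Packet", "iface src sport dst dport flags")
PASS_RULES = {"igc1", "igc2"}   # assumed: allow-any rules on Trinity and Neo

def state_key(p):
    """Both directions of a connection share one state, so normalise the tuple."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b))

def filter_packets(packets, flush_at=None):
    """Return one verdict per packet. flush_at clears the state table just
    before that packet index, modelling a state flush or timeout."""
    states, verdicts = set(), []
    for i, p in enumerate(packets):
        if i == flush_at:
            states.clear()
        key = state_key(p)
        if key in states:
            verdicts.append("pass")
            if "R" in p.flags:               # RST tears the state down
                states.discard(key)
        elif p.flags == "S" and p.iface in PASS_RULES:
            states.add(key)                  # only a SYN opens a state
            verdicts.append("pass(new state)")
        else:
            verdicts.append("block")         # Default Deny rule, as logged
    return verdicts

# Constructed packets: browser on Trinity (igc1) talking to Home Assistant on
# Neo (igc2). Port 8123 is assumed; the client port is arbitrary.
CLIENT, HA = "172.29.2.104", "172.29.3.3"
NORMAL = [
    Packet("igc1", CLIENT, 50123, HA, 8123, "S"),
    Packet("igc2", HA, 8123, CLIENT, 50123, "SA"),
    Packet("igc1", CLIENT, 50123, HA, 8123, "A"),
    Packet("igc2", HA, 8123, CLIENT, 50123, "PA"),
]
# Asymmetric path: pfSense sees only Neo's replies and never saw the SYN.
ASYMMETRIC = [NORMAL[1], NORMAL[3]]

if __name__ == "__main__":
    print("normal    :", filter_packets(NORMAL))
    print("asymmetric:", filter_packets(ASYMMETRIC))   # every packet blocked
    print("flushed   :", filter_packets(NORMAL, flush_at=3))
```

The third run shows the "state went away" case: the flow was fine until the table was cleared, after which the next PA from Neo is blocked exactly like the log entries in the thread.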

@johnpoz: I will look into this after the weekend, and post back soon after.
                                Thanks for all the help/suggestions!

Spiney @DaHai8

@DaHai8 Have a look at this: NetGate IP-Options.

                                  I was having similar problems which seemed to appear within the last week. I tried everything, and this finally appears to have worked.

johnpoz (LAYER 8 Global Moderator) @Spiney

@Spiney IP options is not his issue, that is for sure.
