Outbound Traffic Blocked for One Machine Only?



  • After a couple of days of banging my head against the wall, clearing my rules, rebuilding them and starting over, I have an issue that I cannot resolve. I am hoping that your brain-power will tell me the answer.

    I have built and deployed a pfSense router/firewall, and all of my computers (PCs, Macs, servers, etc.) can get out to the Internet via the new router just fine, except for one server.

    Here's an example of what's in the Firewall Logs:
    Dec 27 21:53:43 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
    Dec 27 21:53:44 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
    Dec 27 21:53:44 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
    Dec 27 21:53:46 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
    Dec 27 21:53:48 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
    Dec 27 21:53:53 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
    Dec 27 21:54:02 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:R

    Like I stated earlier, ALL other machines on the network can get out on port 80 (443, 21, etc…) just fine. However, this one is being blocked. I have run out of places to look.

    The server in question is the "10.0.14.39" address shown above, and the destination is simply Google.

    What am I missing here?

    Thanks,
    Timm



  • Please post a screenshot of your firewall rules.



  • Screenshots attached.






  • I'm starting to think it's the NAT, not the rules… however, I'm not sure where to fix it.



  • I can't see anything wrong with the rules, or why NAT would cause issues (unless you've changed the NAT settings from the defaults). I'd look at what's different about that server - netmask, default gateway, IP address, proxy settings etc.



  • I figured it out. It was the outbound NAT.

    I have 15 static public IPs, with 13 of them being virtual IPs, and 8 of those NAT to the inside. When I tested the second, third, etc. servers - after building the VIP and NAT - they were showing the router's IP address (using whatismyip.com) in the web browser, not their assigned external IP.

    I set the outbound NAT mode to "manual" and ticked the "static port" box. Saved and applied the changes, and now each server needing NAT to an external IP shows the correct IP.
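A worked example, added here and not part of the original thread, showing how to read the kind of log the first post quotes. In pf (which pfSense uses) a TCP packet that matches no state-table entry is dropped by the default deny even when a LAN pass rule exists, so blocked entries whose flags never include SYN are out-of-state packets (state lost or never created, as happens with asymmetric routing or a NAT/state mismatch) rather than connection attempts a rule denied. The script parses the seven posted lines plus one constructed contrast line, groups them per flow, and classifies each flow on that basis. The field layout `Mon DD HH:MM:SS IFACE SRC:PORT DST:PORT PROTO:FLAGS` and the reading of the letters after `TCP:` as pf flag letters (S=SYN, A=ACK, P=PSH, R=RST, F=FIN) are assumptions about this log format; the function names are mine.

```python
"""Group pfSense firewall-log block entries per flow and separate flows that were
only ever blocked mid-stream (no SYN seen) from flows blocked on the SYN itself.

Added example, not code from the original thread or from pfSense. Assumed log
layout: "Mon DD HH:MM:SS IFACE SRC:PORT DST:PORT PROTO:FLAGS", with the flag
letters read as pf's S/A/P/R/F/U/E/W.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the seven blocked entries quoted in the original post,
# plus one made-up line (10.0.14.40, flags S) to show a SYN that a rule denied.
SAMPLE_LOG = """\
Dec 27 21:53:43 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
Dec 27 21:53:44 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
Dec 27 21:53:44 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
Dec 27 21:53:46 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
Dec 27 21:53:48 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
Dec 27 21:53:53 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:P
Dec 27 21:54:02 LAN 10.0.14.39:49373 64.94.18.209:80 TCP:R
Dec 27 21:55:01 LAN 10.0.14.40:51000 64.94.18.209:443 TCP:S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<iface>\S+) +"
    r"(?P<src>[\d.]+):(?P<sport>\d+) +"
    r"(?P<dst>[\d.]+):(?P<dport>\d+) +"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    blocked: int = 0                      # number of blocked packets seen
    flags: list = field(default_factory=list)  # flag string of each blocked packet
    first_ts: str = ""
    last_ts: str = ""

    @property
    def saw_syn(self) -> bool:
        """True if any blocked packet of this flow carried SYN."""
        return any("S" in f for f in self.flags)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def group_flows(text):
    """Aggregate blocked entries by (proto, src, sport, dst, dport)."""
    flows = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]))
        flow = flows.get(key)
        if flow is None:
            flow = Flow(*key, first_ts=rec["ts"])
            flows[key] = flow
        flow.blocked += 1
        flow.flags.append(rec["flags"] or "")
        flow.last_ts = rec["ts"]
    return flows


def classify(flow):
    """'denied-attempt' if the SYN itself was blocked (a rule refused the
    connection); 'out-of-state' if only non-SYN packets were blocked, meaning
    pf had no state for an already-established session."""
    if flow.proto != "TCP":
        return "non-tcp"
    return "denied-attempt" if flow.saw_syn else "out-of-state"


def hosts_with_midstream_blocks(text):
    """Source addresses whose blocked TCP traffic never included a SYN."""
    return sorted({f.src for f in group_flows(text).values()
                   if classify(f) == "out-of-state"})


if __name__ == "__main__":
    for key, f in group_flows(SAMPLE_LOG).items():
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto}: "
              f"{f.blocked} blocked, flags {'/'.join(f.flags)}, {classify(f)}")
    print("hosts with out-of-state blocks:", hosts_with_midstream_blocks(SAMPLE_LOG))
```

On the posted lines the 10.0.14.39 flow is classified as out-of-state: six PSH packets and a final RST were dropped, and no SYN was ever blocked, so the session was established and the firewall later had no state for it. That is consistent with the NAT-side cause the thread ends on, but the classifier only says "no state matched", not why; asymmetric routing, a state-table reset or a changed NAT mapping all produce the same signature.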


Locked