Allowed traffic showing as blocked by non-active Firewall in 2 firewall config

  • I have 2 pfSense 1.2.3-RELEASE firewalls set up with CARP.  Config:


    the LAN has full access to initiate connections to the DMZ and everything appears to work fine.  I compared the firewall rules on the primary and secondary pfSense boxes and they are identical.

    I have "Log packets blocked by the default rule" turned on on both pfsense boxes.

    Everything looks fine in the firewall log on the primary pfSense box, but the odd thing I see is that the non-active pfSense box firewall log is showing traffic from the LAN to the DMZ as being blocked by:

    Source: 172.20.x.y (LAN)
    Destination: 172.19.a.b (DMZ)

    @220 block drop in log quick all label "Default deny rule"

    Is this some hidden rule that keeps the non-active pfSense box from duplicating the traffic onto the DMZ?  Seems like if that was the case there would be a similar rule and weird entries for the WAN interface (which I'm not seeing).


  • Ah, I think I have a better understanding of what is really happening here.

    The only IP addresses that are showing up are ones that are for a Microsoft Load Balanced IP with two members.  I guessing what is getting blocked are the packets that are viewed as out of order by the non-active based on the fact that the primary firewall has already gotten past the part of the connection setup that a given packet type would be expected.

    So sorry for the false-alarm.  I just noticed when I went back through the logs that it was only happening on the LB IPs.

    The more I'm exposed to this implementation of load balancing the less I like it–unfortunately, we are committed to this at least for the near future.

Log in to reply