TCP ACK packets being blocked

  • I've set up a pfsense machine as a transparent firewall (i.e. bridging the LAN and WAN interfaces, no routing) for a branch office.
    Since I do not need to filter outgoing traffic, I just created a LAN-side rule to allow all traffic on all protocols.
    At the same time I am filtering incoming traffic.
    All seems to work somehow (i.e. no connections fail), but there's a certain sluggishness in performance, especially when establishing connections, so I've had a close look at the firewall logs.
    Apparently the firewall is discarding some or all TCP packets (both incoming and outgoing) with an ACK flag, i.e. for example TCP packets with the SA, RA and FA flags.

    An example log entry would be:
    [timestamp] WAN [IP address of some remote web site]:80 [IP address of one of my LAN hosts]:60665 TCP:SA
    Another example would be the opposite, i.e.
    [timestamp] [IP address of a LAN host]:60665 [IP address of some remote web site]:80 TCP:RA

    In theory, since pfsense is a stateful firewall and there is a pass-all rule in place for outgoing traffic, all traffic going from LAN to WAN should pass, as should all the WAN to LAN traffic that is related to a connection which was initiated on the LAN side (as surely is a SA packet from a web server acknowledging the SYN request).

    I've already tried the following, to no avail:

    • set the "pass-all" rule to "sloppy state" instead of "keep state"
    • set the "" setting to "1" instead of default (0)
    • set the "Clear invalid DF bits instead of dropping the packets" option to "on"
    None of the above worked.

    Can you help me? Thanks
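Added example, not code from the original posts or from pfSense: a small script that sorts firewall log entries like the ones quoted above into the two kinds a practitioner actually needs to tell apart. A blocked bare SYN is a connection that was really refused; a blocked segment carrying ACK (SA, RA, FA) belongs to a session pf no longer tracks, which is what the "harmless" explanation is about. The log lines are constructed and use the simplified `timestamp iface src:port dst:port TCP:flags` shape shown in the post, not the real filterlog CSV record, and the pairing of SA/RA in both directions on one port pair follows the two example entries given.

```python
import re
from collections import Counter, defaultdict

# Simplified log shape modeled on the entries quoted in the post (constructed;
# the real pfSense filterlog line is a longer CSV record):
#   <timestamp> [<iface>] <src ip>:<port> <dst ip>:<port> TCP:<flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?:(?P<iface>[A-Z]+\d*)\s+)?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP:(?P<flags>[A-Z]+)$"
)

# Constructed sample log: the SA/RA pair from the post, an FA/FA pair from a
# closed session, and two inbound SYNs to ports the WAN rules do not allow.
SAMPLE_LOG = """\
2023-05-01 09:12:01 WAN 203.0.113.10:80 192.168.1.20:60665 TCP:SA
2023-05-01 09:12:01 LAN 192.168.1.20:60665 203.0.113.10:80 TCP:RA
2023-05-01 09:12:05 WAN 203.0.113.25:443 192.168.1.31:52210 TCP:FA
2023-05-01 09:12:05 LAN 192.168.1.31:52210 203.0.113.25:443 TCP:FA
2023-05-01 09:12:09 WAN 198.51.100.7:45000 192.168.1.20:445 TCP:S
2023-05-01 09:12:11 WAN 198.51.100.7:45001 192.168.1.20:3389 TCP:S
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the shape are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(flags):
    """Separate a refused connection from an out-of-state segment.

    With pfSense's default 'flags S/SA' matching, pf creates a state on the
    initial SYN only. A blocked segment that carries ACK (SA, RA, FA, PA, A)
    belongs to a session pf is not (or no longer) tracking, typically a late
    retransmission or teardown segment that arrived after the state closed.
    A blocked bare SYN is an actual rejected connection attempt.
    """
    if flags == "S":
        return "blocked_syn"
    if "A" in flags:
        return "out_of_state_ack"
    return "other"


def summarize(entries):
    """Count entries per class."""
    return dict(Counter(classify(e["flags"]) for e in entries))


def conversation_key(e):
    # Direction-independent port pair so both halves of one session group together.
    return tuple(sorted([(e["src"], e["sport"]), (e["dst"], e["dport"])]))


def straggler_pairs(entries):
    """Port pairs that were logged with ACK-carrying segments in BOTH directions.

    The post's pair (server SA, then the client's RA on the same ports) is the
    tail of a session whose state is gone: each side answers the other's late
    segment, neither matches a state, and both are logged as blocked.
    """
    sides = defaultdict(set)
    for e in entries:
        if classify(e["flags"]) == "out_of_state_ack":
            sides[conversation_key(e)].add((e["src"], e["sport"]))
    return sorted(k for k, s in sides.items() if len(s) == 2)


def real_blocks(entries):
    """Blocked inbound SYNs: the only entries worth checking for a connectivity complaint."""
    return [(e["src"], e["dst"], e["dport"])
            for e in entries if classify(e["flags"]) == "blocked_syn"]


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    print("summary:", summarize(ents))
    for key in straggler_pairs(ents):
        print("out-of-state pair (harmless):", key)
    for src, dst, dport in real_blocks(ents):
        print(f"real block: {src} -> {dst}:{dport}")
```

Run against the sample, the SA/RA and FA/FA entries come out as two paired stragglers and only the two bare SYNs remain as blocks to investigate. When users still report failures to a web or mail server, it is those `S`-only entries (or the absence of any log entry at all) that should be checked, not the ACK-flag noise.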

  • I was about to start a thread on this issue and then, after a search, I found yours.
    I'm having similar/identical issues.
    One difference in my implementation is that I also filter outgoing connections.

    Have you found the cause?
    Can anyone help?

  • I just read the following thread,25795.0.html.
    It also points to,_why%3F, which states that "It is harmless, and does not indicate an actual blocked connection".

    However, users are still reporting problems connecting to a web site or to a mail server (on port 443).

    Anything else that can be done?
