pfSense blocks HTTP response



  • My network has 2 gateways: a core router and pfSense.

    Everything is fine if the server points its gateway to the core router.

    [HTTP Request]
    client --> router --> server
    [HTTP Response]
    server --> router --> client

    The problem occurs when I change the gateway to pfSense. Every HTTP response is blocked.

    [HTTP Request]
    client --> router --> server
    [HTTP Response]
    server --> pfSense --> router --> client

    I tried adding a pfSense rule to allow traffic tcp:server:80 --> any, but without success. ???

    Thanks for any advice.
    Yoon


  • LAYER 8 Global Moderator

    Your second diagram makes no sense: if you changed the client's gateway to pfSense, why would you show it talking only to the router on the request?

    And then why would it come back through pfSense and then the router before going to the client?

    How exactly you have your network set up would be helpful. Are the router and pfSense inline? Are they just routing or NATing? Is one of them bridging vs routing? etc.

    From your brief description I would take it your router and pfSense have either different WAN connections or different IPs on the same WAN network, and then different IPs on the same LAN network?

    You normally do not want traffic taking different paths, i.e. if traffic left your router and then the response hit the WAN interface of pfSense. pfSense would not have a state for your request to know where to send the response packet for your request, so it would be dropped, unless you have a specific forward that said send traffic from known IP source port 80 to ALL dst ports to client IP. How would pfSense know the dst port of the response from the HTTP server that went out your router?

    You do understand that the response back from the HTTP server you're trying to talk to would be from src port 80 and the dst port would be the random >1024 port that your client used to make the request, so allowing 80 into your pfSense is not going to help any.



  • You're creating a mess there by trying to statefully firewall asymmetrically routed traffic (with any firewall); you can't add rules to allow that. Firewalls must see both directions to be able to properly filter. No idea why you would want that kind of setup, so not sure what sane alternative to suggest.
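As an added illustration of the state argument in the replies above (example code, not part of the thread or of pfSense itself), here is a toy pf-style stateful filter in Python. The WAN rule "pass from port 80 to any" with pf's default flags S/SA only creates a state from a bare SYN, so a SYN-ACK for a request that went out via the core router finds no state and is dropped. Addresses, ports, interface and function names are constructed.

```python
# Toy model of a pf-style stateful filter (constructed example, not pfSense code).
# Shows why a reply for a flow whose request never crossed the firewall is dropped,
# and why a "pass in on wan from port 80 to any" rule does not rescue it.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

@dataclass
class Rule:
    iface: str
    sport: Optional[int]     # None means "any source port"
    syn_only: bool = True    # pf default "flags S/SA": only a bare SYN opens a state

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # keyed by the 4-tuple of the initiator

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:   # either direction of a known flow
            return "pass (state)"
        for r in self.rules:                            # no state: may this packet open one?
            if r.iface != pkt.iface or (r.sport is not None and r.sport != pkt.sport):
                continue
            if r.syn_only and pkt.flags != "S":
                continue                                # a SYN-ACK cannot create a state
            self.states.add(fwd)
            return "pass (new state)"
        return "drop"

CLIENT, SERVER = "10.0.0.5", "203.0.113.10"            # constructed addresses

def symmetric_path() -> list:
    """Request and reply both cross pfSense: the SYN opens a state, the SYN-ACK matches it."""
    fw = Firewall([Rule("lan", None), Rule("wan", 80)])
    return [fw.filter(Packet("lan", CLIENT, 51234, SERVER, 80, "S")),
            fw.filter(Packet("wan", SERVER, 80, CLIENT, 51234, "SA"))]

def asymmetric_path() -> list:
    """Request left via the core router; pfSense only ever sees the SYN-ACK."""
    fw = Firewall([Rule("lan", None), Rule("wan", 80)])
    return [fw.filter(Packet("wan", SERVER, 80, CLIENT, 51234, "SA"))]
```

Running `symmetric_path()` gives `['pass (new state)', 'pass (state)']`, while `asymmetric_path()` gives `['drop']` even though the port-80 WAN rule is present.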

