Netgate Discussion Forum

    Firewall blocking some LAN to LAN traffic

    Category: Routing and Multi WAN
    6 Posts, 3 Posters, 6.8k Views
    • salmonbaytech

      I have two networks connected to the Internet through pfSense that also talk with each other.

      pfSense has two Internet connections.
      LAN 1 is attached to pfSense: 192.168.1.0/24
      LAN 2 is connected to LAN 1.
      LAN 2 is 192.168.11.0/24

      The LAN 2 router is 192.168.1.251.
      pfSense has a route/gateway set up to pass all traffic for 192.168.11.0/24 to 192.168.1.251.

      Everything works: I can surf the Internet from both LANs, and that is fine. I can connect from the Internet and RDP to a computer in the 192.168.11.0/24 subnet.

      I can't RDP for long from the 192.168.1.0/24 subnet to the 192.168.11.0/24 subnet; the connection gets blocked by the firewall, then reconnects, then blocks, then reconnects, and on and on. So it kind of works, then not…

      These are the log entries:

      Time             Interface  Source               Destination          Proto:Flags
      Feb 29 13:36:47  LAN        192.168.1.173:62354  192.168.11.197:3389  TCP:A
      Feb 29 13:36:49  LAN        192.168.1.173:62354  192.168.11.197:3389  TCP:A
      Feb 29 13:36:51  LAN        192.168.1.173:62354  192.168.11.197:3389

      When I click the red X, it says "Default deny rule".

      I must be missing something simple?

      • marvosa

        Give us a network map.

        • salmonbaytech

          [Attached network map image; not preserved in this capture.]
          • marvosa

            Just to be clear, what is the LAN IP on pfSense? Regarding "switch 192.168.1.0/24", are you saying that it's a layer 3 switch, or just stating the LAN subnet coming from pfSense? I'm guessing it's just the subnet, but let's clarify and add all the details.

            After that, I would say:

            1.  Give us your firewall rules that allow traffic in both directions, along with pfSense's routing table.
            2.  Give us the routing table on the Ubiquiti Loco (router mode) sitting on 192.168.1.251.

            • salmonbaytech

              The LAN IP is 192.168.1.1.

              It's one physical switch that is represented.

              LAN Rules
              "Internal" is an alias for the 192.168.1 and 192.168.11 subnets.

              
              ID	Proto	Source	Port	Destination	Port	Gateway	Queue	Schedule	Description	
              
               *	*	*	LAN Address	22,80,443	*	*		Anti-Lockout Rule	
              *	 192.168.11.0/24	 *	 *	 *	 *	 none	  	 Default allow Nebar to any rule 	
              *	 LAN net	 *	 192.168.11.0/24	 *	 Nebar	 none	  	 Default allow LAN to any rule 	
              TCP	Internal	 *	 *	 443 (HTTPS)	 LoadBalance_Secure	 none	  	 SSL Static 	
              *	Internal	 *	 *	 *	 LoadBalance_Night	 none	  Night	 Default allow LAN to any rule 	
              *	Internal	 *	 *	 *	 LoadBalance	 none	  	 Default allow LAN to any rule 	
               *	 *	 *	 *	 *	 *	 none	  	 Pass All 
              

              pfSense Route Table

              Destination      Gateway            Flags  Refs  Use       Mtu    Netif
              default          68.178.124.1       UGS    0     395589    1500   vr2
              10.5.5.0/24      link#2             U      0     907008    1500   vr1
              10.5.5.2         00:0d:b9:26:5d:ad  UHS    0     744       1500   vr1
              10.5.5.3         00:0d:b9:26:5d:ad  UHS    0     732       1500   vr1
              10.5.5.221       link#2             UHS    0     207       16384  lo0
              68.178.124.0/24  link#3             U      0     62628     1500   vr2
              68.178.124.189   link#3             UHS    0     3         16384  lo0
              127.0.0.1        link#5             UH     0     464       16384  lo0
              192.168.1.0/24   link#1             U      0     37586441  1500   vr0
              192.168.1.1      link#1             UHS    0     0         16384  lo0
              192.168.2.0/24   10.5.5.1           UGS    0     1189298   1500   vr1
              192.168.11.0/24  192.168.1.251      UGS    0     1309881   1500   vr0

              More logs of some traffic being blocked from the 192.168.1.0 subnet to the 192.168.11.0 subnet (not all traffic is blocked):

              
              Mar 1 06:18:50	LAN	   192.168.1.53:515	   192.168.11.250:731	TCP:SA
              
              Mar 1 06:19:50	LAN	   192.168.1.53:515	   192.168.11.250:731	TCP:SA
              
              Mar 1 06:19:56	LAN	   192.168.1.53:515	   192.168.11.250:731	TCP:SA
              
              Mar 1 06:21:00	LAN	   192.168.1.53:515	   192.168.11.250:731	TCP:SA
              
              Mar 1 06:22:04	LAN	   192.168.1.53:515	   192.168.11.250:731	TCP:SA
              
              Mar 1 06:23:08	LAN	   192.168.1.53:515	   192.168.11.250:731	TCP:SA
              

              Loco Route Table

              Destination   Gateway      Netmask        Interface
              192.168.1.0   0.0.0.0      255.255.255.0  WLAN
              192.168.11.0  0.0.0.0      255.255.255.0  LAN
              0.0.0.0       192.168.1.1  0.0.0.0        WLAN
              • cmb

                You can't statefully filter asymmetrically routed traffic. Go to System > Advanced, Firewall/NAT, and check "Bypass firewall rules for traffic on the same interface".

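cmb's one-liner is the whole diagnosis: with the Loco on the LAN 1 segment, one direction of each LAN 1 to LAN 2 connection passes through pfSense and the other does not, so pfSense's state table never sees a complete handshake. The following is an added toy model of a stateful filter (not pfSense or pf code, written for this page) that uses the addresses from the logs above to reproduce both block patterns and to show what the same-interface bypass changes; the 120-second half-open expiry and the "later ACK" in the RDP case are assumptions of the model.

```python
import ipaddress

# Routing as the thread's pfSense table shows it: both LAN subnets sit behind vr0,
# 192.168.11.0/24 reached via the Loco at 192.168.1.251 (toy model, not pf itself).
ROUTES = [(ipaddress.ip_network(n), "vr0") for n in ("192.168.11.0/24", "192.168.1.0/24")]
HALF_OPEN_TIMEOUT = 120  # assumed: seconds a state lives if its reply direction is never seen

def out_iface(dst):
    d = ipaddress.ip_address(dst)
    return next((iface for net, iface in ROUTES if d in net), "vr2")  # vr2 = default/WAN

class StatefulFilter:
    def __init__(self, bypass_same_iface=False):
        self.bypass = bypass_same_iface  # the System > Advanced checkbox cmb points to
        self.states = {}                 # (src, sport, dst, dport) -> [created, replied]

    def packet(self, t, in_iface, src, sport, dst, dport, flags):
        # Bypass: traffic entering and leaving on the same interface skips the ruleset
        # and needs no state, which is what makes the asymmetric path work.
        if self.bypass and in_iface == out_iface(dst):
            return "pass(bypass)"
        # Expire states that never saw the other direction.
        for k in [k for k, s in self.states.items()
                  if not s[1] and t - s[0] > HALF_OPEN_TIMEOUT]:
            del self.states[k]
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.states:
            return "pass(state)"
        if rkey in self.states:
            self.states[rkey][1] = True
            return "pass(state)"
        if flags == "S":  # only a SYN matching a pass rule creates state
            self.states[key] = [t, False]
            return "pass(new state)"
        return "block"  # no state and not a SYN: the "Default deny rule" entry in the log

def rdp_scenario(bypass):
    # LAN 1 client -> LAN 2 RDP host, as in the first log excerpt. The SYN-ACK returns from
    # the Loco straight to .173 (pfSense never sees it), so the state ages out. Assumed: a
    # later ACK reaches pfSense again once the client's ICMP redirect entry expires.
    fw = StatefulFilter(bypass)
    first = fw.packet(0, "vr0", "192.168.1.173", 62354, "192.168.11.197", 3389, "S")
    later = fw.packet(200, "vr0", "192.168.1.173", 62354, "192.168.11.197", 3389, "A")
    return [first, later]

def printer_scenario(bypass):
    # LAN 2 host -> LAN 1 printer (port 515), as in the second log excerpt: the SYN came in
    # through the Loco directly, but the printer's SYN-ACK goes to its gateway, pfSense.
    fw = StatefulFilter(bypass)
    return fw.packet(0, "vr0", "192.168.1.53", 515, "192.168.11.250", 731, "SA")
```

Without the bypass the model blocks the stray ACK and the printer's SYN-ACK exactly as the two log excerpts show; with it, both pass because they enter and leave on vr0.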
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.