Firewall blocking some LAN to LAN traffic



  • I have two networks connected to the Internet through pfSense that also talk to each other.

    pfSense has two Internet connections.
    LAN 1 is attached to pfSense: 192.168.1.0/24
    LAN 2 is connected to LAN 1.
    LAN 2 is 192.168.11.0/24

    The LAN 2 router is 192.168.1.251.
    pfSense has a route/gateway set up to pass all traffic for 192.168.11.0/24 to 192.168.1.251.

    Everything works: I can surf the Internet from both LANs, and that is fine. I can connect from the Internet and RDP to a computer in the 192.168.11.0/24 subnet.

    I can't RDP for long from the 192.168.1.0/24 subnet to the 192.168.11.0/24 subnet. The connection gets blocked by the firewall, then reconnects, then blocks, then reconnects, and so on. So it kind of works, then not…

    These are the log entries:

    Feb 29 13:36:47	LAN	192.168.1.173:62354	192.168.11.197:3389	TCP:A
    Feb 29 13:36:49	LAN	192.168.1.173:62354	192.168.11.197:3389	TCP:A
    Feb 29 13:36:51	LAN	192.168.1.173:62354	192.168.11.197:3389

    When I click the red X, it says "Default deny rule".

    I must be missing something simple?



  • Give us a network map.





  • Just to be clear, what is the LAN IP on pfSense? Regarding "switch 192.168.1.0/24", are you saying that it's a level 3 switch, or just stating the LAN subnet coming from pfSense? I'm guessing it's just the subnet, but let's clarify and add all the details.

    After that, I would say:

    1.  Give us your firewall rules that allow traffic in both directions, along with pfSense's routing table.
    2.  Give us the routing table on the Ubiquiti Loco (router mode) sitting on 192.168.1.251.



  • LAN IP is 192.168.1.1.

    It's one physical switch that is represented.

    LAN rules
    Internal is an alias for the 192.168.1 and 192.168.11 subnets.

    Proto  Source            Port  Destination       Port         Gateway             Queue  Schedule  Description
    *      *                 *     LAN Address       22,80,443    *                   *                Anti-Lockout Rule
    *      192.168.11.0/24   *     *                 *            *                   none             Default allow Nebar to any rule
    *      LAN net           *     192.168.11.0/24   *            Nebar               none             Default allow LAN to any rule
    TCP    Internal          *     *                 443 (HTTPS)  LoadBalance_Secure  none             SSL Static
    *      Internal          *     *                 *            LoadBalance_Night   none   Night     Default allow LAN to any rule
    *      Internal          *     *                 *            LoadBalance         none             Default allow LAN to any rule
    *      *                 *     *                 *            *                   none             Pass All
    

    PFSense Route Table

    Destination	Gateway	Flags	Refs	Use	Mtu	Netif	Expire
    default	68.178.124.1	UGS	0	395589	1500	vr2	 
    10.5.5.0/24	link#2	U	0	907008	1500	vr1	 
    10.5.5.2	00:0d:b9:26:5d:ad	UHS	0	744	1500	vr1	 
    10.5.5.3	00:0d:b9:26:5d:ad	UHS	0	732	1500	vr1	 
    10.5.5.221	link#2	UHS	0	207	16384	lo0	 
    68.178.124.0/24	link#3	U	0	62628	1500	vr2	 
    68.178.124.189	link#3	UHS	0	3	16384	lo0	 
    127.0.0.1	link#5	UH	0	464	16384	lo0	 
    192.168.1.0/24	link#1	U	0	37586441	1500	vr0	 
    192.168.1.1	link#1	UHS	0	0	16384	lo0	 
    192.168.2.0/24	10.5.5.1	UGS	0	1189298	1500	vr1	 
    192.168.11.0/24	192.168.1.251	UGS	0	1309881	1500	vr0	 
    
    

    More logs of SOME traffic being blocked from the 192.168.1.0 subnet to the 192.168.11.0 subnet (not all traffic is blocked):

    Mar 1 06:18:50	LAN	192.168.1.53:515	192.168.11.250:731	TCP:SA
    Mar 1 06:19:50	LAN	192.168.1.53:515	192.168.11.250:731	TCP:SA
    Mar 1 06:19:56	LAN	192.168.1.53:515	192.168.11.250:731	TCP:SA
    Mar 1 06:21:00	LAN	192.168.1.53:515	192.168.11.250:731	TCP:SA
    Mar 1 06:22:04	LAN	192.168.1.53:515	192.168.11.250:731	TCP:SA
    Mar 1 06:23:08	LAN	192.168.1.53:515	192.168.11.250:731	TCP:SA

    Loco Route Table

    Destination	Gateway	Netmask	Interface
    192.168.1.0	0.0.0.0	255.255.255.0	WLAN
    192.168.11.0	0.0.0.0	255.255.255.0	LAN
    0.0.0.0	192.168.1.1	0.0.0.0	WLAN
    


  • You can't statefully filter asymmetrically routed traffic. Go to System > Advanced, Firewall/NAT, and check "Bypass firewall rules for traffic on the same interface".
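The diagnosis above can be checked mechanically against what was posted: both 192.168.1.0/24 and 192.168.11.0/24 sit on vr0 in the pfSense route table, and every blocked packet carries ACK or SYN-ACK rather than a bare SYN, i.e. it is mid-stream traffic for which pf holds no state because the reply half of the conversation goes from the Loco straight to the 192.168.1.x host and never crosses pfSense. The script below is an added example for this thread, not pfSense code or anything the posters ran. It parses a route table and block-log lines in the same layout as the posts (the ROUTES and BLOCK_LOG strings are constructed here, and the last two log lines are invented contrast cases), does a longest-prefix lookup for both endpoints of each blocked packet, and labels the hit "asymmetric" when a non-SYN packet's source and destination networks are reached through the same interface. The "policy-deny" and "out-of-state" verdicts are my own labels for the two other cases a practitioner would want to separate out.

```python
"""Classify pfSense "Default deny" log hits to spot asymmetric routing.

Added example for this thread, not pfSense code. Inputs are constructed in
the format of the route table and log lines pasted above.
"""
import ipaddress
import re
from collections import Counter

# Constructed from the pfSense route table in the thread: destination, gateway, netif.
ROUTES = """\
default          68.178.124.1   vr2
10.5.5.0/24      link#2         vr1
68.178.124.0/24  link#3         vr2
192.168.1.0/24   link#1         vr0
192.168.2.0/24   10.5.5.1       vr1
192.168.11.0/24  192.168.1.251  vr0
"""

# Constructed log lines in the thread's format; the last two are made-up contrast cases.
BLOCK_LOG = """\
Feb 29 13:36:47 LAN 192.168.1.173:62354 192.168.11.197:3389 TCP:A
Feb 29 13:36:49 LAN 192.168.1.173:62354 192.168.11.197:3389 TCP:A
Feb 29 13:36:51 LAN 192.168.1.173:62354 192.168.11.197:3389
Mar 1 06:18:50 LAN 192.168.1.53:515 192.168.11.250:731 TCP:SA
Mar 1 07:00:00 LAN 192.168.1.20:51000 10.5.5.9:22 TCP:S
Mar 1 07:00:05 LAN 192.168.1.20:51001 192.168.2.40:445 TCP:A
"""

# timestamp, interface, src:port, dst:port, optional PROTO:FLAGS (the third line above has none)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?)?\s*$"
)


def parse_routes(text):
    """Return routes sorted longest-prefix-first as (network, gateway, netif)."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, gw, netif = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, gw, netif))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def lookup(routes, ip):
    """Longest-prefix match; returns (network, gateway, netif) or None."""
    addr = ipaddress.ip_address(ip)
    for route in routes:
        if addr in route[0]:
            return route
    return None


def parse_log(text):
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def classify(routes, entry):
    """Explain why a blocked packet most likely hit the default deny rule."""
    proto, flags = entry["proto"], entry["flags"]
    if proto != "TCP" or not flags:
        return "unknown"            # no flags logged; cannot tell new from mid-stream
    if flags == "S":
        return "policy-deny"        # a genuine new connection that the rule set refused
    # Any other combination (A, SA, PA, FA, R) is mid-stream: pf found no state for it.
    src_route = lookup(routes, entry["src"])
    dst_route = lookup(routes, entry["dst"])
    if src_route and dst_route and src_route[2] == dst_route[2]:
        # Both endpoints are reached through one interface, so the next hop for the
        # destination shares a segment with the source and replies never pass pfSense.
        return "asymmetric"
    return "out-of-state"           # mid-stream on a two-interface path; check state timeouts


def analyze(routes_text, log_text):
    routes = parse_routes(routes_text)
    return [dict(e, verdict=classify(routes, e)) for e in parse_log(log_text)]


def summarize(results):
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    results = analyze(ROUTES, BLOCK_LOG)
    for r in results:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"{r['proto'] or '?'}:{r['flags'] or '?'}  {r['verdict']}")
    print(dict(summarize(results)))
```

Run against the thread's own lines, every RDP and LPD (port 515) hit comes out "asymmetric", which is exactly the case the "Bypass firewall rules for traffic on the same interface" setting exists for; a bare-SYN block to a network on another interface comes out "policy-deny" and is a real rule problem instead. Note the bypass also means pfSense stops enforcing any rules between those two subnets, so if LAN 1 to LAN 2 filtering matters, the fix is to put LAN 2 on its own pfSense interface rather than behind a router on LAN 1.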

