PfSense firewall blocking random web packets, large HTTP downloads just 'stop'

  • I've just set up a pfSense router, and am trying to figure out some strange behaviour. It's a fairly simple setup: I have a static IP from the ISP and a single PPPoE WAN interface and a single LAN interface. I've allowed DNS everywhere through the firewall, and browsing the internet generally works. I'm using pfSense 2.1-BETA1 (i386) from March 19th.

    Issues (these may be related):

    1. Large HTTP downloads will just 'stop' at some point, and never complete. I'm trying to download an ISO at the moment, and it has just given up at about 103MB out of 650MB. Despite multiple retries, 'large' downloads (things like ISOs etc) never complete.

    2. I'm seeing some strange things in the firewall logs about blocking outbound traffic on port 443:

    log entry:

    Mar 22 18:25:22 pf: 00:00:00.818527 rule 4/0(match): block out on pppoe0: (tos 0x0, ttl 63, id 3535, offset 0, flags [DF], proto TCP (6), length 893)
        Mar 22 18:25:22 pf:    <publicip>.44395 > Flags [FP.], seq 2278533959:2278534812, ack 270462703, win 262, length 853

    Mar 22 18:32:10 pf: 00:00:22.972286 rule 3/0(match): block in on pppoe0: (tos 0x0, ttl 57, id 39991, offset 0, flags [DF], proto TCP (6), length 84)
        Mar 22 18:32:10 pf: > <publicip>.3684: Flags [FP.], cksum 0x8cdd (correct), seq 1848167695:1848167739, ack 810363008, win 501, length 44

    The first appears to be a packet from me to a Google IP address bound for port 443. The second appears to be a packet from the same IP, perhaps a response to a request. Why would this be blocked? In a typical NAT scenario, I would expect outbound packets to be permitted and established/related traffic to be permitted back in.
    If this type of traffic is blocked, why can I otherwise browse the web? Why isn't it broken everywhere?
    (I started to suspect this may be an MTU problem, so I made sure that the MTU was set at 1492 everywhere on the WAN side: on the ISP end, on the Modem (Draytek Vigor 120) and in the PPPoE WAN section of pfSense. Same thing still happens).
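Reading the two log entries the way the pfSense doc on "blocked" entries for legitimate connections does, as an added example that is not code from the thread or from pfSense: both blocked packets carry FIN, PSH and ACK (tcpdump's `[FP.]`) and no SYN, so they are the tail end of connections whose state pf had already torn down, and with no state left to match them the block rule logs them. The parser below handles pf's two-line log format and `classify` separates such stragglers from a blocked SYN, which would mean a rule is actually refusing a connection. The sample log is constructed from the quoted entries; the `<publicip>` placeholder is kept and `203.0.113.10` (a documentation address) stands in for the remote host the post left out.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two entries quoted in the post, with the poster's
# <publicip> placeholder kept and 203.0.113.10 standing in for the elided peer.
SAMPLE_LOG = """\
Mar 22 18:25:22 pf: 00:00:00.818527 rule 4/0(match): block out on pppoe0: (tos 0x0, ttl 63, id 3535, offset 0, flags [DF], proto TCP (6), length 893)
Mar 22 18:25:22 pf:    <publicip>.44395 > 203.0.113.10.443: Flags [FP.], seq 2278533959:2278534812, ack 270462703, win 262, length 853
Mar 22 18:32:10 pf: 00:00:22.972286 rule 3/0(match): block in on pppoe0: (tos 0x0, ttl 57, id 39991, offset 0, flags [DF], proto TCP (6), length 84)
Mar 22 18:32:10 pf:    203.0.113.10.443 > <publicip>.3684: Flags [FP.], cksum 0x8cdd (correct), seq 1848167695:1848167739, ack 810363008, win 501, length 44
"""

# First line of an entry: rule number, action, direction, interface, protocol, IP length.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) pf: \S+ rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\), length (?P<ip_len>\d+)\)"
)
# Second line: endpoints, TCP flags and payload length in tcpdump notation.
DETAIL_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ pf: +(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)


@dataclass
class PfBlock:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    ip_len: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # tcpdump letters: S=SYN F=FIN R=RST P=PSH .=ACK
    payload_len: int


def parse_pf_log(text: str) -> List[PfBlock]:
    """Pair each header line with the detail line that follows it."""
    entries: List[PfBlock] = []
    pending = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            pending = h
            continue
        d = DETAIL_RE.match(line)
        if d and pending:
            entries.append(PfBlock(
                ts=pending["ts"], rule=int(pending["rule"]), action=pending["action"],
                direction=pending["dir"], iface=pending["iface"], proto=pending["proto"],
                ip_len=int(pending["ip_len"]),
                src=d["src"], sport=int(d["sport"]), dst=d["dst"], dport=int(d["dport"]),
                flags=d["flags"], payload_len=int(d["len"]),
            ))
            pending = None
    return entries


def classify(pkt: PfBlock) -> str:
    """Say whether a block entry points at a rule problem or at a closed state."""
    if pkt.action != "block":
        return "pass"
    if pkt.proto != "TCP":
        return "non-tcp: evaluate against the ruleset"
    if "S" in pkt.flags:
        return "syn: handshake segment refused, a rule or missing state is in play"
    if "F" in pkt.flags or "R" in pkt.flags:
        return "straggler: FIN/RST for a state pf already closed, harmless"
    return "out-of-state: data/ACK without a state, check asymmetric routing or timeouts"


def report(text: str) -> List[str]:
    """One line per entry: direction, endpoints, flags and verdict."""
    return [
        f"{p.direction:3} {p.src}:{p.sport} > {p.dst}:{p.dport} [{p.flags}] len={p.payload_len} -> {classify(p)}"
        for p in parse_pf_log(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

A blocked `[S]` with a destination port you expect to reach is the entry worth investigating; `[FP.]`, `[F.]` or `[R.]` blocks on an otherwise working link are the teardown noise the reply below refers to.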

  • Those logs have nothing to do with the problem; see the doc page "blocked" for traffic from a legitimate connection, why?

    The symptom indeed sounds like an MTU issue, lower/set the MSS clamping on WAN (MTU doesn't really matter there).

  • Ah, thanks for the link on that. I'll stop being concerned about the logs  :)

    The MSS wasn't set before; I've set it now to 1492 (same as MTU) to see if it will help things. I need to read up more on what MSS does and how it might be helping/hindering.
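The MSS clamping the reply recommends, worked through as an added example that is not code from the thread or from pfSense: with 20 bytes of IPv4 header and 20 of TCP header, a 1492-byte PPPoE MTU leaves 1452 bytes of TCP payload. A remote server that negotiated 1460 in the handshake sends full 1500-byte segments with DF set; those cannot cross the PPPoE link, and if the ICMP "fragmentation needed" reply never reaches the server the transfer stalls part-way, which matches the first post's symptom. Clamping rewrites the MSS option in the SYN so the peer never sends oversized segments. pfSense's help text for the interface MSS field says it clamps to the entered value minus 40, so the 1492 entered in the last post corresponds to a 1452 clamp; `mss_for_mtu` models that subtraction. The SYN option bytes and the 1452 limit are constructed for the example.

```python
from typing import Iterator, Optional, Tuple

IPV4_HEADER = 20   # bytes, no IP options
TCP_HEADER = 20    # bytes, no TCP options
MSS_KIND = 2       # TCP option kind for Maximum Segment Size (RFC 793)

# Constructed SYN options as a typical Linux client sends them:
# MSS 1460, SACK permitted, timestamps, NOP, window scale 7.
SYN_OPTIONS = bytes.fromhex(
    "020405b4"              # kind 2, len 4, MSS 1460
    "0402"                  # kind 4, len 2, SACK permitted
    "080a0000000100000000"  # kind 8, len 10, timestamps
    "01"                    # NOP
    "030307"                # kind 3, len 3, window scale 7
)


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one packet of this MTU; pfSense's MSS
    field applies the same 'minus 40' to the value typed into it."""
    return mtu - IPV4_HEADER - TCP_HEADER


def segment_fate(payload_len: int, link_mtu: int, df: bool = True) -> str:
    """What a router does with a segment of this payload size on this link.
    'dropped-df' is the case that stalls a download when the ICMP
    fragmentation-needed message does not get back to the sender."""
    size = payload_len + IPV4_HEADER + TCP_HEADER
    if size <= link_mtu:
        return "forwarded"
    return "dropped-df" if df else "fragmented"


def iter_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, raw_bytes) for each TCP option, validating lengths."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            yield kind, options[i:]
            return
        if kind == 1:                       # NOP padding, single byte
            yield kind, options[i:i + 1]
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        yield kind, options[i:i + length]
        i += length


def advertised_mss(options: bytes) -> Optional[int]:
    """MSS value carried in the SYN, or None if the option is absent."""
    for kind, body in iter_options(options):
        if kind == MSS_KIND and len(body) == 4:
            return int.from_bytes(body[2:], "big")
    return None


def rewrite_mss_option(options: bytes, max_mss: int) -> bytes:
    """MSS clamping: lower an MSS option that exceeds max_mss, leave the rest intact.
    Only the SYN carries this option, so the rewrite happens once per connection."""
    out = bytearray()
    for kind, body in iter_options(options):
        if kind == MSS_KIND and len(body) == 4:
            if int.from_bytes(body[2:], "big") > max_mss:
                body = bytes([MSS_KIND, 4]) + max_mss.to_bytes(2, "big")
        out += body
    return bytes(out)


if __name__ == "__main__":
    limit = mss_for_mtu(1492)
    print("MSS limit for PPPoE MTU 1492:", limit)
    print("1460-byte segment on the link:", segment_fate(1460, 1492))
    print("after clamping, peer sees MSS:", advertised_mss(rewrite_mss_option(SYN_OPTIONS, limit)))
```

Because the clamp only touches SYNs, connections opened before the setting was applied keep their old MSS; a stalled download from before the change is not evidence the clamp failed.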

