pfSense blocking internal LAN interface traffic



  • Hi guys,

    I have a pfSense 2.0.2-RELEASE (amd64) on an Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz and 4 GB of RAM.

    ----------------------------------------------------------------------------------
    MODEM[192.168.168.1]<-->[192.168.168.2]pfSense(LAN)<-->[xx.xx.xx.xx/27]
    ----------------------------------------------------------------------------------

    It has two interfaces:

    1-WAN
    2-LAN

    The WAN interface has an IP of 192.168.168.2 to connect to the modem, the modem has 192.168.168.1, and the internet connection is OK.
    The LAN interface has a network with a public IP block, subnet /27, and pfSense is the gateway of this /27 network.

    The problem is, it blocks inbound traffic. My /27 network sometimes drops traffic, and this is really silly. For example, one of the PCs in this network can reach the internet without any problem, but I cannot connect to the Cisco switch in this network. Indeed, my connection to the Cisco (telnet) is being dropped.

    In the LAN rules there is a rule: "pass source xxx.xxx.xxx.xxx/27 (my public IP network) to any destination with any protocol".

    Any help appreciated.


  • Netgate Administrator

    Hmm. Slightly unusual setup you have there with a private IP on the WAN side and public IPs on the LAN side.
    Your modem presumably has a public IP on its ISP-facing interface; is it in the same block as your LAN?

    When you telnet from a client to your switch, both of which are on your LAN, the traffic does not go through the pfSense box at all, so it cannot be blocked. If you can't do that, it's a routing issue. I would guess that one or more devices has the wrong subnet mask set.

    Steve



  • @stephenw10:

    Hmm. Slightly unusual setup you have there with a private IP on the WAN side and public IPs on the LAN side.
    Your modem presumably has a public IP on its ISP-facing interface; is it in the same block as your LAN?

    When you telnet from a client to your switch, both of which are on your LAN, the traffic does not go through the pfSense box at all, so it cannot be blocked. If you can't do that, it's a routing issue. I would guess that one or more devices has the wrong subnet mask set.

    Steve

    Yes, the modem has its public IP on the ISP-facing interface.

    And yes, you are right, but let me show you my firewall logs:

    block
    Mar 29 11:43:31 LAN 7xx.xxx.xxx.xxx:23922 7xx.xxx.xxx.xxx:23 TCP:R
    block
    Mar 29 11:43:12 LAN 7xx.xxx.xxx.xxx:23922 7xx.xxx.xxx.xxx:23 TCP:R
    block
    Mar 29 11:42:52 LAN 7xx.xxx.xxx.xxx:23922 7xx.xxx.xxx.xxx:23 TCP:R
    block
    Mar 29 11:42:33 LAN 7xx.xxx.xxx.xxx:23922 7xx.xxx.xxx.xxx:23 TCP:R
    block
    Mar 29 11:42:13 LAN 7xx.xxx.xxx.xxx:23922 7xx.xxx.xxx.xxx:23 TCP:R


  • Netgate Administrator

    The fact that that traffic is reaching the pfSense box shows that something is set up incorrectly, probably the client machine. If it has its subnet mask set wrong, it might send packets that should go directly to the switch instead to its configured gateway, probably the pfSense LAN interface. Then pfSense has a problem because it can't route in and out of the same interface. I'm not sure which firewall you are seeing there; could be an internal rule to prevent this sort of thing happening.

    Steve

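An added example, not from the thread or from pfSense itself, that applies Steve's reasoning to a pasted log: it parses entries in the pfSense 2.0-style display format shown above and flags blocked packets whose source and destination both fall inside the LAN's /27, since host-to-host traffic on one LAN should never have reached the firewall at all. The sample entries and the 198.51.100.32/27 block are constructed placeholders standing in for the thread's masked addresses.

```python
import ipaddress
import re

# Display format of the pfSense 2.0.x firewall log as pasted in the thread:
# "<Mon> <DD> <HH:MM:SS> <iface> <src>:<sport> <dst>:<dport> <proto>[:<flags>]",
# each entry preceded by its action ("block" or "pass") on its own line.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)(?::(?P<flags>\S+))?$"
)

def parse_log(text):
    """Yield (action, fields) pairs from the pasted log text."""
    action = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("block", "pass"):
            action = line
            continue
        m = LOG_LINE.match(line)
        if m and action:
            yield action, m.groupdict()

def hairpin_blocks(text, lan_net):
    """Return blocked entries whose src and dst both sit inside the LAN subnet.
    Such packets point to a wrong subnet mask (or route) on the sending host."""
    net = ipaddress.ip_network(lan_net)
    hits = []
    for action, f in parse_log(text):
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if action == "block" and src in net and dst in net:
            hits.append((f["src"], f["dst"], f["dport"], f["flags"]))
    return hits

# Constructed sample using TEST-NET addresses in place of the thread's masked
# block: a LAN host retrying telnet (23) to a switch in the same /27, plus one
# ordinary outbound connection that legitimately transits the gateway.
SAMPLE = """\
block
Mar 29 11:43:31 LAN 198.51.100.40:23922 198.51.100.35:23 TCP:R
block
Mar 29 11:43:12 LAN 198.51.100.40:23922 198.51.100.35:23         TCP:R
block
Mar 29 11:42:52 LAN 198.51.100.40:45000 203.0.113.9:443 TCP:S
"""

if __name__ == "__main__":
    for src, dst, port, flags in hairpin_blocks(SAMPLE, "198.51.100.32/27"):
        print(f"{src} -> {dst}:{port} ({flags}) should not have reached the firewall")
```

Entries it reports are the ones to chase on the sending host (check its mask and default route), as the OP eventually did by re-addressing the PC.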


  • @stephenw10:

    The fact that that traffic is reaching the pfSense box shows that something is set up incorrectly, probably the client machine. If it has its subnet mask set wrong, it might send packets that should go directly to the switch instead to its configured gateway, probably the pfSense LAN interface. Then pfSense has a problem because it can't route in and out of the same interface. I'm not sure which firewall you are seeing there; could be an internal rule to prevent this sort of thing happening.

    Steve

    I restarted the problematic PC and changed the IP; now it is working.


Locked