NetFlix/AmazonAWS blocked by "Default deny rule"



  • First off, I love pfSense.  Switched from FreeSCO to pfSense back in 2006.

    For whatever reason, NetFlix/AmazonAWS are tripping over the "Default deny rule".  I am seeing lots of entries like this in the firewall log:

     block 	Jun 26 03:08:15 	LAN 	10.0.0.181:54512  	54.244.243.130:443		TCP:RA
     block 	Jun 26 03:08:06 	LAN 	10.0.0.181:54512  	54.244.243.130:443		TCP:FPA
     block 	Jun 26 02:13:46 	LAN 	10.0.0.46:55723   	54.245.249.205:443		TCP:R
     block 	Jun 26 02:13:46 	LAN 	10.0.0.46:55723   	54.245.249.205:443		TCP:PA
     block 	Jun 26 01:51:06 	LAN 	10.0.0.46:55701   	50.112.111.223:443		TCP:R
     block 	Jun 26 01:51:06 	LAN 	10.0.0.46:55701   	50.112.111.223:443		TCP:PA
    

    And here is the reason message:
    @stuff:

    The rule that triggered this action is:
    @1 scrub on re0 all random-id fragment reassemble
    @1 block drop in log all label "Default deny rule"

    10.0.0.181 = iPad w/ NetFlix app
    10.0.0.46  = Win7 w/Browser

    I created an alias for the NetFlix/AmazonAWS subnets, but it only seems to make a (slight) difference if I enable logging on the rule.  Even then, NetFlix still doesn't load right or consistently:

     pass 	Jun 26 02:52:27 	LAN 	10.0.0.46:54167 	54.245.88.62:443	TCP:S
     pass 	Jun 26 02:52:24 	LAN 	10.0.0.46:54166 	54.214.36.192:443	TCP:S
    

    NetFlix/AmazonAWS subnets:

    50.112.0.0/16
    54.208.0.0/13
    54.216.0.0/14
    54.220.0.0/15
    54.240.0.0/12
    108.175.32.0/20

    Allowing all outbound LAN traffic to 80/443 made no difference.
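A triage script for log lines like those above, added here as an example and not code from the posts or from pfSense: it parses the filter-log fields, checks each destination against the alias subnets listed in the post, and separates blocked SYNs (a connection genuinely refused) from blocked packets without the S flag, which pf logs when a packet arrives after its state has already been closed. The sample log lines are constructed from the post's own entries.

```python
import ipaddress
import re
# The NetFlix/AmazonAWS alias subnets listed in the post.
ALIAS_SUBNETS = [ipaddress.ip_network(n) for n in (
    "50.112.0.0/16", "54.208.0.0/13", "54.216.0.0/14",
    "54.220.0.0/15", "54.240.0.0/12", "108.175.32.0/20")]
# Constructed sample, copied from the filter-log lines quoted in the post.
SAMPLE_LOG = """\
block\tJun 26 03:08:15\tLAN\t10.0.0.181:54512\t54.244.243.130:443\tTCP:RA
block\tJun 26 03:08:06\tLAN\t10.0.0.181:54512\t54.244.243.130:443\tTCP:FPA
block\tJun 26 02:13:46\tLAN\t10.0.0.46:55723\t54.245.249.205:443\tTCP:R
block\tJun 26 02:13:46\tLAN\t10.0.0.46:55723\t54.245.249.205:443\tTCP:PA
block\tJun 26 01:51:06\tLAN\t10.0.0.46:55701\t50.112.111.223:443\tTCP:R
pass\tJun 26 02:52:27\tLAN\t10.0.0.46:54167\t54.245.88.62:443\tTCP:S
"""

# Fields: action, timestamp, interface, src:port, dst:port, proto[:flags]
LINE_RE = re.compile(
    r"^\s*(?P<action>block|pass)\s+(?P<time>\w{3} +\d+ [\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$")

def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def in_alias(ip):
    """True if ip falls inside one of the alias subnets."""
    return any(ipaddress.ip_address(ip) in net for net in ALIAS_SUBNETS)

def classify(entry):
    """pf keys TCP state on the SYN: a blocked packet without S never matched
    a state (straggler after close); a blocked SYN is a genuine refusal."""
    if entry["action"] == "pass":
        return "passed"
    if entry["proto"] == "TCP" and "S" not in (entry["flags"] or ""):
        return "out-of-state"
    return "blocked-new"

def triage(log_text):
    """Parse every line, tag alias membership and attach a verdict."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry["dst_in_alias"] = in_alias(entry["dst"])
            entry["verdict"] = classify(entry)
            entries.append(entry)
    return entries
```

Run against the real filter log, a run of "out-of-state" verdicts on alias destinations is noise from closed sessions, while any "blocked-new" verdict is the entry worth matching against the alias rule.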


  • I have similar problems here with Amazon S3 (uploading backups).

    I use Duplicati backup (a very good Open Source backup program like Duplicity, with a simple GUI and TNO encryption).

    With "plain" pfsense installation it works great: no problem for uploading or downloading from my S3 buckets.

    Problems arise when I use pfsense as OpenVPN client to a VPN provider like StrongVPN or AirVPN: with very "relaxed" firewall rules I get a bunch of "blocked" by default deny rule for IPv4, no matter what's allowed to all the interfaces  :(
