NetFlix/AmazonAWS blocked by "Default deny rule"
-
First off, I love pfSense. Switched from FreeSCO to pfSense back in 2006.
For whatever reason, NetFlix/AmazonAWS are tripping over the "Default deny rule". I am seeing lots of entries like this in the firewall log:
block Jun 26 03:08:15 LAN 10.0.0.181:54512 54.244.243.130:443 TCP:RA
block Jun 26 03:08:06 LAN 10.0.0.181:54512 54.244.243.130:443 TCP:FPA
block Jun 26 02:13:46 LAN 10.0.0.46:55723 54.245.249.205:443 TCP:R
block Jun 26 02:13:46 LAN 10.0.0.46:55723 54.245.249.205:443 TCP:PA
block Jun 26 01:51:06 LAN 10.0.0.46:55701 50.112.111.223:443 TCP:R
block Jun 26 01:51:06 LAN 10.0.0.46:55701 50.112.111.223:443 TCP:PA
And here is the reason message:
@stuff: The rule that triggered this action is:
@1 scrub on re0 all random-id fragment reassemble
@1 block drop in log all label "Default deny rule"

10.0.0.181 = iPad w/ NetFlix app
10.0.0.46 = Win7 w/ Browser

I created an alias for the NetFlix/AmazonAWS subnets, but it only seems to make a (slight) difference if I enable logging on the rule. Even then, NetFlix still doesn't load right or consistently:
pass Jun 26 02:52:27 LAN 10.0.0.46:54167 54.245.88.62:443 TCP:S
pass Jun 26 02:52:24 LAN 10.0.0.46:54166 54.214.36.192:443 TCP:S
NetFlix/AmazonAWS subnets:
50.112.0.0/16
54.208.0.0/13
54.216.0.0/14
54.220.0.0/15
54.240.0.0/12
108.175.32.0/20

Allowing all outbound LAN traffic to 80/443 made no difference.
-
Perhaps this applies to your case:
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
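The linked doc describes blocked entries that belong to an existing connection: packets that arrive after the firewall's state entry for the flow has been closed or expired, so they match no state and fall through to the default deny. In the pfSense log view those packets carry TCP flags without SYN (RA, FPA, R, PA), whereas a genuine new connection being denied shows as a bare TCP:S. The script below is an added example, not code from pfSense or from anyone in this thread; it parses the firewall-log lines quoted in the first post (embedded as constructed sample input in the same format) and separates out-of-state tail packets from SYNs that a rule actually rejected. The regex is an assumption about the log-view format shown above, not a parser for the raw filterlog syslog format.

```python
import re
from collections import defaultdict

# Constructed sample: the firewall-log lines quoted in the first post, one entry per line.
SAMPLE_LOG = """\
block Jun 26 03:08:15 LAN 10.0.0.181:54512 54.244.243.130:443 TCP:RA
block Jun 26 03:08:06 LAN 10.0.0.181:54512 54.244.243.130:443 TCP:FPA
block Jun 26 02:13:46 LAN 10.0.0.46:55723 54.245.249.205:443 TCP:R
block Jun 26 02:13:46 LAN 10.0.0.46:55723 54.245.249.205:443 TCP:PA
block Jun 26 01:51:06 LAN 10.0.0.46:55701 50.112.111.223:443 TCP:R
block Jun 26 01:51:06 LAN 10.0.0.46:55701 50.112.111.223:443 TCP:PA
pass Jun 26 02:52:27 LAN 10.0.0.46:54167 54.245.88.62:443 TCP:S
pass Jun 26 02:52:24 LAN 10.0.0.46:54166 54.214.36.192:443 TCP:S
"""

# Assumed layout of one log-view line: action, timestamp, interface, src:port, dst:port, proto[:flags]
LINE_RE = re.compile(
    r"^(?P<action>block|pass)\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP|ICMP)(?::(?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"] or ""
    return entry


def classify(entry):
    """Label a parsed entry.

    'new-connection': a blocked bare SYN, i.e. a rule really rejected a new flow.
    'out-of-state':   a blocked TCP packet without SYN (ACK/PSH/FIN/RST); it belongs to
                      a flow whose state entry is gone, so it can never match a pass rule.
    'no-flags':       blocked UDP/ICMP, which cannot be judged from flags alone.
    'pass':           not a block at all.
    """
    if entry["action"] != "block":
        return "pass"
    if entry["proto"] != "TCP":
        return "no-flags"
    if set(entry["flags"]) == {"S"}:
        return "new-connection"
    return "out-of-state"


def triage(log_text):
    """Count entries per class and group them by 5-tuple so a flow's history reads in order."""
    counts = defaultdict(int)
    flows = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip headers or lines in another format
        kind = classify(entry)
        counts[kind] += 1
        key = (entry["src"], entry["sport"], entry["dst"], entry["dport"])
        flows[key].append((entry["ts"], entry["action"], entry["flags"], kind))
    return dict(counts), dict(flows)


if __name__ == "__main__":
    counts, flows = triage(SAMPLE_LOG)
    print("summary:", counts)
    for key, events in flows.items():
        print("%s:%s -> %s:%s" % key)
        for ts, action, flags, kind in sorted(events):
            print("   ", ts, action, flags or "-", kind)
```

Run against the quoted lines it reports every block as out-of-state and no blocked SYN at all, which is what the linked doc describes: the blocks are not a pass-rule failure to fix with broader aliases or port rules. A blocked bare TCP:S entry is the one that would point at a missing or misordered rule.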
-
I have similar problems here with Amazon S3 (uploading backups).
I use Duplicati backup (a very good Open Source backup program like Duplicity, with a simple GUI and TNO encryption).
With "plain" pfsense installation it works great: no problem for uploading or downloading from my S3 buckets.
Problems arise when I use pfsense as an OpenVPN client to a VPN provider like StrongVPN or AirVPN: with very "relaxed" firewall rules I get a bunch of "blocked" by default deny rule for IPv4, no matter what's allowed on all the interfaces :(