Packet filter is bloking ports even though I have a rule to allow anything

  • Hi,

    I just installed a new internal data link between 2 companies.

    I put a the route and create a firewall rule to allow traffic from one net to the other.
    All the communication is working fine but I´m having troubles with a mysql database.

    In the firewall system logs I see a blocking rule  that doesnt allow my server to communicate with any computer in the other local network.
    The blocking message says:
    The rule that triggered this action is:

    Act     Time   If Source Destination Proto
    block  Feb 12 19:32:13 LAN TCP:SA

    @5 block drop in log inet all label "Default deny rule IPv4"

    And the proto says TCP:SA or TCP:SR

    The rule I put to allow the traffic is:

    ID Proto Source Port Destination Port Gateway Queue Schedule

    IPv4 * LAN net * * *         none
    IPv4 * * LAN net * *         none

    Please, some help here. I cannot connect my databse with my users.
    The strange thing is that other services such as terminal server works fine.


  • On what interface are those rules set? Is your MySQL server? Why is the port 3306 showing as the source port then?

  • Maybe it is a reply to the initial SYN packet from a client starting a connection.
    Does the network topology make the client->server path go through pfSense?
    or does the "new internal data link between 2 companies" go through some other router/s?
    If the initial client connection SYN packet does not go through pfSense then it will not have a state to match the reply from the server.

  • My connection is designed like this:

                        |                                                                                                  |
                    pfSense-A (                                                            pfSense-B (
                        |                                                                                                  |
                  (      (        (        (                                                    |

    The client computer is in LAN-A and the Mysql server is in LAN-B
    As you can see the routers have a local address and my internet provider does the connection between the LAN´s A and B.

    In LAN-A and LAN-B the gateway for all computers is pfSense of each network.

    In both LAN´s I configure a route to reach the other LAN and its working fine with other apps. I created a new gateway in each LAN (192.168.X.2) that is the router.

    In both LAN´s I configure firewall rules to allow traffic from each side in and out. These rules are configured in the LAN interface.

    But when I tried to connect with my database I cannot establish connection and got all these block messages in the firewall system logs. is the Mysql server and I noticed that the source port is 3306 and I thought this is not right.

    Any comments or ideas please?

  • LAYER 8 Global Moderator

    Its source because its the answer to your Syn from your source port of 59581

    See the flags, TCP:SA

    What is the point of router A and router B in this network?  If your traffic is flowing over the internet?

    Where did you create these routes?
    In both LAN´s I configure a route to reach the other LAN and its working fine with other apps. I created a new gateway in each LAN (192.168.X.2) that is the router.

    I would guess you have an asynchronous routing issue..  And your pfsense blocked the SA traffic, because it didn't see the SYN from your client to the mysql server to create the state only the return traffic that took a different path.

    I would assume if traffic goes out your internet connection it gets natted?  That setup seems pointless to me without more detail.. Why not just have pfsense with both lan interfaces A and B?  Why router A and router B?

  • The problem you are seeing is because the initial packet from clientA to serverB is delivered from routerB directly to serverB. So pfSenseB never saw it. But serverB has pfSenseB as its default gateway, thus its response is sent to pfSenseB. pfSenseB does not have any state established to match, and so it drops it.
    You can:
    a) Add a route on serverB telling it LAN A is reached through routerB; or
    b) On pfSenseB, System: Advanced: Firewall and NAT, enable "Bypass firewall rules for traffic on the same interface" - that should just make it pass those "unbalanced" packets.

    When the packet does get back to LAN A, routerA will deliver it directly to clientA. So pfSenseA will miss out on seeing it. The state that was started there will soon timeout and you will have a similar problem, which needs to be fixed by some corresponding version of (a) or (b).

    Personally, I would try to put other routes in/out of your network on other interfaces of pfSense A and B. Then the LAN clients/servers just have 1 gateway out of their network - pfSense. Then pfSense sees all traffic and can maintain states properly and filter as you need. Assuming you actually need routerA and routerB to do some special thing between the companies, connect routerA to pfSenseA OPT1, connect routerB to pfSenseB OPT1 and let all the routing happen through pfSense. Or even easier, if possible, get rid of routerA and routerB and just use the rouerA-routerB link hardware, but between pfSenseA and pfSenseB.

Log in to reply