Outbound traffic blocked in spite of allow rule. Why?

  • Hello all.

    I have a network that is VLAN'd out and have the rules set up that I want. Everything is getting proper IP addresses via DHCP on each interface and I have not had any complaints from users (yet) with accessing the internet. I have attached 2 files. One shows the rules for the Guest VLAN interface and the other shows a sample of the firewall log where traffic coming from hosts on Guest -> WAN is being blocked. Not all traffic from Guest to WAN is being blocked even though it is the same type of source to destination. If it were a rule problem, it would never work. This same behavior is observed on other private interfaces on outbound traffic to WAN, whether they are connecting via wireless or via a wire. I can't understand why, given the rules. All the VLANs are also set up on an Adtran 1238p managed L2 switch. Any ideas?


  • That looks like one of the discussed issues that some devices seem to cause. In a nutshell, the TCP state gets closed or never existed, but the client still attempts to send data or reset packets. The current guess is cell phones switch between 3G/4G, over to wifi, and instead of creating a new connection, just start blasting away packets as if the network didn't change.

    Both my wife's Galaxy 4 and 5 do this A LOT. pfSense isn't "blocking" outgoing connections, it's enforcing proper TCP. That's the current guess.
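    What the reply above describes, written out as an added illustration (not code from this thread or from pfSense): a toy stateful filter in which the pass rule is consulted only for connection-opening SYNs, so data or reset packets that arrive after the state is gone fall through to the default deny even though the "allow Guest -> WAN" rule exists. The interface name, addresses and packet sequence are constructed.

```python
from dataclasses import dataclass, field

SYN, ACK, RST, FIN = "S", "A", "R", "F"

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # pfSense-style TCP flag letters: "S", "A", "PA", "R", ...

@dataclass
class StatefulFilter:
    rules: list                     # (interface, action), checked only when no state matches
    states: set = field(default_factory=set)

    def _key(self, p):
        return (p.src, p.sport, p.dst, p.dport)

    def handle(self, p):
        key = self._key(p)
        if key in self.states:
            if RST in p.flags or FIN in p.flags:
                self.states.discard(key)  # teardown: state removed
            return "pass (state)"
        # No state exists. Only a connection-opening packet (SYN without ACK)
        # is matched against the rules and can create state; ACK/PSH/RST/FIN
        # arriving with no state never reach the pass rule and hit the default deny.
        if SYN in p.flags and ACK not in p.flags:
            for iface, action in self.rules:
                if iface == p.iface:
                    if action == "pass":
                        self.states.add(key)
                    return f"{action} (rule)"
        return "block (default deny, no state)"

    def expire(self, p):
        self.states.discard(self._key(p))  # idle timeout, or the client roamed away

def demo():
    fw = StatefulFilter(rules=[("GUEST", "pass")])
    phone = dict(iface="GUEST", src="10.20.0.15", sport=51234, dst="203.0.113.10", dport=443)  # constructed
    out = [fw.handle(Packet(flags="S", **phone)), fw.handle(Packet(flags="PA", **phone))]
    fw.expire(Packet(flags="", **phone))
    out.append(fw.handle(Packet(flags="PA", **phone)))  # data after the state is gone -> blocked
    out.append(fw.handle(Packet(flags="S", **phone)))   # a fresh SYN creates a new state
    return out
```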

  • Hmm... OK... Just curious... Can you provide the link to that topic thread?

    Much appreciated.

  • There are loads and loads of threads where this comes up - and it's in the docs.

  • This is common for any stateful firewall.

