Traffic being blocked regardless of rule



  • A client on the network regularly tries to access other machines inside the VPN and others outside of the network. pfSense is under the 192.168.20.0/24 subnet. The default "allow all from LAN net" rule which is above all other rules should allow any traffic from the LAN to any address. However, it doesn't seem to be working for the specific client mentioned earlier. Attached are some firewall logs and rules.

    I'm using pfSense 2.1.4-RELEASE.









  • I'm seeing the same behavior on the lan interface. (i'm running the latest v2.1.5-RELEASE)

    There is an auto-rule for lan traffic to permitted anywhere, but then I see entries in the firewall log where my android phone is blocked trying to talk google on 443.

    Anyone know why?






  • With stateful firewalls, you are always going to see the odd blocked packet even though your rules should allow it.  This is due to one side sending something when the other side thinks the conversation is over.  For example, if I send you a request to terminate and that packet gets dropped or lost, my side thinks the session is closed but your side thinks it's still open.  Your side sends another request for response.  My side thinks the session is over and considers your packet to be part of a new session and drops that packet because a new session can only start if I initiate it - not you.  That's a simplified version of what happens and that's what you see in the log.

    The question is, is there an issue with the client accessing the requested service?



  • client seems to access what it needs for the most part… there is occasional periods of non-responsiveness and clicking reload on pages, but it is wifi so i guess that's expected.

    Was just hoping for cleaner fw logs.



  • You shouldn't get a lot of those out-of-state packets.  I get some when remote users are accessing our Exchange server via OWA.


  • LAYER 8 Global Moderator

    You can turn off logging of default rule if you want clean logs ;)

    As KOM went over in any stateful firewall if you are out of state the traffic will be blocked - in your screenshot your not showing the state.. Scroll over and it wills how stuff like this - see attached.

    I see this all the time from his phone - not sure if it disconnects from the wifi and then reconnects, have not looked into details of it - because this common.  If packets hit the firewall that are out of state they will be blocked!

    I don't see this as noise, I see this is firewall logging what its suppose to be logging - blocked traffic.  If the "noise" is too much for you - maybe track down what is happening on the device generating the traffic to clear up this out of state traffic there.

    Now sure what device was doing or attempting to do - but it has something to do with google network.

    CIDR:          64.233.160.0/19
    NetName:        GOOGLE




  • @KOM:

    With stateful firewalls, you are always going to see the odd blocked packet even though your rules should allow it.  This is due to one side sending something when the other side thinks the conversation is over.  For example, if I send you a request to terminate and that packet gets dropped or lost, my side thinks the session is closed but your side thinks it's still open.  Your side sends another request for response.  My side thinks the session is over and considers your packet to be part of a new session and drops that packet because a new session can only start if I initiate it - not you.  That's a simplified version of what happens and that's what you see in the log.

    The question is, is there an issue with the client accessing the requested service?

    This seems likely considering the client is working fine otherwise. Thanks.


Log in to reply