Traffic blocked between subnets (Rule allowed)

  • Hello pfSense Gurus,

    I added a new gateway (Dell Layer-3 Switch).

    I added a route for my new subnet to route over this gateway.

    If I ping from <–> everything works. Many services work, e.g. SMB shares. But I can't connect to port 443 or 80 from to

    The firewall logs the entry:

    Destination TCP:SA

    There is already a "Default allow LAN to any" rule active and I added the easyrule. But the traffic is already blocked.

    I don't understand this behavior.

  • LAYER 8 Global Moderator

    That is not 443, that is 445, and that is SA on that packet, so it's out of state, so yes it would be blocked.

    So you have a hairpin setup???  See below

    Client on talks to pfsense on 192.168.100.?, then pfsense sends it to the switch. – black arrows

    There is no point in firewall rules on pfsense for this - since I could just point to on the host to get to -- the red arrows.. And you're going to have problems with return traffic in this sort of setup.. You have an asynchronous routing problem waiting to happen ;)

    But your example block does match what you're saying is happening; clearly it's more than just 443 and 80, since that is 445 (Microsoft-DS Active Directory, Windows shares) and it's out of state with the SA.

    TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR

    Since you're showing SA (syn,ack) on the flags, I would assume it's an answer from 100.30 back to 99.54 trying to start a conversation to 100.30, but it's out of state to pfsense since pfsense did not see the syn, because when your 99.54 box started the conversation it did not go through pfsense - see 2nd diagram..
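The out-of-state block the moderator describes can be reproduced with a toy stateful filter. This is an added illustration, not code from pfSense or from anyone in the thread: it expands the flag letters from the legend above and keeps a minimal state table that is only populated by SYNs the filter itself sees. The addresses 192.168.99.54 and 192.168.100.30 and the source port are assumptions built from the .99.54/.100.30 shorthand in the post; the packets are constructed, not captured.

```python
"""Toy stateful packet filter showing why a SYN-ACK with no matching SYN
is dropped as out-of-state even when a pass rule exists.
Constructed example; hosts and ports are assumptions, not real captures."""
from dataclasses import dataclass

# TCP flag letters exactly as listed in the pfSense log legend
FLAG_NAMES = {"F": "FIN", "S": "SYN", "A": "ACK", ".": "ACK", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}


def parse_flags(flags: str) -> set:
    """Expand a log flag string such as 'SA' into {'SYN', 'ACK'}."""
    unknown = set(flags) - set(FLAG_NAMES)
    if unknown:
        raise ValueError(f"unknown TCP flag letters: {sorted(unknown)}")
    return {FLAG_NAMES[c] for c in flags}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class StatefulFilter:
    """Minimal state table: a flow exists only if this filter saw its SYN.
    Any non-SYN packet must match an existing flow in either direction."""

    def __init__(self):
        self.states = set()   # 4-tuples (src, sport, dst, dport)
        self.log = []         # block entries in a log-like format

    @staticmethod
    def _key(p: Packet, reverse: bool = False):
        if reverse:
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def process(self, p: Packet, rule_allows: bool = True) -> str:
        flags = parse_flags(p.flags)
        if flags == {"SYN"}:
            # Only a bare SYN can create state, and only if a rule allows it
            if rule_allows:
                self.states.add(self._key(p))
                return "pass"
            return self._block(p, "rule")
        if self._key(p) in self.states or self._key(p, True) in self.states:
            return "pass"
        # No state in either direction: the rule set is never consulted
        return self._block(p, "out-of-state")

    def _block(self, p: Packet, reason: str) -> str:
        self.log.append(
            f"block {p.src}:{p.sport} -> {p.dst}:{p.dport} TCP:{p.flags} ({reason})")
        return "block"


CLIENT, SERVER, SPORT = "192.168.99.54", "192.168.100.30", 40000  # assumed


def symmetric_path():
    """Both directions cross the firewall: SYN creates state, SA matches it."""
    fw = StatefulFilter()
    syn = Packet(CLIENT, SPORT, SERVER, 445, "S")
    synack = Packet(SERVER, 445, CLIENT, SPORT, "SA")
    return fw.process(syn), fw.process(synack), fw.log


def asymmetric_path():
    """Client's SYN went straight to the L3 switch; only the reply reaches
    the firewall. The allow rule does not help because no state exists."""
    fw = StatefulFilter()
    synack = Packet(SERVER, 445, CLIENT, SPORT, "SA")
    return fw.process(synack, rule_allows=True), fw.log


if __name__ == "__main__":
    print("symmetric :", symmetric_path()[:2])
    print("asymmetric:", asymmetric_path())
```

The second scenario is the thread's situation: the only packet the filter sees is the SYN-ACK, so it is logged as a block with TCP:SA regardless of any pass rule. The fix is routing, not rules, which is why the moderator points at the asymmetric path rather than the rule set.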

  • Hi john, thanks for your great and very detailed answer. I will make new deployment plans :)

  • LAYER 8 Global Moderator

    If you have networks below pfsense - normally you would use a transient network to connect the other router to pfsense together so there is no client traffic on that transient

