Traffic blocked between subnets (Rule allowed)



  • Hello pfSense gurus,

    I added a new gateway 192.168.100.7 (Dell Layer-3 switch).

    I added a route for my new subnet 192.168.99.0/24 to route over this gateway.

    If I ping from 192.168.100.0/24 <–> 192.168.99.0/24 everything works. Many services work, e.g. SMB shares. But I can't connect to port 443 or 80 from 192.168.99.0 to 192.168.100.0.

    The firewall logs the entry:

    blocked
    source  192.168.100.30:445
    Destination 192.168.99.54:57944 TCP:SA

    There is already the "Default allow LAN to any" rule active and I added the easyrule. But the traffic is still blocked.

    I don't understand this behavior.


  • Rebel Alliance Global Moderator

    That is not 443, that is 445, and that is SA on that packet, so it's out of state, so yes, it would be blocked.

    So you have a hairpin setup??? See below.

    Client on 192.168.100.0/24 talks to pfSense on 192.168.100.?, then pfSense sends it to 192.168.100.7, the switch. – black arrows

    There is no point in firewall rules on pfSense for this, since I could just point to 192.168.100.7 on the host to get to 192.168.99.0/24 -- the red arrows. And you're going to have problems with return traffic in this sort of setup. You have an asynchronous routing problem waiting to happen ;)

    But your example block does match what you're saying is happening; clearly it's more than just 443 and 80, since that is 445 (Microsoft-DS, Active Directory, Windows shares) and it's out of state with the SA.

    TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR

    Since you're showing SA (SYN, ACK) in the flags, I would assume it's an answer from 100.30 back to 99.54, which is trying to start a conversation to 100.30, but it's out of state to pfSense since pfSense did not see the SYN, because when your 99.54 box started the conversation it did not go through pfSense - see 2nd diagram.
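    To illustrate the state-table behaviour described above, here is a small added example (not pfSense or pf code, and not from any poster): a toy stateful filter that creates state only on a SYN and drops any other segment it cannot match, fed first with a symmetric path and then with the hairpin path where only the SYN-ACK reaches the firewall. The packet class, the tracker and the sample traffic are constructed for this illustration; the addresses and ports are the ones from the logged block.

```python
"""Added illustration: why a stateful firewall drops a SYN-ACK whose SYN it never saw.
The Packet type, StatefulFirewall and the sample traffic are constructed for this
example; they are not pfSense or pf code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port"
    dst: str    # "ip:port"
    flags: str  # pfSense-style TCP flags, e.g. "S", "SA", "A"


class StatefulFirewall:
    """Minimal model of a stateful rule: only a SYN may create a state entry;
    every other segment must belong to an already tracked conversation."""

    def __init__(self):
        # Each state is the unordered endpoint pair, so it matches both directions.
        self.states = set()

    def filter(self, pkt: Packet) -> str:
        key = frozenset((pkt.src, pkt.dst))
        if pkt.flags == "S" and key not in self.states:
            self.states.add(key)  # new conversation seen from its first packet
            return "pass"
        if key in self.states:
            return "pass"  # reply or later segment of a tracked conversation
        # No state: this is what the thread's "TCP:SA ... blocked" log line is.
        return f"block {pkt.src} -> {pkt.dst} TCP:{pkt.flags} (out of state)"


def symmetric_path() -> list:
    """Both directions cross the firewall: the SYN creates state, the SYN-ACK matches it."""
    fw = StatefulFirewall()
    return [fw.filter(Packet("192.168.99.54:57944", "192.168.100.30:445", "S")),
            fw.filter(Packet("192.168.100.30:445", "192.168.99.54:57944", "SA"))]


def hairpin_path() -> list:
    """The client's SYN went straight to the layer-3 switch (the red arrows), so the
    firewall only ever sees the server's SYN-ACK and has no state for it."""
    fw = StatefulFirewall()
    return [fw.filter(Packet("192.168.100.30:445", "192.168.99.54:57944", "SA"))]


if __name__ == "__main__":
    print(symmetric_path())  # ['pass', 'pass']
    print(hairpin_path())    # ['block 192.168.100.30:445 -> 192.168.99.54:57944 TCP:SA (out of state)']
```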


  • Hi John, thanks for your great and very detailed answer. I will make new deployment plans :)


  • Rebel Alliance Global Moderator

    If you have networks below pfSense, normally you would use a transient network to connect the other router to pfSense, so there is no client traffic on that transient