Netgate Discussion Forum

Traffic blocked between subnets (Rule allowed)

Firewalling
4 Posts 2 Posters 1.1k Views

Guest
Hello pfSense gurus,

I added a new gateway 192.168.100.7 (Dell Layer-3 switch).

I added a route for my new subnet 192.168.99.0/24 to route over this gateway.

If I ping from 192.168.100.0/24 <-> 192.168.99.0/24 everything works. Many services work, e.g. SMB shares. But I can't connect to port 443 or 80 from 192.168.99.0 to 192.168.100.0.

The firewall logs the entry:

blocked
source 192.168.100.30:445
Destination 192.168.99.54:57944 TCP:SA

There is already a "Default allow LAN to any rule" active and I added the easyrule. But the traffic is still blocked.

I don't understand this behavior.

johnpoz LAYER 8 Global Moderator

That is not 443, that is 445, and that is SA on that packet, so it's out of state, so yes it would be blocked.

So you have a hairpin setup??? See below.

Client on 192.168.100.0/24 talks to pfSense on 192.168.100.?, then pfSense sends it to 192.168.100.7, the switch. -- black arrows

There is no point in firewall rules on pfSense for this - since I could just point to 192.168.100.7 on the host to get to 192.168.99.0/24 -- the red arrows. And you're going to have problems with return traffic in this sort of setup. You have an asynchronous routing problem waiting to happen ;)

But your example block does match what you're saying is happening; clearly it's more than just 443 and 80, since that is 445 (Microsoft-DS, Active Directory, Windows shares) and it's out of state with the SA.

TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR

Since you're showing SA (SYN, ACK) on the flags, I would assume it's an answer from 100.30 back to 99.54, which is trying to start a conversation to 100.30, but it's out of state to pfSense since pfSense did not see the SYN, because when your 99.54 box started the conversation it did not go through pfSense - see 2nd diagram.

[Image: hairpin.png]
[Image: synackproblem.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Guest

Hi John, thanks for your great and very detailed answer. I will make new deployment plans :)

johnpoz LAYER 8 Global Moderator

If you have networks below pfSense, normally you would use a transit network to connect the other router to pfSense, so there is no client traffic on that transit network.

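As an added illustration (not from the thread and not pfSense's own code), here is a toy stateful filter in Python that models the two layouts John describes: in the hairpin layout pfSense only ever sees the SYN-ACK, so the reply is logged as TCP:SA and dropped, while with a dedicated transit network both directions cross pfSense, the SYN creates state and the SYN-ACK passes. The state tracking is a deliberate simplification of pf (no sequence-number or window checks), and the packets are constructed from the addresses in the first post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # pf-style flag letters as in the log, e.g. "S", "SA", "A"

class StatefulFirewall:
    """Toy model of a pass rule on a stateful firewall: a SYN creates a state
    entry; any later packet must match an existing entry or it is logged and blocked."""
    def __init__(self):
        self.states = set()
        self.log = []

    def filter(self, pkt):
        # Direction-agnostic key so the reply matches the state the SYN created.
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if pkt.flags == "S":
            self.states.add(key)
            return "pass"
        if key in self.states:
            return "pass"
        self.log.append(f"blocked source {pkt.src}:{pkt.sport} "
                        f"Destination {pkt.dst}:{pkt.dport} TCP:{pkt.flags}")
        return "block"

# Constructed sample flow using the addresses from the thread: 99.54 opens
# an SMB connection (port 445) to 100.30.
SYN = Packet("192.168.99.54", 57944, "192.168.100.30", 445, "S")
SYN_ACK = Packet("192.168.100.30", 445, "192.168.99.54", 57944, "SA")

def hairpin_scenario():
    """Hairpin: 99.54 reaches 100.30 via the L3 switch (192.168.100.7) directly,
    while 100.30's default gateway is pfSense, so only the reply crosses pfSense."""
    fw = StatefulFirewall()
    # The SYN bypasses pfSense entirely; the first packet it sees is the SYN-ACK.
    verdict = fw.filter(SYN_ACK)
    return verdict, fw.log

def transit_scenario():
    """Transit network: the L3 switch hangs off a dedicated pfSense interface
    with no clients on it, so both directions of the flow traverse pfSense."""
    fw = StatefulFirewall()
    fw.filter(SYN)  # creates the state entry
    verdict = fw.filter(SYN_ACK)
    return verdict, fw.log
```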