    LAN Traffic Being Blocked

    Firewalling
    tmatthews14:

      Pretty simple setup for me.  A LAN port and a WAN port on my pfSense box.  I've got a LAN firewall rule set as:

      Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
      IPv4 *   LAN net   *     *            *     *        none             Default allow LAN to any rule ipv4
      IPv6 *   LAN net   *     *            *     *        none             Default allow LAN to any rule ipv6

      However, my firewall logs are flooded with a LAN address trying to access Google and being blocked:

      Action  Time             Interface  Source         Destination       Proto
      block   Oct 31 10:48:34  LAN        192.168.1.196  74.125.69.95:443  TCP:PA

      With a default allow any rule I shouldn't have anything outbound blocked, right?  Any help?

      KOM:

        Probably a stateful firewall artifact.  When you initiate a connection, pfSense automatically allows the return portion of the conversation.  When your end thinks the conversation is over, it will reject any replies from the destination end and log them.  That's most likely what you're seeing, although I usually see these with FIN,ACK (TCP:FA) packets.

        tmatthews14:

          @KOM:

          > Probably a stateful firewall artifact.  When you initiate a connection, pfSense automatically allows the return portion of the conversation.  When your end thinks the conversation is over, it will reject any replies from the destination end and log them.  That's most likely what you're seeing, although I usually see these with FIN,ACK (TCP:FA) packets.

          Interesting.  But if that were the case wouldn't the source and dest addresses be flipped?  The source address is a LAN address.

          KOM:

            Sorry, I missed that.  By default, there is already a Default allow LAN to any rule that allows full access from LAN to anywhere.  There is a hidden block rule just below the Allow LAN rule that catches anything not explicitly allowed by rules above it.  It usually doesn't get used much because the Allow rule allows everything.  Why did you change the default Allow LAN to Any rule?  If you change it back to what it was, does your issue resolve itself?

            Derelict (Netgate):

              That traffic will still be out-of-state because it's not a SYN packet - even with a pass any any any on LAN.

              It looks like for some reason that host tried to send traffic to a state that had been closed.  I wouldn't sweat it unless there's actually a perceptible problem.

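To make this kind of log noise easy to triage, here is an added example (not code from the thread or from pfSense) that parses log lines in the layout shown above and separates blocked TCP packets lacking a bare SYN (out-of-state leftovers, as Derelict describes) from blocked new-connection attempts, which are the ones worth a second look. The sample lines are constructed, and the column layout is assumed to match the thread's.

```python
import re
from collections import Counter

# Constructed sample in the layout the thread shows (action, time, interface,
# source, destination, proto:flags); not real log output.
SAMPLE_LOG = """\
block Oct 31 10:48:34 LAN 192.168.1.196 74.125.69.95:443 TCP:PA
block Oct 31 10:48:35 LAN 192.168.1.196 74.125.69.95:443 TCP:FA
block Oct 31 10:49:02 LAN 192.168.1.50 203.0.113.9:22 TCP:S
block Oct 31 10:49:10 LAN 192.168.1.50 203.0.113.9:22 TCP:S
block Oct 31 10:50:00 WAN 198.51.100.7 192.0.2.1:445 TCP:S
block Oct 31 10:50:03 WAN 198.51.100.7 192.0.2.1:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)(?::(?P<flags>\w+))?$"
)

def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"] or ""
    return entry

def classify(entry):
    """Label a blocked packet. A stateful pass rule creates state only on the
    initial SYN (SYN set, ACK clear), so a blocked TCP packet carrying ACK, FIN,
    PSH or RST without SYN belongs to a state that no longer exists: noise."""
    if entry["action"] != "block":
        return "passed"
    if entry["proto"] != "TCP":
        return "blocked-non-tcp"
    flags = entry["flags"]
    if "S" in flags and "A" not in flags:
        return "blocked-new-connection"
    return "out-of-state"

def triage(log_text):
    """Count blocked entries per (label, interface, source host)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[(classify(entry), entry["iface"], entry["src"])] += 1
    return counts
```

Run `triage(SAMPLE_LOG)` and anything labelled `blocked-new-connection` is a real policy hit; `out-of-state` entries from LAN hosts are the closed-state stragglers this thread is about.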