LAN Traffic Being Blocked



  • Pretty simple setup for me.  A LAN port and a WAN port on my pfsense box.  I've got a LAN Firewall Rule set as:

    Proto   Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 *  LAN net  *     *            *     *        none             Default allow LAN to any rule ipv4
    IPv6 *  LAN net  *     *            *     *        none             Default allow LAN to any rule ipv6

    However, my firewall logs are flooded with a LAN address trying to access Google and being blocked:

    block Oct 31 10:48:34	LAN	192.168.1.196	74.125.69.95:443	TCP:PA
    

    With a default allow any rule I shouldn't have anything outbound blocked, right?  Any help?



  • Probably a stateful firewall artifact.  When you initiate a connection, pfSense automatically allows the return portion of the conversation.  When your end thinks the conversation is over, it will reject any replies from the destination end and log them.  That's most likely what you're seeing, although I usually see these with FIN,ACK (TCP:FA) packets.



  • @KOM:

    Probably a stateful firewall artifact.  When you initiate a connection, pfSense automatically allows the return portion of the conversation.  When your end thinks the conversation is over, it will reject any replies from the destination end and log them.  That's most likely what you're seeing, although I usually see these with FIN,ACK (TCP:FA) packets.

    Interesting.  But if that were the case wouldn't the source and dest addresses be flipped?  The source address is a LAN address.



  • Sorry, I missed that.  By default, there is already a Default allow LAN to any rule that allows full access from LAN to anywhere.  There is a hidden block rule just below the Allow LAN rule that catches anything not explicitly allowed by rules above it.  It usually doesn't get used much because the Allow rule allows everything.  Why did you change the default Allow LAN to Any rule?  If you change it back to what it was, does your issue resolve itself?


  • Netgate

    That traffic will still be out-of-state because it's not a SYN packet - even with a pass any any any on LAN.

    It looks like for some reason that host tried to send traffic to a state that had been closed.  I wouldn't sweat it unless there's actually a perceptible problem.
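An added example, not code from this thread or from pfSense/pf itself: a small Python model of the stateful filtering that KOM and the Netgate reply describe, followed by a triage check for the log layout shown in the question. It walks one HTTPS session from the LAN host, closes it, and then feeds in one more TCP:PA segment, which has no state to match and is not a SYN, so the "allow LAN to any" rule cannot create a state for it and it falls through to the hidden default deny and gets logged. The LAN host and Google addresses are the ones quoted in the thread; the source port 51234, the timestamp, the extra log lines and all function and class names are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as pf logs them: "S", "SA", "A", "PA", "FA", "R"


@dataclass
class StatefulFirewall:
    """Toy model of pf's stateful filtering on the LAN interface (constructed, not pfSense code)."""
    lan_net: str = "192.168.1."
    clock: str = "Oct 31 10:48:34"            # constructed timestamp for the log lines
    states: set = field(default_factory=set)   # open state entries
    log: list = field(default_factory=list)    # blocked packets, in the thread's log layout

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # A state matches packets in both directions, so the key ignores direction.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        # 1. A packet that matches an existing state passes before any rule is consulted.
        if key in self.states:
            if "F" in p.flags or "R" in p.flags:
                self.states.discard(key)  # simplification: the first FIN or RST closes the state
            return "pass"
        # 2. No state: evaluate the "Default allow LAN to any" rule. Its TCP flag match is
        #    the pf default S/SA, so only a bare SYN from the LAN can create a state.
        if p.src.startswith(self.lan_net) and p.flags == "S":
            self.states.add(key)
            return "pass"
        # 3. Anything else is out-of-state and falls through to the hidden default deny,
        #    which logs it. A late TCP:PA from the LAN host ends up here.
        self.log.append(f"block {self.clock}\tLAN\t{p.src}\t{p.dst}:{p.dport}\tTCP:{p.flags}")
        return "block"


def run_scenario():
    """One HTTPS session closed by the LAN host, then one segment that arrives after the close."""
    fw = StatefulFirewall()
    lan, google = ("192.168.1.196", 51234), ("74.125.69.95", 443)
    verdicts = [
        fw.filter(Packet(*lan, *google, "S")),   # SYN matches the allow rule and creates the state
        fw.filter(Packet(*google, *lan, "SA")),  # SYN/ACK matches that state in the reverse direction
        fw.filter(Packet(*lan, *google, "PA")),  # data inside the state
        fw.filter(Packet(*lan, *google, "FA")),  # LAN host closes; the state is removed
        fw.filter(Packet(*lan, *google, "PA")),  # a straggler after the close: no state, blocked
    ]
    return verdicts, fw.log


# Parser for the log layout shown in the thread: action, timestamp, interface, source,
# destination[:port], protocol[:flags]. Tabs or runs of spaces both work as separators.
LOG_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<when>\w{3}\s+\d+\s+[\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>[A-Za-z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)


def classify(line: str) -> str:
    """Separate blocks that are real policy decisions from stale-session noise."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    if m["action"] != "block":
        return "allowed"
    if m["proto"] != "TCP":
        return "non-tcp"         # UDP/ICMP carry no flags, so this heuristic cannot judge them
    if m["flags"] != "S":
        return "out-of-state"    # not a connection attempt: a segment whose state is gone
    return "policy"              # a SYN the ruleset genuinely refused


if __name__ == "__main__":
    verdicts, log = run_scenario()
    print(verdicts)
    for entry in log:
        print(entry, "->", classify(entry))
```

The `classify` check is the practical takeaway for reading a flooded log: a blocked TCP entry whose flags are anything other than a bare SYN was never a new connection the ruleset refused, so it is the stale-state noise the thread describes, while a blocked TCP:S is a genuine policy decision worth looking at. The model deliberately closes the state on the first FIN; real pf keeps a closing state around briefly, which is why these late segments are usually rare rather than constant.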