Firewall "any protocol" setting now blocks OVPN/LAN - worked previously
-
I'm puzzled - haven't changed anything but since today ovpn clients got blocked by the FW when trying to access a server on the LAN. This had been working fine for months. Got the below errors in the FW log.
It worked using easyrule but I didn't want to do that - through experiments I have found that I needed to add a "TCP" protocol rule to LAN, because the "any" protocol rule blocked me. See 2nd and 3rd rule in picture.
Any ideas?
-
Not sure what you're doing. Rules on LAN have nothing to do with connections to hosts on LAN.
Looks like those log entries are just out-of-state traffic. Perfectly normal.
-
I almost wish that pfSense would account for these just-barely-out-of-state ACKs that reply after the connection is closed and not log them. It would cut down on this same question that confuses a lot of people.
-
Kind of wish logging of default was off by default ;) Since any sort of log seems confuse users, be it out of state or not ;) They see a few udp packets on strange ports and think they are under attack ;)
But sure not logging out of state blocks and only logging block of syn might be less confusing for many users.
-
Hm - thanks! I was tired I guess. Had reset the states table also but then added the FW rule (simply modified an EasyRule to 0/24) and saw an effect (worked again) that actually may have come from resetting the states table and just took a minute to materialize…
Anyway, I was concerned because the ovpn clients got no traffic for an hour or so - and we tested that with three different clients and users. No errors in the ovpn-log but no traffic between the ovpn routed network (192.168.10.0/24) and LAN (192.168.2.0/24) either. Was pretty weird because it had worked for months (much longer than the uptime of 60 days).
I'm not sure what made the traffic out-of-states in the first place. We re-connected the clients one by one but they still got no traffic.
I checked on the total number of states as well and that was below the default for my system (202000, it's a D525 with 2GB).
Anyway, works again - also without the additional TCP rule. Would just like to understand better so that I can prevent this in future. I have read on TCP:FA in the definitive guide and understand that part - but it has not enlightened me re the blocked traffic that happened.
I don't have configured any static routes (unless the "UGS" in Diagnostics/Routes "192.168.10.0/24 192.168.10.2 UGS 0 2664569 1500 ovpns2" counts as a static route because of the "S" flag - this was added by ovpn anyway).
Maybe the ovpn-server just had a hickup, even though its log looked normal.
