Internal gateway packets being dropped
-
Internal LAN network is 10.1.1.0/24. I have a router at 10.1.1.230 and two routes in the firewall for 10.52.0.0/16 and 10.152.0.0/16 which point back to 10.1.1.230.
I have a rule to allow anything from the LAN network (10.1.1.0/24) to have no restrictions to any destination for testing. However, packets keep getting dropped to 10.52 & 10.152 like below. Even if I add the 'easy rule' packets are still being dropped. Am I missing something?
block Dec 2 16:52:22 LAN 10.1.1.49:50544 10.52.9.11:1494 TCP:PA
-
I read that this happens when the connection closes before the packets can get through. Not harmful in any way.
-
The thing is, this happens right when the connection is being dropped. I'm not closing out or anything. What this is is a Citrix Receiver that drops connection every minute or so and comes back up. I see these alerts at the same time that the connection drops.
So are you saying that it's unrelated? Citrix works just fine when I bypass the firewall, so that's why I thought this might be the issue.
-
So, figured this out… had to set the bypass setting.
"Bypass firewall rules for traffic on the same interface"
-
Interesting to know. It's also good practice not to have more than one subnet per broadcast domain.
-
This seems like a convoluted configuration. So you're hairpinning your routes to get to 10.1.1.230, and you run into an asymmetric route on return traffic.
So you have a client say on 10.1.1.49, with pfsense being say 10.1.1.1, he wants to go to 10.52.9.11. So he sends his traffic to pfsense lan (his gateway) to 10.1.1.1, pfsense then sends the traffic back out the same interface to 10.1.1.230.
A better setup if you want to route/firewall this traffic through pfsense would be to put this router that has connection to these 10.52 and 10.152 networks on its own transit network either on different interface on pfsense or vlan.
So for example the network to get to the router could be say 10.1.2.0/30 where pfsense interface would be 10.1.2.1 and router 10.1.2.2
You state you have rule on lan for lan source 10.1.1.0/24, but traffic that would come from 10.52 or 152/16 would not be allowed by such a rule if devices in those networks created traffic to 10.1.1, unless you were natting at the 10.1.1.230 router.
Here is where you run into issues as well with your setup. The traffic coming back from a box in the 10.52, the 1.230 router would just put it out its interface on the 10.1.1, why would it send that traffic back to pfsense? It has an interface in that network - no reason to talk to pfsense to get there.
Your other option is to create a route on your client 10.1.1.49 that says hey if you want to talk to 10.52 or 10.152 go to 10.1.1.230 directly. But now you cannot firewall, nor in your current setup can you firewall at pfsense any traffic coming from 10.52/152 to 10.1.1.
Here's a quick drawing - see attached.
pfsense vlan 10, 10.1.1.1/24, vlan 20 10.1.2.1/30
So now if 10.1.1.49 wants to talk to 10.52/152/16 he sends traffic to 10.1.1.1, pfsense then says oh to get to those networks need to talk to 10.1.2.2 the red arrows. When traffic returns or is created from 10.52/152 follows the green arrows. Router at 2.2 says hey to get to 10.1.1/24 I send to 10.1.2.1.
This allows you to create firewall rules in both directions and you have symmetrical routes.
edit: If you don't want to hairpin/route on a stick then you just use a different physical interface to connect to the router - see attached pic 2.
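As an added illustration (not from the thread or from pfSense itself), here is a small Python model of the two designs discussed: the hairpin setup from the question, where the router sits on the same LAN as pfSense, and the transit-network design from the reply above. It walks a TCP handshake hop by hop and puts a simplified stateful filter where pfSense is (a stand-in, not pf's real state machine); the node names, the router's 10.52.0.1 address and the sample flow are constructed.

```python
import ipaddress
def _link_of(node, addr):
    # The node's connected network that contains addr, or None if addr is not on-link.
    a = ipaddress.ip_address(addr)
    return next((l for l in node["links"] if a in ipaddress.ip_network(l)), None)
def _next_hop(node, dst):
    # Direct delivery if dst is on-link, else longest-prefix match on the static routes.
    if _link_of(node, dst):
        return dst
    a = ipaddress.ip_address(dst)
    return max((ipaddress.ip_network(n).prefixlen, h) for n, h in node["routes"] if a in ipaddress.ip_network(n))[1]
def path(topo, src, dst):
    # Addresses a packet visits from src to dst, following each node's own routing decision.
    hops = [src]
    while hops[-1] != dst:
        node = next(d for d in topo.values() if hops[-1] in d["addrs"])
        hops.append(_next_hop(node, dst))
    return hops
def firewall(topo, fw, packets, bypass_same_if=False):
    # Simplified stateful filter at node fw: a flow must complete its handshake through fw first.
    states, blocked = {}, []
    for src, dst, flags in packets:
        hops = path(topo, src, dst)
        i = next((i for i, h in enumerate(hops) if h in topo[fw]["addrs"]), None)
        if i is None:
            continue                               # this direction never crossed fw at all
        ins, outs = (_link_of(topo[fw], hops[i + k]) for k in (-1, 1))
        if bypass_same_if and ins and ins == outs:
            continue                               # models "Bypass firewall rules for traffic on the same interface"
        key = tuple(sorted((src, dst)))
        if flags == "S":
            states[key] = "SYN_SENT"
        elif flags == "SA" and states.get(key) == "SYN_SENT":
            states[key] = "ESTABLISHED"
        elif states.get(key) != "ESTABLISHED":
            blocked.append((src, dst, flags))      # what the log shows as "block ... TCP:PA"
    return blocked
HAIRPIN = {  # constructed from the thread: router 10.1.1.230 shares the LAN with pfSense 10.1.1.1
    "client":  {"addrs": ["10.1.1.49"], "links": ["10.1.1.0/24"], "routes": [("0.0.0.0/0", "10.1.1.1")]},
    "pfsense": {"addrs": ["10.1.1.1"], "links": ["10.1.1.0/24"], "routes": [("10.52.0.0/16", "10.1.1.230")]},
    "router":  {"addrs": ["10.1.1.230", "10.52.0.1"], "links": ["10.1.1.0/24", "10.52.0.0/16"], "routes": []},
    "server":  {"addrs": ["10.52.9.11"], "links": ["10.52.0.0/16"], "routes": [("0.0.0.0/0", "10.52.0.1")]},
}
TRANSIT = {  # the reply's design: router moved onto the 10.1.2.0/30 transit network behind pfSense
    "client": HAIRPIN["client"], "server": HAIRPIN["server"],
    "pfsense": {"addrs": ["10.1.1.1", "10.1.2.1"], "links": ["10.1.1.0/24", "10.1.2.0/30"], "routes": [("10.52.0.0/16", "10.1.2.2")]},
    "router":  {"addrs": ["10.1.2.2", "10.52.0.1"], "links": ["10.1.2.0/30", "10.52.0.0/16"], "routes": [("10.1.1.0/24", "10.1.2.1")]},
}
FLOW = [("10.1.1.49", "10.52.9.11", "S"), ("10.52.9.11", "10.1.1.49", "SA"),  # constructed Citrix-like flow:
        ("10.1.1.49", "10.52.9.11", "A"), ("10.1.1.49", "10.52.9.11", "PA")]  # handshake, then a PSH/ACK
```

In the hairpin topology the SYN/ACK returns straight from the router to the client, so pfSense's state never completes and the later ACK and PSH/ACK are blocked; the same-interface bypass makes them pass unchecked, while the transit network lets pfSense see both directions and filter them.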