TCP firewall block



  • Hi,
    I'm new to the pfSense world, and I'm Italian. Sorry for my English.
    Here is my problem:
    - the firewall blocks every TCP connection from the WAN.
    - the firewall blocks every connection from the LAN to the internet unless the traffic runs through the gateway.

    My network topology:
    internet <---2.230...(static IP)---> router (IP: 192.168.1.254/24) <-----> pfSense firewall (WAN IP: 192.168.1.65/24) <-----> LAN net IP: 192.168.2.0/24

    Often my internet connection seems slow because the firewall blocks every TCP connection.
    Please, can you help me?

    ![Senza titolo.png](/public/imported_attachments/1/Senza titolo.png)
    ![Schermata 2014-12-03 alle 01.46.30.png](/public/imported_attachments/1/Schermata 2014-12-03 alle 01.46.30.png)
    ![Schermata 2014-12-03 alle 01.46.42.png](/public/imported_attachments/1/Schermata 2014-12-03 alle 01.46.42.png)
    ![Schermata 2014-12-03 alle 01.47.00.png](/public/imported_attachments/1/Schermata 2014-12-03 alle 01.47.00.png)



  • It's blocking FIN packets, which are sent to close the connection. This seems to happen a lot; the connection gets closed, and the other side attempts to send more FIN packets after the fact.

    Unless you're having issues with connections, this is probably just harmless out-of-state packets getting dropped.

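Telling the harmless out-of-state drops described in the reply above apart from real blocks is easiest done on the firewall log itself. The following is an added example, not code from the thread or from pfSense: it parses a few constructed filterlog-style lines (the CSV field layout is assumed to be pfSense's filterlog format for IPv4/IPv6 plus TCP/UDP fields, not taken from the thread) and sorts each blocked TCP entry into "out_of_state" (FIN, RST, ACK or SYN/ACK with no matching state) versus "new_connection" (a bare SYN, i.e. the default-deny rule doing its job).

```python
"""Sort pfSense-style filterlog 'block' entries into out-of-state TCP noise vs. real blocks.

Added example. The field layout below is an assumption about pfSense's filterlog
CSV format; adjust the indices if your version differs.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines (not real captures). Assumed IPv4/TCP layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,ipflags,proto-id,proto,length,src,dst,sport,dport,datalen,tcpflags,...
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,58,44512,0,DF,6,tcp,52,93.184.216.34,192.168.1.65,443,51102,0,FA,1879231214,,1024,,
5,,,1000000103,em0,match,block,in,4,0x0,,58,44513,0,DF,6,tcp,40,93.184.216.34,192.168.1.65,443,51102,0,RA,1879231215,,0,,
5,,,1000000103,em0,match,block,in,4,0x0,,48,21877,0,DF,6,tcp,60,198.51.100.7,192.168.1.65,40000,80,0,S,2210043501,,29200,,mss
5,,,1000000103,em0,match,block,in,4,0x0,,64,7,0,none,17,udp,78,198.51.100.9,192.168.1.65,5353,5353,58
12,,,1000000105,em1,match,pass,out,4,0x0,,64,100,0,DF,6,tcp,60,192.168.2.10,93.184.216.34,51102,443,0,S,1,,65535,,mss
"""


@dataclass
class Entry:
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[str]
    dport: Optional[str]
    tcp_flags: Optional[str]


def parse_filterlog(line: str) -> Optional[Entry]:
    """Parse one filterlog CSV line; returns None for lines that are too short."""
    f = line.strip().split(",")
    if len(f) < 9:
        return None
    ipver = f[8]
    if ipver == "4":
        # IPv4 header fields occupy indices 9..19, L4 fields start at 20 (assumed)
        proto, src, dst, l4 = f[16], f[18], f[19], 20
    elif ipver == "6":
        # IPv6 header fields occupy indices 9..16, L4 fields start at 17 (assumed)
        proto, src, dst, l4 = f[12], f[15], f[16], 17
    else:
        return None
    sport = f[l4] if len(f) > l4 else None
    dport = f[l4 + 1] if len(f) > l4 + 1 else None
    # TCP flags sit after sport, dport, datalen (e.g. "S", "SA", "FA", "RA", "PA")
    flags = f[l4 + 3] if proto == "tcp" and len(f) > l4 + 3 else None
    return Entry(f[4], f[6], f[7], proto, src, dst, sport, dport, flags)


def classify(e: Entry) -> str:
    """Label an entry: passed, blocked_other, new_connection or out_of_state."""
    if e.action != "block":
        return "passed"
    if e.proto != "tcp" or not e.tcp_flags:
        return "blocked_other"
    flags = set(e.tcp_flags)
    if "S" in flags and "A" not in flags:
        # A bare SYN is a genuine new connection attempt hitting default-deny.
        return "new_connection"
    # SYN/ACK, FIN, RST or bare ACK with no matching state entry: leftovers of a
    # connection pf already closed, or unsolicited replies. Harmless noise.
    return "out_of_state"


def summarize(log_text: str) -> Dict[str, int]:
    """Count entries per label over a whole log excerpt."""
    counts = {"passed": 0, "blocked_other": 0, "new_connection": 0, "out_of_state": 0}
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e is not None:
            counts[classify(e)] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        entry = parse_filterlog(raw)
        print(f"{classify(entry):15} {entry.proto:4} {entry.src}:{entry.sport} -> "
              f"{entry.dst}:{entry.dport} flags={entry.tcp_flags}")
    print(summarize(SAMPLE_LOG))
```

If almost every blocked TCP entry on the WAN lands in "out_of_state" with FA/RA/PA flags and the same source and port pairs as connections the LAN just finished, the log is showing closed-connection stragglers, not a firewall that is breaking traffic; a slow link should be investigated elsewhere. A steady stream of "new_connection" blocks from the LAN side of the WAN rules, on the other hand, points at a rule problem.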

  • Rebel Alliance Global Moderator

    Yes, out of state would be blocked.

    Is that first picture your WAN rules? It sure looks like it, from the fact that one of the destinations is WAN address. And the 2nd pic is clearly your LAN.

    Those rules make no sense. Why would you allow 1024-65k to your WAN address? And how would your LAN segments ever be a source of inbound traffic on the WAN? As to that block to 80, that would be blocked and logged by the default rule.