Netgate Discussion Forum

    Allow all firewall rule - Still getting blocked

    Firewalling
    8 Posts 5 Posters 1.5k Views
    • BluBoy

      Hi all,

      I am sure I am doing something wrong here, but I'm at a loss as to where else to look.

      I have ended up at the stage, where my LAN interface is wide open. I have the default anti-lockout rule, and an allow all.

      ID  Proto   Source   Port  Destination  Port       Gateway  Queue  Schedule  Description
          *       *        *     LAN Address  443,80,22  *        *                Anti-Lockout Rule
          IPv4 *  LAN net  *     *            *          *        none            Default allow LAN to any rule

      However, I have two NAS' on the same network that can't communicate with each other. LAN Subnet = 10.0.0.0/24

      
                                                          ---------
       ------------              -----------        ---- | NAS .50 |
      | PFSENSE .1 | ---------- | Switch .2 | ----<       ---------
       ------------              -----------        ---- | NAS .72 |
                                                          ---------
      
      

      I have attempted to use zfs send over SSH to replicate some data onto the second NAS, as well as a basic rsync copy. Both end up getting dropped by the firewall (see snippet below).

      Act    Time            If   Source           Destination      Proto
      block  May 2 12:15:58  LAN  10.0.0.50:11761  10.0.0.72:22     TCP:A
      block  May 2 12:09:58  LAN  10.0.0.50:873    10.0.0.72:38751  TCP:SA

      I just can't explain it. There are no drop rules at all (as per above, plus floating rules are empty).
      To make it extra frustrating, I can SSH from any laptop on the LAN subnet to the NAS and it is fine.
      However, when I SSH from one NAS to the other it works for ~30 seconds before the session is killed.

      Both NAS boxes are running FreeNAS-9.3-STABLE and had no issues previously.

      • Nullity

        Did you reset the firewall states or perhaps try rebooting?

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

        • BluBoy

          Yes, have attempted both.

          • doktornotor

            Why the heck would two LAN machines plugged into the same switch communicate via the router in the first place? Sounds like you got something badly wrong outside of pfSense.

            • Derelict (Netgate)

              It's certainly not firewall rules.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • BluBoy

                I can't explain that either. It's a 4 port WAP (with the two NAS' plugged in to the gigeth).
                (I am looking into this)

                Even if it shouldn't be going via the router, it is.
                I don't see why pfsense is dropping the packets.

                • Derelict (Netgate)

                  Well, it's not going to send packets received for the same subnet out the same interface. That's basic IP networking. Fix your network. (Check your netmasks.)

                  • johnpoz (Global Moderator)

                    "Even if it shouldn't be going via the router, it is."

                    You need to fix your mask.. Why would a box that is on network 10.0.0.0/24 send traffic to its gateway to go to the same network?? And if it did.. why would pfSense, which has no state, forward A and SA?

                    From that log I guess that 10.0.0.50 has the wrong mask.. 10.0.0.72 sent traffic to .50, and it said yeah, that is not on my network - need to send that to my gateway pfSense.. pfSense sees a SA or A without a state - what do you think it should do as a stateful firewall??

                    Now it seems it must really be a messed up mask - maybe /32? Something /26 or above would put them on different networks.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1
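As an added illustration of the two points johnpoz makes (this is example code, not code from the thread or from pfSense/pf): which mask lengths put 10.0.0.50 and 10.0.0.72 on different subnets so that one sends to its gateway, and why a stateful filter with only an "allow LAN net to any" rule still blocks an A or SA segment it never saw a SYN for. `StatefulLanFilter` is a deliberately simplified, hypothetical model of pf's default TCP state handling (a bare SYN creates state; everything else needs an existing state), and the segment lists are constructed from the two log lines earlier in the thread.

```python
import ipaddress

def on_link(host_ip: str, host_prefix: int, dst_ip: str) -> bool:
    """True if a host configured as host_ip/host_prefix treats dst_ip as
    directly reachable; False if it hands the packet to its default gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_prefix}")
    return ipaddress.ip_address(dst_ip) in iface.network

def splitting_prefixes(a: str, b: str) -> list[int]:
    """Prefix lengths (0..32) under which a and b fall into different subnets,
    i.e. the wrong masks on a that would route a -> b via the gateway."""
    return [p for p in range(33) if not on_link(a, p, b)]

class StatefulLanFilter:
    """Toy model (not pf's code) of 'allow LAN net to any' under pf's default
    TCP handling (flags S/SA keep state): a bare SYN from the LAN creates state,
    later segments pass only while a state exists, and anything else falls
    through to the implicit default block that pfSense logs."""
    def __init__(self, lan_net: str):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.states: set[frozenset] = set()

    def filter(self, src: str, sport: int, dst: str, dport: int, flags: str) -> str:
        key = frozenset({(src, sport), (dst, dport)})  # one entry for both directions
        if key in self.states:
            return "pass"
        if flags == "S" and ipaddress.ip_address(src) in self.lan_net:
            self.states.add(key)   # SYN matched the allow rule: create state
            return "pass"
        return "block"             # mid-stream segment, no state: default deny

def replay(fw: StatefulLanFilter, segments) -> list[str]:
    return [fw.filter(*seg) for seg in segments]

# Constructed from the thread's two log lines: A and SA segments that reached pfSense with no preceding SYN.
MIDSTREAM_ONLY = [
    ("10.0.0.50", 11761, "10.0.0.72", 22, "A"),
    ("10.0.0.50", 873, "10.0.0.72", 38751, "SA"),
]
# Constructed: the handshake the firewall would have to see to build state.
FULL_HANDSHAKE = [
    ("10.0.0.50", 11761, "10.0.0.72", 22, "S"),
    ("10.0.0.72", 22, "10.0.0.50", 11761, "SA"),
    ("10.0.0.50", 11761, "10.0.0.72", 22, "A"),
]

if __name__ == "__main__":
    print(splitting_prefixes("10.0.0.50", "10.0.0.72"))              # [26, 27, ..., 32]
    print(replay(StatefulLanFilter("10.0.0.0/24"), MIDSTREAM_ONLY))  # ['block', 'block']
    print(replay(StatefulLanFilter("10.0.0.0/24"), FULL_HANDSHAKE))  # ['pass', 'pass', 'pass']
```

Any prefix of /26 or longer separates the two hosts, matching the post above; the model also shows that the rule table being "allow all" is irrelevant once the firewall only sees one side of a conversation.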

                    Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.