Traffic blocked by default rules

  • Hi,
    I'm having some problems the default rules. In my scenario, I have a external router connected to a firewall (pfsense) that it's also connected to another firewall (fw2). I want to acces https of the fw2 from the outside. I configured the external router with nat from the 443 to go to the pfsense 6443 and in the pfsense, I nat the 6443 traffic to the fw2 443:

    external-ip:443 -> pfsense:6443
    pfsense:6443 -> fw2:443

    Nat rule in the pfsense:

    And the associated nat rule in the wan interface:

    I even add a floating rule allow in the WAN interface to allow traffic in both directions and "Apply the action immediately on match.":

    But my nat traffic from the pfsense to fw2 is getting blocked on the WAN interface and the rule that it's blocking is @3 block drop in log inet all label "Default deny rule IPv4":

    I did some research and activated the following options already: system -> Advanced -> Firewall/Nat
    Firewall Optimization Options: conservative
    Static route filtering: Enabled: Bypass firewall rules for traffic on the same interface

    There's something that I'm missing?


  • Banned

    The pics are broken.

  • Edited.

  • Banned

    Tired of trying to imagine the setup. Produce network diagrams in future, describing fails.

    Do you mean you have asymmetric routing? Either get rid of it or allow sloppy states.

  • Network Diagram:

    What I'm trying to do is to access the https of the fw2 by the external ip of the external router.

    https://externalip should show me https://fw2

    I see the traffic coming to the pfsense, but it's getting blocked after the nat in the pfsense, when is trying to go from the pfsense to the fw2

  • LAYER 8 Global Moderator

    those are not syn packets those are Ack packets - so those are out of state and would block yes if there is no state.

    Your drawing does not point to asymmetrical.

    But your blocks are out of state traffic.

    You don't need a floating rule.. You need a simple port forward..  I do the same thing to allow my vps machines to talk to the landscape server on my lan

    why are you seeing out of state is the question..  Is your network different than your drawing?

    What does fw2 resolve too.. Why are you hiding it.. I would assume that is a rfc1918 address from your drawing I would assume pfsense is natting?  Especially since you have a port forward setup, if its not natting then you wouldn't use a port forward rule.

    So you say you nat at external router, then nat again at pfsense - so you have a triple nat? external, pfsense and then fw2 also nats?

  • Looks to me like you may have an existing firewall rule above the port-forward rule you've shown here. Remember that firewall rules are applied from the top down. If you post a screen-grab of your complete firewall rules, it may reveal that you have a 'block all' rule placed somewhere above the forward rule. As johnpoz says, remove the floating rule - that's not needed.

  • In the external router, I'm natting to the pfsense and in the pfsense I'm natting to the fw2. No natting in the fw2.

    There's no blocking rule in the list, just the default that it's hard coded in the pfsense.

  • LAYER 8 Global Moderator

    so you have a double nat to your fw2.. while it can work - it can be problematic.

    Again pfsense is not blocking the SYN, its blocking out of state packets TCP:A and TCP:PA which is exactly what a stateful firewall should do.. And yes that block would be the default rule because no states matched and you got to your default rule.

    You need to figure out why your seeing out of state.. Is pfsense states being reset?  For example if the monitoring detects you went down it can reset the states, etc.

    Is your first router changing the source port?  So traffic no longer matches state that was created in pfsense.  I would look to your pfsense states to your fw2:433 port.

  • Banned

    Executive summary: You have two more firewalls there than needed.

  • LAYER 8 Global Moderator

    ^ but 2 is always better than 1, so 3 should be better than 2 is quite often mistakenly seen as valid logic ;)  If natting provides some native protection then double natting must be even safer ;)

    IMHO more is not always better - sometimes its just complicates and creates more points of failure.

  • @jferreira03:

    In the external router, I'm natting to the pfsense and in the pfsense I'm natting to the fw2. No natting in the fw2.

    There's no blocking rule in the list, just the default that it's hard coded in the pfsense.

    Ok, so do you have any other rules in the list? As I mentioned a screen-grab of the entire WAN ruleslist would be helpful.

    Good point made about why you should want to have a 'double firewall' setup like this. Is fw2 supposed to be a choke firewall between the external and the DMZ? If so, you'd probably simplify your life - and your network requirements - significantly by defining your DMZ on the one pfSense firewall and dropping the second fw2 altogether.

Log in to reply