Netgate Discussion Forum
    [SOLVED] Blocking with a rule that I can't find

    Firewalling
    9 Posts 3 Posters 6.6k Views
    • brainstomp

      Solution:

      Bought a couple of support incidents. (Incidentally the best $400 I have ever spent on firewall support. I wish Cisco/Juniper/CheckPoint/WatchGuard/etc. had this kind of support).

      Opened a ticket.
      Gave the tech this entry on the forums.
      Tech said to go to System>Advanced>Firewall & NAT
      Check the box for "Bypass firewall rules for traffic on the same interface"
      This immediately solved the problem.

      Thanks to KOM & Derelict for their replies!

      BrainStomp

      --------------------------------------------

      Hi gang,

      I have a strange problem (to me).

      I setup a pfsense to take care of firewalling and routing on my network and I have some traffic that is being blocked by a rule that does not exist on the firewall rules anywhere.

      Traffic from 10.5.10.10 headed to anything

      This is all on the same interface (em5) and I have a route to the 10.1.x.x/16 subnet already declared.
      I made a rule that allows all from 10.5.x.x/16 to go to 10.1.x.x/16 at the top of the rules for em5, this did not solve the problem.

      the firewall logs the following constantly:

      Oct  6 16:38:40 pfSense1 filterlog: 5,16777216,,1000000103,em5,match,block,in,4,0x0,,128,22348,0,DF,6,tcp,52,10.5.10.10,10.1.13.81,80,53013,0,SA,1913811785,1972202718,8192,,mss;nop;wscale;nop;nop;sackOK

      I have run:

      pfctl -sr

      looking for the rule and found only the rule that I created allowing 10.5.x.x/16 full access to everything but nothing else blocking it

      block drop in log on ! em5 inet from 10.5.0.0/16 to any

      The details on the firewall:

      Version:

      2.2.4-RELEASE (amd64)
      built on Sat Jul 25 19:57:37 CDT 2015
      FreeBSD 10.1-RELEASE-p15

      Interface:

      LAND1LAN1 interface (opt4, em5)
      Status up
      MAC address 00:50:56:98:46:6a
      IPv4 address 10.5.0.1
      Subnet mask IPv4 255.255.0.0
      IPv6 Link Local fe80::250:56ff:fe98:466a
      MTU 1500
      Media 1000baseT <full-duplex>
      In/out packets 149046997/359988345 (74.89 GB/440.94 GB)
      In/out packets (pass) 149046997/359988345 (74.89 GB/440.94 GB)
      In/out packets (block) 1686130/152865 (132.05 MB/9.93 MB)
      In/out errors 0/0
      Collisions 0

      Routes:

      IPv4
      Destination Gateway Flags Use Mtu Netif Expire
      0.0.0.0/8 link#4 U 0 1500 em3
      default 96.91.183.254 UGS 8758919 1500 em0
      10.1.2.0/24 10.5.100.10 UGS 196406 1500 em5
      10.1.3.0/24 10.5.100.10 UGS 1442421 1500 em5
      10.1.4.0/24 10.5.100.10 UGS 174171 1500 em5
      10.1.5.0/24 link#8 U 10711953 1500 em7
      10.1.5.254 link#8 UHS 0 16384 lo0
      10.1.6.0/24 10.5.100.10 UGS 173100 1500 em5
      10.1.7.0/24 10.5.100.10 UGS 283354 1500 em5
      10.1.8.0/24 10.5.100.10 UGS 103694 1500 em5
      10.1.9.0/24 10.5.100.10 UGS 177588 1500 em5
      10.1.10.0/24 link#7 U 8473159 1500 em6
      10.1.10.254 link#7 UHS 0 16384 lo0
      10.1.11.0/24 10.5.100.10 UGS 326391 1500 em5
      10.1.12.0/24 10.5.100.10 UGS 944054 1500 em5
      10.1.13.0/24 10.5.100.10 UGS 71508 1500 em5
      10.1.16.0/24 10.5.100.10 UGS 152044 1500 em5
      10.1.18.0/24 10.5.100.10 UGS 908908 1500 em5
      10.1.19.0/24 10.5.100.10 UGS 5836683 1500 em5
      10.1.20.0/24 10.5.100.10 UGS 706381 1500 em5

      • KOM

        Oct  6 16:38:40 pfSense1 filterlog: 5,16777216,,1000000103,em5,match,block,in,4,0x0,,128,22348,0,DF,6,tcp,52,10.5.10.10,10.1.13.81,80,53013,0,SA,1913811785,1972202718,8192,,mss;nop;wscale;nop;nop;sackOK

        Nobody has a clue what that means.  Post a screenshot of the log entry.

        By default, pfSense allows all from LAN, but blocks all from any other interface until you add an allow rule for that interface.  The blocking rule is called the Default Deny rule, and it is indeed hidden.  Imagine it being at the very bottom of your interface rules.  When you look at your firewall logs and see blocks, click on the red/white X and it will tell you the rule that blocked it.

        • brainstomp

          Indeed it appears to be the default deny rule but why won't it take the rule I put explicitly allowing this to take place ahead of the default deny rule?

          [attachment: 2015-10-06-pfsense-01.PNG]

          • KOM

            https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

            • Derelict (LAYER 8, Netgate)

              What's not working?

              I have to say I'm a little confused by the route for 0.0.0.0/8

              Not that it has anything to do with anything - your logs are simply out-of-state traffic.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • brainstomp

                @KOM:

                https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

                Yea, saw that already. Yes I did RTFM. That is why I am asking here, because I can't find a way to solve this.

                Derelict:

                What isn't working is that the servers in 10.5.10.x are not able to talk with their clients at 10.1.x.x. That traffic is all being blocked by the default Deny rule.

                • brainstomp

                  Also I have tried putting the rule to allow the traffic in the floating rules with no luck.

                  • KOM

                    because I can't find a way to solve this

                    You're better off ignoring it, or create your own blocking rule above the default and set it to not log, but then you won't be logging anything.  You can also uncheck the Log packets matched from the default block rules put in the ruleset option in Status - System logs - Settings - General Logging Options - Log Firewall Default Blocks.

                    • Derelict (LAYER 8, Netgate)

                      You are not posting any logs showing traffic being blocked.  If TCP traffic was being blocked it would be a blocked SYN (S) packet in the logs.

                      You have to put the rules in place for the devices that are MAKING the connections.  If you have a web server on 10.5.10.100 and a client on 10.1.1.101 you need a rule on the 10.1.1.X/X interface that passes traffic from 10.1.1.101 to 10.5.10.100.  You need absolutely no rules on the 10.5.10.X/X interface for that web traffic to occur.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
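As an added example (not code from this thread, from pfSense, or from Netgate), here is a small Python triage script for the filterlog line brainstomp posted in the first post. It decodes the pfSense 2.2-era filterlog CSV fields, names the blocking rule by its tracker ID, applies the test Derelict gives above (a blocked SYN is a policy block; a blocked SYN-ACK or other mid-stream packet is out-of-state traffic), and checks against a route table built from the first post's routing output whether the packet would leave through the interface it arrived on, which is the situation the accepted fix ("Bypass firewall rules for traffic on the same interface") addresses. The tracker-to-label table (only 1000000103 is confirmed by the thread as the default deny), the route table, and the second, SYN-only log line are constructed for the example.

```python
"""Triage pfSense filterlog block entries (added example, not pfSense code).

Decodes the pfSense 2.2-era filterlog CSV layout (IPv4, TCP/UDP) and answers
the two questions raised in the thread: which rule blocked the packet, and is
the block a policy decision on a new connection or an out-of-state packet.
"""
import ipaddress

# Tracker IDs of pfSense's hidden default deny rules. Only 1000000103 is
# confirmed by the thread (the IPv4 default deny seen on em5); treat the table
# as an assumption and verify it against `pfctl -vvsr` on your own firewall.
DEFAULT_DENY_TRACKERS = {"1000000103": "Default deny rule IPv4"}

HEADER_FIELDS = ["rule", "subrule", "anchor", "tracker", "iface",
                 "reason", "action", "direction", "ipver"]
IP4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "ip_flags",
              "proto_id", "proto", "length", "src", "dst"]
TCP_FIELDS = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack",
              "window", "urg", "options"]
UDP_FIELDS = ["sport", "dport", "data_len"]

# Route table constructed from the first post's routing output: (prefix, netif).
ROUTES = [("0.0.0.0/0", "em0"), ("10.1.13.0/24", "em5"),
          ("10.1.5.0/24", "em7"), ("10.5.0.0/16", "em5")]

# The line brainstomp posted, and a constructed SYN-only block for contrast.
THREAD_LINE = ("Oct  6 16:38:40 pfSense1 filterlog: 5,16777216,,1000000103,em5,"
               "match,block,in,4,0x0,,128,22348,0,DF,6,tcp,52,10.5.10.10,"
               "10.1.13.81,80,53013,0,SA,1913811785,1972202718,8192,,"
               "mss;nop;wscale;nop;nop;sackOK")
CONSTRUCTED_SYN = ("Oct  6 16:40:00 pfSense1 filterlog: 5,16777216,,1000000103,"
                   "em5,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,10.5.10.10,"
                   "10.1.13.81,53014,80,0,S,1,0,65535,,mss")


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line (IPv4 only here)."""
    payload = line.split("filterlog: ", 1)[-1]          # drop the syslog prefix
    fields = payload.split(",")
    entry = dict(zip(HEADER_FIELDS, fields[:len(HEADER_FIELDS)]))
    rest = fields[len(HEADER_FIELDS):]
    if entry["ipver"] != "4":
        raise ValueError("this example only decodes IPv4 entries")
    entry.update(zip(IP4_FIELDS, rest[:len(IP4_FIELDS)]))
    rest = rest[len(IP4_FIELDS):]
    if entry["proto"] == "tcp":
        entry.update(zip(TCP_FIELDS, rest))
    elif entry["proto"] == "udp":
        entry.update(zip(UDP_FIELDS, rest))
    return entry


def blocking_rule(entry):
    """Name the rule behind a block: hidden default deny or a user rule."""
    label = DEFAULT_DENY_TRACKERS.get(entry["tracker"])
    if label:
        return f"{label} (tracker {entry['tracker']})"
    return f"user rule, tracker {entry['tracker']}"


def classify_block(entry):
    """Policy block (a new SYN) versus out-of-state (any other TCP packet)."""
    if entry["action"] != "block":
        return "not a block"
    if entry["proto"] != "tcp":
        return "block (non-TCP; flags cannot separate policy from out-of-state)"
    flags = entry.get("tcp_flags", "")
    if "S" in flags and "A" not in flags:
        return "policy block: new connection (SYN) refused on " + entry["iface"]
    return ("out-of-state: TCP " + flags + " packet with no matching state; the "
            "connection was never passed (or its state expired) on the interface "
            "where the client's SYN arrived")


def egress_interface(dst, routes):
    """Longest-prefix match over a (prefix, netif) route table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, netif in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


def hairpins_same_interface(entry, routes):
    """True when the packet would leave on the interface it arrived on, the
    case the 'Bypass firewall rules for traffic on the same interface' option
    exists for."""
    return egress_interface(entry["dst"], routes) == entry["iface"]


def triage(line, routes=ROUTES):
    """One-line summary a responder can paste into a ticket."""
    e = parse_filterlog(line)
    return {"flow": f"{e['src']}:{e.get('sport', '')} -> {e['dst']}:{e.get('dport', '')}",
            "rule": blocking_rule(e), "verdict": classify_block(e),
            "same_interface": hairpins_same_interface(e, routes)}


if __name__ == "__main__":
    for sample in (THREAD_LINE, CONSTRUCTED_SYN):
        print(triage(sample))
```

Running it reports the thread's line as a SYN-ACK from port 80 hitting the default deny on em5 with no state, exactly Derelict's reading, while the constructed SYN line is reported as a genuine policy block; the same-interface flag is true for both because 10.1.13.0/24 is routed back out em5 via 10.5.100.10, which is why a pass rule on em5 alone never matched the client's SYN.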

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.