[SOLVED] Blocking with a rule that I can't find



  • Solution:

    Bought a couple of support incidents. (Incidentally the best $400 I have ever spent on firewall support. I wish Cisco/Juniper/CheckPoint/WatchGuard/etc. had this kind of support).

    Opened a ticket.
    Gave the tech this entry on the forums.
    Tech said to go to System>Advanced>Firewall & NAT
    Check the box for "Bypass firewall rules for traffic on the same interface"
    This immediately solved the problem.

    Thanks to KOM & Derelict for their replies!

    BrainStomp

    –-------------------------------------------

    Hi gang,

    I have a strange problem (to me).

    I setup a pfsense to take care of firewalling and routing on my network and I have some traffic that is being blocked by a rule that does not exist on the firewall rules anywhere.

    Traffic from 10.5.10.10 headed to anything

    This is all on the same interface (em5) and I have a route to the 10.1.x.x/16 subnet already declared.
    I made a rule that allows all from 10.5.x.x/16 to go to 10.1.x.x/16 at the top of the rules for em5, this did not solve the problem.

    the firewall logs the following constantly:

    Oct  6 16:38:40 pfSense1 filterlog: 5,16777216,,1000000103,em5,match,block,in,4,0x0,,128,22348,0,DF,6,tcp,52,10.5.10.10,10.1.13.81,80,53013,0,SA,1913811785,1972202718,8192,,mss;nop;wscale;nop;nop;sackOK

    I have run:

    pfctl -sr

    looking for the rule and found only the rule that I created allowing 10.5.x.x/16 full access to everything  but nothing else blocking it

    block drop in log on ! em5 inet from 10.5.0.0/16 to any

    The details on the firewall:

    Version:

    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:57:37 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    Interface:

    LAND1LAN1 interface (opt4, em5)
    Status up
    MAC address 00:50:56:98:46:6a
    IPv4 address 10.5.0.1
    Subnet mask IPv4 255.255.0.0
    IPv6 Link Local fe80::250:56ff:fe98:466a
    MTU 1500
    Media 1000baseT <full-duplex>In/out packets 149046997/359988345 (74.89 GB/440.94 GB)
    In/out packets (pass) 149046997/359988345 (74.89 GB/440.94 GB)
    In/out packets (block) 1686130/152865 (132.05 MB/9.93 MB)
    In/out errors 0/0
    Collisions 0

    Routes:

    IPv4
    Destination Gateway Flags Use Mtu Netif Expire
    0.0.0.0/8 link#4 U 0 1500 em3
    default 96.91.183.254 UGS 8758919 1500 em0
    10.1.2.0/24 10.5.100.10 UGS 196406 1500 em5
    10.1.3.0/24 10.5.100.10 UGS 1442421 1500 em5
    10.1.4.0/24 10.5.100.10 UGS 174171 1500 em5
    10.1.5.0/24 link#8 U 10711953 1500 em7
    10.1.5.254 link#8 UHS 0 16384 lo0
    10.1.6.0/24 10.5.100.10 UGS 173100 1500 em5
    10.1.7.0/24 10.5.100.10 UGS 283354 1500 em5
    10.1.8.0/24 10.5.100.10 UGS 103694 1500 em5
    10.1.9.0/24 10.5.100.10 UGS 177588 1500 em5
    10.1.10.0/24 link#7 U 8473159 1500 em6
    10.1.10.254 link#7 UHS 0 16384 lo0
    10.1.11.0/24 10.5.100.10 UGS 326391 1500 em5
    10.1.12.0/24 10.5.100.10 UGS 944054 1500 em5
    10.1.13.0/24 10.5.100.10 UGS 71508 1500 em5
    10.1.16.0/24 10.5.100.10 UGS 152044 1500 em5
    10.1.18.0/24 10.5.100.10 UGS 908908 1500 em5
    10.1.19.0/24 10.5.100.10 UGS 5836683 1500 em5
    10.1.20.0/24 10.5.100.10 UGS 706381 1500 em5</full-duplex>



  • Oct  6 16:38:40 pfSense1 filterlog: 5,16777216,,1000000103,em5,match,block,in,4,0x0,,128,22348,0,DF,6,tcp,52,10.5.10.10,10.1.13.81,80,53013,0,SA,1913811785,1972202718,8192,,mss;nop;wscale;nop;nop;sackOK

    Nobody has a clue what that means.  Post a screenshot of the log entry.

    By default, pfSense allows all from LAN, but blocks all from any other interface until you add an allow rule for that interface.  The blocking rule is called the Default Deny rule, and it is indeed hidden.  Imagine it being at the very bottom of your interface rules.  WHen you look at your firewall logs and see blocks, click on the red/white X and it will tell you the rule that blocked it.



  • Indeed it appears to be the default deny rule but why won't it take the rule I put explicitly allowing this to take place ahead of the default deny rule?





  • LAYER 8 Netgate

    What's not working?

    I have to say I'm a little confused by the route for 0.0.0.0/8

    Not that it has anything to do with anything - your logs are simply out-of-state traffic.



  • @KOM:

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Yea, saw that already. Yes I did RTFM. That is why I am asking here, because I can't find a way to solve this.

    Derelict:

    What isn't working is that the servers in 10.5.10.x are not able to talk with their clients at 10.1.x.x. That traffic is all being blocked by the default Deny rule.



  • Also I have tried putting the rule to allow the traffic in the floating rules with no luck.



  • because I can't find a way to solve this

    You're better off ignoring it, or create your on blocking rule above the default and set it to not log, but then you won't be logging anything.  You can also uncheck the Log packets matched from the default block rules put in the ruleset option in Status -  System logs -  Settings - General Logging Options - Log Firewall Default Blocks.


  • LAYER 8 Netgate

    You are not posting any logs showing traffic being blocked.  If TCP traffic was being blocked it would be a blocked SYN (S) packet in the logs.

    You have to put the rules in place for the devices that are MAKING the connections.  If you have a web server on 10.5.10.100 and a client on 10.1.1.101 you need a rule on the 10.1.1.X/X interface that passes traffic from 10.1.1.101 to 10.5.10.100.  You need absolutely no rules on the 10.5.10.X/X interface for that web traffic to occur.


Log in to reply