Netgate Discussion Forum
    PfSense blocks TCP States from LAN to Internet

    Firewalling
    3 Posts 2 Posters 1.4k Views
    danielh86

      Hi,

      I have problems with TCP states (TCP:S etc.) that get blocked when a LAN client connects to a server on the internet. That changes from time to time; today I can't access the amazon.de homepage, for example. My network looks like this:

      Internet --> Cable Modem --> PfSense FW --> simple home switch --> Wifi Repeater

      The problems occur when connected directly via cable to the switch or via wifi to the wifi receiver...

      I enabled "Bypass firewall rules for traffic on the same interface" under System-->Advanced and created asymmetric routing rules that allow:

      Interface: LAN
      Proto: TCP
      Source: LAN net
      Target: Any
      TCP flags: Any
      State type: sloppy state

      The same under Floating tab.

      Attached are some screenshots of my rules and firewall logs (blocking a LAN client connection to internet server)...

      Does anybody have a clue what's wrong in my config?

      Thanks for help!

      Daniel

      [Attachments: floating_rules.png, lan_rules.png, fw_log.png]

        cmb

        What you're trying to work around isn't relevant to your environment unless it's really messed up. Remove the floating rule, remove the second rule on LAN (it'll never match anything anyway), and you can uncheck "Bypass firewall rules for traffic on the same interface" or leave it there (it has no impact where you have no static routes, which you shouldn't from the sounds of it).

        Click on the X in the firewall logs, what's blocking it? I'm guessing maybe you have Snort with blocking enabled and have signatures enabled that are prone to false positives.

          danielh86

          Hi cmb,

          thanks for the reply!

          The rules on the Floating and LAN tabs were there because I had problems with VirtualBox VMs on my notebook (the VM was NATed to the internal real network).
          I only described them here to show a complete overview of my network and firewall settings... btw, do those sloppy state rules impact firewall security?

          You were right, I use Snort, and indeed the Snort HTTP ruleset blocked the traffic. I made some exceptions in the suppress list and I will monitor the future behaviour...
          Thanks for that hint!

          Regards
          Daniel

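The thread never answers the question about what the "sloppy state" rule gives up, so here is the rule from the first post written out in pf syntax next to the default pfSense LAN rule. This is an added illustration, not configuration from the thread or from pfSense itself; the interface macro `$LAN`, the LAN subnet `192.168.1.0/24` and the two-space layout are assumptions, and pfSense's generated ruleset carries extra `tracker`, `ridentifier` and `label` keywords that are omitted here.

```pf
# Default pfSense "LAN to any" TCP rule, as pf sees it (simplified, assumed names).
# flags S/SA: a state is only created by a packet with SYN set and ACK clear,
# so the firewall always sees the handshake and can track sequence numbers.
pass in quick on $LAN inet proto tcp from 192.168.1.0/24 to any \
    flags S/SA keep state

# The asymmetric-routing variant described in the first post.
# flags any: a state may be created from a mid-stream packet (e.g. a lone ACK).
# keep state (sloppy): pf skips the TCP sequence-window checks for this state.
# Both are only needed when one direction of a flow bypasses the firewall;
# on a single-gateway home LAN they disable pf's anti-spoofing/injection checks
# without fixing anything, which is why cmb advised removing the rule.
pass in quick on $LAN inet proto tcp from 192.168.1.0/24 to any \
    flags any keep state (sloppy)
```

Which rule a given LAN-to-internet block hit is visible in the firewall log when you click the block entry, as cmb suggested; a block attributed to Snort rather than to a pass/block rule points at the IPS, not at state tracking.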
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.