PfSense blocks TCP States from LAN to Internet

  • Hi,

    I have problems with TCP states (TCP:S etc.) that get blocked when a LAN client connects to a server on the internet. That changes from time to time; today I can't access a homepage, for example. My network looks like this:

    Internet --> Cable Modem --> PfSense FW --> simple home switch --> Wifi Repeater

    The problems occur when connected directly via cable to the switch or via wifi to the wifi receiver...

    I enabled "Bypass firewall rules for traffic on the same interface" under System-->Advanced and created asymmetric routing rules that allow:

    Interface: LAN
    Proto: TCP
    Source: LAN net
    Target: Any
    TCP flags: Any
    State type: sloppy state

    The same under Floating tab.

    Attached are some screenshots of my rules and firewall logs (blocking a LAN client connection to internet server)...

    Does anybody have a clue what's wrong in my config?

    Thanks for help!


  • What you're trying to work around isn't relevant to your environment unless it's really messed up. Remove the floating rule, remove the second rule on LAN (it'll never match anything anyway); you can uncheck "Bypass firewall rules for traffic on the same interface" or leave it there (it has no impact where you have no static routes, which you shouldn't from the sounds of it).

    Click on the X in the firewall logs, what's blocking it? I'm guessing maybe you have Snort with blocking enabled and have signatures enabled that are prone to false positives.

  • Hi cmb,

    thanks for the reply!

    The rules on the Floating and LAN tabs were there because I had problems with VirtualBox VMs on my notebook (the VM was NATed to the internal real network).
    I only described it here to show a complete overview of my network and firewall settings... btw, do those sloppy state rules impact firewall security?

    You were right, I use Snort and indeed the Snort HTTP ruleset blocked the traffic. I made some exceptions in the suppress list and I will monitor the future behaviour...
    Thanks for that hint!

