Limiter Host Blocked From Leaving LAN ; TCP:SA Blocked
-
My Setup :
Here is my setup :
Router AN5506-04 - PPPOE (dynamic) - Pfsense - switch - LAN
Rules :
WAN
IPv4+6 TCP/UDP * * * * * none
LAN
IPv4+6 * PenaltyBox * * * * none
IPv4+6 * LAN net * * * * none

Host in PenaltyBox (assigned with limiter In/Out) recorded a lot of TCP:SA blocked.
Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56445 TCP:SA block/1000000104
Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56444 TCP:SA block/1000000104
Direction=OUT LAN 216.58.196.206:80 192.168.3.83:56414 TCP:SA block/1000000104

How can I fix this?
-
-
Use screenshots next time. Much easier to read.
-
Get rid of that WAN rule ASAP! You should not have rules on WAN unless you are allowing unsolicited access inbound, like a port-forwarded web server, for example.
-
That may be out of state traffic being blocked by the default deny rule. Are you experiencing any actual usage issues?
-
-
What rule is blocking them? I assume the default, but figured it's worth asking.
-
@KOM:
-
Use screenshots next time. Much easier to read.
-
Get rid of that WAN rule ASAP! You should not have rules on WAN unless you are allowing unsolicited access inbound, like a port-forwarded web server, for example.
-
That may be out of state traffic being blocked by the default deny rule. Are you experiencing any actual usage issues?
1) Thanks for the tips.
2) Removed
3) Not able to access IPv6-only location.
-
What rule is blocking them? I assume the default, but figured it's worth asking.
Yes. Default blocking. But once I removed the IN/OUT limit, no blocks were recorded.
-
It's usually out of state traffic when you see stuff blocked when there are no blocks other than default deny.
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
@KOM:
It's usually out of state traffic when you see stuff blocked when there are no blocks other than default deny.
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
Usually it was. But this time I doubt that, since it only applies to those IPs that I put a limiter on. Any idea?
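
An added example (not part of the original thread, and not pfSense code): a short Python triage of the log lines pasted in the first post, checking whether the blocked non-SYN packets are confined to the limited host. The LAN subnet 192.168.3.0/24, 192.168.3.83 being the PenaltyBox host, and the fourth log line are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the LAN is 192.168.3.0/24 (the thread only shows one host address).
LAN = ipaddress.ip_network("192.168.3.0/24")

# First three lines are from the thread; the fourth is constructed (a bare SYN
# from a different LAN host) so that both classes appear.
SAMPLE = """\
Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56445 TCP:SA block/1000000104
Direction=OUT LAN 203.114.28.25:80 192.168.3.83:56444 TCP:SA block/1000000104
Direction=OUT LAN 216.58.196.206:80 192.168.3.83:56414 TCP:SA block/1000000104
Direction=IN LAN 192.168.3.90:51000 203.0.113.9:443 TCP:S block/1000000103
"""

# Matches the layout pasted in the thread (IPv4 only), not raw filterlog output.
LINE = re.compile(
    r"Direction=(?P<dir>\w+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP:(?P<flags>[A-Z]+)\s+block/(?P<rule>\d+)"
)

def classify(flags):
    """A bare SYN opens a connection; any other flag set (SA, A, FA, ...) only
    passes if a matching state exists, so a block on it means state was missing."""
    return "new-connection" if flags == "S" else "out-of-state"

def summarize(text, lan=LAN):
    """Return {(lan_host, class): count} for every blocked TCP line in text."""
    counts = defaultdict(int)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not in the pasted layout, skip
        ends = (m["src"], m["dst"])
        host = next((e for e in ends if ipaddress.ip_address(e) in lan), None)
        if host:
            counts[(host, classify(m["flags"]))] += 1
    return dict(counts)

def out_of_state_only_on(counts, limited):
    """True if every host with out-of-state blocks is one of the limited hosts."""
    hosts = {h for (h, kind) in counts if kind == "out-of-state"}
    return bool(hosts) and hosts <= set(limited)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result)
    print("only limited hosts affected:", out_of_state_only_on(result, {"192.168.3.83"}))
```
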