I did a test of pfsense this weekend, temporarily replacing my PIX
firewall with pfsense.

I was not able to communicate from the inside to the internet. I have
a "catch-all" rule on the LAN side that should have allowed traffic
through, but according to the logs, the default rule is being
triggered, even though it is farther down in the list:

(bge0 is the LAN interface)


From pfctl -s rules -vv:
@108 pass in quick on bge0 all flags S/SA keep state label "USER_RULE: catchall"
.
.
.
@115 block drop in log quick all label "Default deny rule"


A log entry:
pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id
14015, offset 0, flags [DF], proto TCP (6), length 64) 10.x.y.z.80 >
72.30.xxx.xxx.54707: S, cksum 0xb09a (correct),
1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp
12784312 1491842314,mss 1460,nop,wscale 0,nop,nop,sackOK>

The IPs on the inside (10.x.y.z) are not on the LAN subnet, but are
on other internal subnets that are being routed to pfsense. There are
static routes for the internal networks that point to the inside
router that pfsense is connected to.

So... why is rule 115 getting matched and not 108?

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
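The rule listing and log entry from the post above, modeled as an added example (this is editor-added code, not code from the original poster or from the pfSense project): a small Python evaluation of pf's `flags a/b` condition as documented in pf.conf(5), run over a constructed copy of the logged packet. The model checks only the TCP flag condition of each `quick` rule in order; it deliberately ignores state-table lookups and interface/address matching, and the log line is re-joined from the wrapped lines in the post with the same redacted addresses.

```python
"""Model of pf's TCP ``flags a/b`` test, applied to the logged packet.

Added example, not part of the original post.  pf.conf(5) defines
``flags a/b`` as: every flag in ``a`` must be set, every flag in ``b``
that is not in ``a`` must be clear, and flags outside ``b`` are ignored.
``flags any`` matches every flag combination.  State lookups and
address/interface matching are out of scope here.
"""
import re

# Single-letter flag codes shared by pf's flags syntax and tcpdump output.
FLAG_LETTERS = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
    "A": "ACK", "U": "URG", "E": "ECE", "W": "CWR",
}

# Constructed copy of the log entry from the post, joined onto one line.
LOG_LINE = (
    "pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id "
    "14015, offset 0, flags [DF], proto TCP (6), length 64) 10.x.y.z.80 > "
    "72.30.xxx.xxx.54707: S, cksum 0xb09a (correct), "
    "1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp "
    "12784312 1491842314,mss 1460,nop,nop,sackOK>"
)

# (rule number, flags condition or None when the rule has none, label),
# in the order pf evaluates them; both rules in the post are "quick".
RULES = [
    (108, "S/SA", "USER_RULE: catchall"),
    (115, None, "Default deny rule"),
]


def pf_flags_match(spec, packet_flags):
    """Return True if a packet carrying ``packet_flags`` satisfies ``spec``.

    ``spec`` uses pf's notation: ``a/b``, ``/b`` (nothing required set) or
    ``any``.  ``packet_flags`` is a set of flag names such as {"SYN", "ACK"}.
    """
    if spec == "any":
        return True
    if "/" not in spec:
        raise ValueError("pf flags need the a/b form: %r" % spec)
    a, b = spec.split("/", 1)
    must_set = {FLAG_LETTERS[c] for c in a}
    examined = {FLAG_LETTERS[c] for c in b}
    if not must_set <= examined:
        raise ValueError("every flag in a must also appear in b: %r" % spec)
    must_clear = examined - must_set
    return must_set <= packet_flags and not (must_clear & packet_flags)


def parse_tcpdump_flags(log_line):
    """Extract the TCP flag set from an old-style tcpdump/pf log line.

    The older tcpdump format prints the flag letters right after the
    destination (``> host.port: S,``) and prints ``ack N`` only when the ACK
    bit is set, so a SYN-ACK shows up as ``S`` plus an ``ack`` field.
    """
    m = re.search(r"> \S+: ([FSRPUWE.]+),", log_line)
    if not m:
        raise ValueError("no TCP flag field found in log line")
    flags = {FLAG_LETTERS[c] for c in m.group(1) if c != "."}
    if re.search(r"\back \d+", log_line):
        flags.add("ACK")
    return flags


def first_matching_rule(packet_flags, rules):
    """Walk ``rules`` in order and return (number, label) of the first
    whose flag condition the packet satisfies; a rule with no flags
    condition matches any TCP packet.  Returns None if nothing matches."""
    for number, spec, label in rules:
        if spec is None or pf_flags_match(spec, packet_flags):
            return number, label
    return None


if __name__ == "__main__":
    flags = parse_tcpdump_flags(LOG_LINE)
    print("logged packet flags:", sorted(flags))
    print("matches 'S/SA':", pf_flags_match("S/SA", flags))
    print("first matching rule:", first_matching_rule(flags, RULES))
    print("a bare SYN would hit:", first_matching_rule({"SYN"}, RULES))
```

Run as a script, the model reports that the logged packet carries SYN and ACK (it is the SYN-ACK of a connection to port 80 on the inside host), which fails `S/SA` because that condition requires SYN set and ACK clear, so the walk reaches rule 115; a bare SYN takes rule 108. Whether a state entry created by the matching inbound SYN should have passed this packet before any rule was consulted is a state-table question the model does not answer.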