
Topic: Allowed traffic showing as blocked by non-active Firewall in 2 firewall config

saxd40:
I have 2 pfSense 1.2.3-RELEASE firewalls set up with CARP.  Config:

LAN 172.20.0.0/16
DMZ 172.19.0.0/16

The LAN has full access to initiate connections to the DMZ and everything appears to work fine.  I compared the firewall rules on the primary and secondary pfSense boxes and they are identical.

I have "Log packets blocked by the default rule" turned on on both pfSense boxes.

Everything looks fine in the firewall log on the primary pfSense box, but the odd thing I see is that the non-active pfSense box firewall log is showing traffic from the LAN to the DMZ as being blocked by:

Source: 172.20.x.y (LAN)
Destination: 172.19.a.b (DMZ)

   @220 block drop in log quick all label "Default deny rule"

Is this some hidden rule that keeps the non-active pfSense box from duplicating the traffic onto the DMZ?  Seems like if that was the case there would be a similar rule and weird entries for the WAN interface (which I'm not seeing).

Thanks,
Sam

saxd40:
Ah, I think I have a better understanding of what is really happening here.

The only IP addresses that are showing up are ones that are for a Microsoft Load Balanced IP with two members.  I'm guessing what is getting blocked are the packets that are viewed as out of order by the non-active box, based on the fact that the primary firewall has already gotten past the part of the connection setup at which a given packet type would be expected.

So sorry for the false alarm.  I just noticed when I went back through the logs that it was only happening on the LB IPs.

The more I'm exposed to this implementation of load balancing the less I like it--unfortunately, we are committed to this at least for the near future.
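The triage described in this thread (default-deny log entries on the backup CARP node that are really mid-stream packets the backup holds no state for, versus SYN packets that a rule should have allowed) can be scripted. The following is an added example, not code from the poster or from the pfSense project: it parses constructed, tcpdump-style pf log lines (the exact pflog text layout is an assumption; adapt `LINE_RE` to the real log), uses the rule number 220 quoted in the first post as the default-deny rule, and treats the set `LB_VIPS` (constructed here) as the load-balanced addresses the second post identifies. A TCP packet that is not a bare SYN and is headed for an LB VIP is classified as the expected no-state block on the backup node; a bare SYN that hit the default deny is a real denied connection attempt that deserves a look at the rule set.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines from the *backup* node, in an assumed tcpdump-like pflog
# layout: "rule N/0(match): block in on IFACE: SRC.PORT > DST.PORT: Flags [..], ..."
SAMPLE_LOG = """\
rule 220/0(match): block in on em1: 172.20.5.10.51234 > 172.19.3.4.80: Flags [P.], length 120
rule 220/0(match): block in on em1: 172.20.5.10.51234 > 172.19.3.4.80: Flags [.], length 0
rule 220/0(match): block in on em1: 172.20.8.22.40001 > 172.19.3.4.443: Flags [S], length 0
rule 220/0(match): block in on em1: 172.20.9.9.60000 > 172.19.77.1.22: Flags [S], length 0
rule 220/0(match): block in on em1: 172.20.1.2.1234 > 172.19.3.4.53: UDP, length 64
"""

DEFAULT_DENY_RULE = "220"  # from the thread: @220 block drop in log quick all label "Default deny rule"
LB_VIPS = {ipaddress.ip_address("172.19.3.4")}  # constructed Microsoft NLB VIP for this example

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): block (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<proto>UDP|ICMP))"
)


def parse_line(line):
    """Return a dict of the fields in one block-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    return entry


def classify(entry):
    """Label a default-deny block seen on the backup node.

    tcpdump flag notation: 'S' = SYN, '.' = ACK, 'P' = PSH. A bare SYN is the first
    packet of a handshake; anything carrying ACK is mid-stream and needs state that
    only the master node created.
    """
    if entry["rule"] != DEFAULT_DENY_RULE:
        return "other-rule"
    flags = entry["flags"]
    if flags is None:
        return "non-tcp-review"          # UDP/ICMP: no handshake to reason about
    bare_syn = "S" in flags and "." not in flags
    if bare_syn:
        return "new-connection-denied"   # rule gap or a genuine denied attempt
    if entry["dst"] in LB_VIPS:
        return "backup-no-state-expected"  # the case the thread ended up explaining
    return "mid-stream-unexpected"       # mid-stream block to a non-LB host: look closer


def triage(log_text):
    """Parse every line and return (per-class counts, list of (line, class))."""
    counts = Counter()
    labelled = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[label] += 1
        labelled.append((line, label))
    return counts, labelled


if __name__ == "__main__":
    counts, labelled = triage(SAMPLE_LOG)
    for line, label in labelled:
        print(f"{label:26} {line}")
    print(dict(counts))
```

The "new-connection-denied" bucket is the one worth comparing against the rule set on both nodes; if the rules really are identical, as the poster checked, a bare SYN to an address that the LAN is allowed to reach should not land in that bucket on either node.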