<p>pfSense bugtracker</p>
<p>pfSense - Bug #8247: When in bridge / transparent mode, pfSense blocks UDP/4500 & ESP traffic regardless of origin</p>
<p>https://redmine.pfsense.org/issues/8247?journal_id=35488 (2017-12-30T22:08:21Z) Travis McMurry</p>
<p>Sorry about the trailing open-ended sentence. Should have edited it out. :)</p>
<p>https://redmine.pfsense.org/issues/8247?journal_id=35499 (2018-01-02T17:20:46Z) Travis McMurry</p>
<p>In the days since I created this bug, I continue to observe pfSense filtering out inbound return UDP traffic unless explicitly permitted with source IPs and ports. It's more than just my original claim with VPN; that was just the first source. I see it blocking WS-Discovery, DHCPv6, IPv6 multicast broadcasts, and more.</p>
<p>My default outbound permit on the subnet is IPv4/IPv6, protocols (all), source (inside), destination (any). TCP traffic is fine, but return UDP traffic isn't - despite the state table reflecting that the UDP session is open.</p>
<p>https://redmine.pfsense.org/issues/8247?journal_id=36146 (2018-03-29T16:31:08Z) Travis McMurry</p>
<p>Fast forward to a new pfSense 2.4.3 installation in <strong>routed</strong> mode and the same behavior occurs:</p>
<ul>
<li>Only one rule in network: Permit IPv4/IPv6, Protocol All, source 10.10.40.0, destination any</li>
<li>Only one NAT rule: Translate 10.10.40.0/24 across WAN interface (static port is checked, also tried unchecked; tried "Keep" & "Sloppy" States)</li>
<li>Initiate Cisco AnyConnect VPN session from 10.10.40.15 to 208.231.72.44 (Xlate IP: 73.0.255.142)</li>
<li>Outbound Traffic flow is permitted</li>
<li>Inbound Traffic flow is denied: Interface: WAN Rule: Default deny rule IPv4 (1000000103) SRC: 208.231.72.44 Dst: 73.0.255.142 UDP</li>
<li>Inbound Traffic flow is denied: Interface: WAN Rule: Default deny rule IPv4 (1000000103) SRC: 208.231.72.44:4500 Dst: 73.0.255.142:4500 UDP</li>
</ul>
<p>It looks like what is happening is the initial request outbound is from my IP (random port) to destination IP, port 443 TCP. The AnyConnect endpoint responds with two UDP sessions as shown above. I believe pfSense is not expecting the far end to return with UDP instead of TCP, therefore is terminating the connection via default rule.</p>
<p>The workaround seems to be:</p>
<p>In System -> Advanced -> Firewall/NAT -> UNCHECK "Disable Firewall Scrub"</p>
<p>Once that was in place, AnyConnect was able to work without any changes to the AnyConnect client, with only one rule on the Work interface - any protocol, any source/dest; with "keep" state & dynamic port.</p>
<p>https://redmine.pfsense.org/issues/8247?journal_id=41823 (2019-08-20T13:13:12Z) Jim Pingle</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Not a Bug</i></li></ul><p>I don't see a bug here, but quirky remote equipment that needs special rules to handle those quirks. Of course a firewall doesn't expect to see UDP in response to a TCP connection. That's not the firewall's fault.</p>