pfSense core router issue: default deny keeps blocking some things

I run a lab at work that is a couple hundred VMs, spread across ~50 VLANs that are all routed by one core router. We have been using a Palo Alto, but last Thursday I setup a spare server as a pfSense box just to have as a backup. At first I setup the box with the firewall turned off since it was only a router, but I quickly discovered that basically nothing gets logged when you do this. I setup the most permissive floating rules possible so that I can log the traffic.

Quick match, any interface, any direction, any protocol, any flag, log traffic.

My environment lives on a secured network with many layers of security long before anything touches this router (and the IPv6 doesn’t have any path out as our corporate overlords are IPv4 only). This is working for the vast majority of the traffic just fine, but some small percentage seems to keep getting blocked by the “default deny rule” with a protocol listed as TCP:A and I can’t for the life of me figure out why.

Netgate’s documentation suggested that it may be an asymmetric routing situation. Troubleshooting — Troubleshooting Asymmetric Routing | pfSense Documentation

It doesn’t seem to apply to me though as I have no static routes defined, nor do my networks have multiple gateways.

Anyway, if anyone knows what weird edge case I have here, I’d appreciate any insight.

Do you have any devices other than the pfSense box with interfaces on multiple VLANs?

Also, a device with an incorrect netmask setting could cause asymmetric routing.

1 Like

There are a couple switches in the physical laptop testing area that do, but I’m not seeing the issue on those subnets.

Interesting, but this shouldn’t be happening as we configured everything with DHCP. I’ll check it out all the same to be sure though.