pfSense+ firewall

Hi, I noticed the following behavior of the firewall: when a connection should be blocked by a rule, the 1st packet (or whatever) is allowed, the firewall logs this, and the rule is triggered on the next packet and the following packets as expected. Is this by design, or can it be avoided by some settings?

What version of pfSense, and what is it running on?

Have you installed the Patches application and installed all the latest patches?

Current Base System: 24.11
running in white box: Xeon W-2135, 32GB RAM, WAN+10VLAN+7VPN
all patches applied
no errors or misconfiguration reported

Seems it happens only for a port forwarding situation. Although the block rule is applied to the WAN interface, and the log contains the destination port of the destination IP (which is different from the destination port of the WAN interface).

Do you have a packet capture of this happening? How do you know this is what’s going on? Please provide all the evidence.

I have a packet capture and a Syslog collector. The firewall log contains, chronologically, a pass entry and after that some blocked entries, for the same connection (source IP, destination IP, ports, etc).
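Added example, not part of any post in this thread: one way to pull the evidence asked for above out of the syslog collector is to group pfSense `filterlog` entries by connection and report flows that were logged as pass and later as block, together with the tracker ID of each rule involved. It assumes raw `filterlog` CSV lines and handles IPv4 TCP/UDP only; the sample lines, addresses and tracker IDs are constructed.

```python
import re

# Constructed sample syslog lines (documentation address ranges, made-up tracker IDs).
SAMPLE = [
    "Jan 10 12:00:01 fw filterlog[4321]: 88,,,1700000001,igb0,match,pass,in,4,0x0,,55,4321,0,DF,6,tcp,60,198.51.100.23,192.168.10.50,40112,8443,0,S,1234567,,64240,,mss",
    "Jan 10 12:00:01 fw filterlog[4321]: 91,,,1700000002,igb0,match,block,in,4,0x0,,55,4322,0,DF,6,tcp,52,198.51.100.23,192.168.10.50,40112,8443,0,A,1234568,1,64240,,",
    "Jan 10 12:00:02 fw filterlog[4321]: 91,,,1700000002,igb0,match,block,in,4,0x0,,55,4323,0,DF,6,tcp,52,198.51.100.23,192.168.10.50,40112,8443,0,A,1234568,1,64240,,",
    "Jan 10 12:00:03 fw filterlog[4321]: 91,,,1700000002,igb0,match,block,in,4,0x0,,55,9001,0,DF,6,tcp,60,203.0.113.9,192.168.10.50,50000,8443,0,S,777,,64240,,mss",
]

LINE_RE = re.compile(r"filterlog\[\d+\]:\s*(\S+)")


def parse(line):
    """Return (flow, action, tracker) for an IPv4 TCP/UDP filterlog line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Field 8 is the IP version, field 16 the protocol name.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    # interface, protocol, source IP, source port, destination IP, destination port
    flow = (f[4], f[16], f[18], f[20], f[19], f[21])
    return flow, f[6], f[3]


def pass_then_block(lines):
    """Map each flow that was logged as pass and later as block to the rules involved."""
    first_pass, findings = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        flow, action, tracker = rec
        if action == "pass":
            first_pass.setdefault(flow, tracker)
        elif action == "block" and flow in first_pass:
            hit = findings.setdefault(
                flow, {"pass_tracker": first_pass[flow], "block_trackers": [], "blocked": 0})
            hit["blocked"] += 1
            if tracker not in hit["block_trackers"]:
                hit["block_trackers"].append(tracker)
    return findings


if __name__ == "__main__":
    for flow, hit in pass_then_block(SAMPLE).items():
        print(flow, hit)
```

The tracker IDs in the output identify which rule logged the pass and which logged the blocks, so the two can be compared against the ruleset and the packet capture.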