Schrodinger's Packet

I’ve been in the process of:

  • Isolating traffic between VLAN’s within pfsense

  • Blocking almost all VLAN’s from being able to access the firewall interface

    When testing the firewall rules from devices within those VLAN’s it’s working as expected. However, when attempting to access the firewall from a device, which is offsite, but connected by an IPSec tunnel, I see that the packet’s are both blocked and passed at the same time:

Rule 8 is "@8(1000000103) block drop in log inet all label “Default deny rule IPv4"”. I’m guessing this falls under the WAN interface? I don’t know how to confirm this.
Rule 162 is “@162(1489834254) pass in log quick on enc0 inet all flags S/SA keep state label “USER_RULE: CLEAR””. This is an all clear rule that exists on the IPsec tab in the firewall rules.

Now I’ve tested this and I can indeed open the firewall’s web UI from devices connected over the IPSec tunnel. I’m assuming I’ll need to add some IPsec firewall rules. I’m jus really confused as to how traffic is showing as both blocked and passed at the same time.

Does anyone have an explanation for this?