Troubleshooting pfSense Firewall Rules: Fixing High Latency, Packet Loss, and 502 Bad Gateway Errors
Comprehensive guide to resolving pfSense firewall rule misconfigurations causing high latency, packet loss, and 502 bad gateway errors. Includes diagnostic comm
- Asymmetric routing caused by state mismatch is the most common cause of dropped packets and latency in pfSense.
- Hardware checksum offloading bugs with certain NICs (e.g., Realtek) frequently lead to packet loss and 502 Bad Gateway timeouts on reverse proxies.
- Improperly ordered rules (specifically default block rules superseding pass rules) or overly restrictive floating rules can inadvertently block legitimate traffic.
- Quick fix: Disable Hardware Checksum Offloading in System > Advanced > Networking, review firewall logs for blocked states, and ensure symmetric routing is maintained.
| Method | When to Use | Time | Risk |
|---|---|---|---|
| Disable Hardware Offloading | Experiencing general packet loss or 502 errors with specific NICs | 5 mins | Low |
| Bypass Firewall Rules for Asymmetric Routing | Multi-WAN setups or internal routers causing state drops | 15 mins | Medium |
| Adjust State Timeouts | Applications timing out prematurely behind the firewall | 10 mins | Low |
| Traffic Shaper (FQ_CODEL) | Bufferbloat or high latency under load | 30 mins | Medium |
Understanding the Error
When managing a pfSense appliance, firewall rules dictate the flow of traffic across interfaces. However, misconfigured rules, state table exhaustion, or hardware-level incompatibilities can manifest as severe network anomalies. Users typically experience these as high latency, consistent packet loss, or upstream application failures like 502 Bad Gateway errors when a reverse proxy (like HAProxy or Nginx) fails to reach backend servers through the firewall.
The firewall is a stateful packet inspection (SPI) device. It tracks the state of network connections. If a packet arrives that does not match an existing state or a permissive firewall rule, it is dropped. When dealing with complex routing (like Multi-WAN or policy-based routing), packets might leave one interface and return on another, leading to asymmetric routing. pfSense will drop the returning packets because they don't match the state table for the interface they arrived on, resulting in instant packet loss and high latency as TCP retransmissions stack up.
Step 1: Diagnose
Before modifying rules, you must identify where the drop is occurring. The pfSense firewall logs (Status > System Logs > Firewall) are your first stop. Look for the red 'X' indicating blocked traffic. If you see legitimate traffic being blocked by the Default deny rule IPv4 (1000000103), it confirms a rule or state issue.
Next, investigate state table issues and packet loss from the pfSense shell or Diagnostics > Command Prompt. You want to check if the state table is full, or if specific interfaces are dropping packets at the hardware/driver level.
Run a continuous ping from a client behind the firewall to an external IP (e.g., 8.8.8.8), and simultaneously run a packet capture (Diagnostics > Packet Capture) on the WAN interface filtering by the client's IP. If you see Echo Requests leaving but no Echo Replies returning, the ISP might be dropping it, or NAT is failing. If Replies return but don't reach the client, the firewall is dropping them on the way back.
For 502 Bad Gateway errors, this often indicates that while the connection to the proxy succeeds, the proxy's connection to the backend is failing. If the proxy and backend are separated by pfSense, check if pfSense is aggressively timing out idle TCP connections, or if hardware checksum offloading is corrupting packets between internal interfaces.
Step 2: Fix
Fix A: Disable Hardware Checksum Offloading
This is the most common culprit for unexplained packet loss and 502 errors, especially with Realtek NICs or virtualized pfSense instances (Proxmox, ESXi).
- Navigate to System > Advanced > Networking.
- Check the box for Disable hardware checksum offload.
- Check the box for Disable hardware TCP segmentation offload.
- Check the box for Disable hardware large receive offload.
- Click Save and Reboot the pfSense router. (A reboot is mandatory for these changes to take effect).
Fix B: Resolving Asymmetric Routing
If you have multiple internal routers or complicated VLANs, ensure pfSense is aware of the routing topology. If you cannot fix the physical topology to ensure symmetric routing, you must instruct pfSense to bypass state checking for specific traffic.
- Go to Firewall > Rules > Floating.
- Add a new rule.
- Action: Pass.
- Quick: Check (Apply the action immediately on match).
- Interface: Select the interfaces involved in the asymmetric routing.
- Protocol: TCP/UDP.
- Source/Destination: Define the affected subnets.
- Advanced Options: Under State type, select Sloppy State or None. (Sloppy state is generally safer as it still tracks some state but is less strict about sequence numbers).
- Save and Apply Changes.
Fix C: Addressing High Latency under Load (Bufferbloat)
If latency spikes only occur during heavy downloads/uploads, firewall rules aren't blocking traffic, but the queues are unmanaged. Implement FQ_CODEL limiters.
- Go to Firewall > Traffic Shaper > Limiters.
- Create a new Limiter for Download, set bandwidth slightly below your actual max download speed. Set Queue Management Algorithm to CoDel and Scheduler to FQ_CODEL.
- Create a child queue under this limiter.
- Repeat for Upload.
- Go to Firewall > Rules > LAN (or the interface where traffic originates).
- Edit your default pass rule (or create a specific one).
- Under Advanced Options > In/Out pipe, select your Upload queue for the 'In' pipe and Download queue for the 'Out' pipe.
- Save and Apply Changes. This will prioritize interactive traffic and drastically reduce latency spikes.
Fix D: Rule Order and Floating Rules
pfSense evaluates rules from top to bottom on a per-interface basis, stopping at the first match (unless it's a floating rule without 'Quick' selected). Ensure that overly broad block rules are not placed above your specific pass rules. Also, check Firewall > Rules > Floating. Floating rules apply before interface rules. A block floating rule might be dropping traffic before it even reaches your carefully crafted LAN rules.
Frequently Asked Questions
# Useful pfSense shell commands for diagnosing rule and state issues
# View the current state table
pfctl -s states
# Filter state table for a specific IP (e.g., 192.168.1.50)
pfctl -s states | grep 192.168.1.50
# View current pf rules loaded in memory
pfctl -sr
# Monitor dropped packets in real-time on the pflog0 interface
tcpdump -n -e -ttt -i pflog0
# Check network interface hardware capabilities (look for hardware checksumming offload - rxcsum, txcsum)
ifconfig -m ix0
# Kill all states for a specific host to force reconnection through new rules
pfctl -k 192.168.1.50Error Medic Editorial
Error Medic Editorial comprises senior DevOps and Site Reliability Engineers dedicated to demystifying complex network infrastructure and providing actionable solutions for enterprise systems.
Sources
- https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting.html
- https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#hardware-checksum-offloading
- https://forum.netgate.com/topic/132535/guide-troubleshooting-network-latency-and-packet-loss
- https://serverfault.com/questions/898740/pfsense-dropping-tcp-sa-packets-asymmetric-routing