Issue nat always need to reboot
-
Hi,
I was wondering if someone else has had this issue before.
Currently running pfSense 2.6.0, and what's odd is that every time I create a NAT I need to reboot pfSense for it to work.
I'm not sure if it's a pfBlocker issue, because I have to turn off pfBlocker for it to work; then when I try to turn it on the NAT does not work. Not sure how or what I can troubleshoot the issue?
Thank you
-
@killmasta93 I take it you mean a port forward? This would not require a reboot of pfsense. There are very few things that would require a reboot, update being the big one. There are a few other things that might require it - but they are few. Kernel driver like AES-NI or QAT change or enable prob require.
But a firewall change, nope. What exactly are you doing, creating a new forward to say 192.168.1.100 on port X, changing an existing port forward to say 192.168.1.200 or something?
pfblocker depending how you have it setup could be blocking inbound traffic from specific lists or IPs based on geo data, etc.
If you want some help figuring out what is going on - really going to need some more specific details of what exactly you're doing.
-
@johnpoz Thank you for the reply,
Correct, ex: I try to create a new NAT to point to another IP and port, I check and it does not work. What I have to do is turn off pfBlocker, and then it starts working,
then after that I have to turn pfBlocker back on and restart pfSense for pfBlocker and the NAT to work,
which I'm currently doing at the moment, but I wanted to see how I can troubleshoot the issue. As for pfBlocker, the rules that I did were created above pfBlocker on the WAN, so no reason to be blocking, and even if I turn pfBlocker back on it won't block either; I have to reboot for it to start working.
So not sure if it's a pfBlocker issue or a NAT issue.
Thank you
-
@killmasta93 you have no rules in floating from pfblocker. Or other?
If your rule that allows is above the rule in wan that pfblocker is blocking - then it's not possible for pfblocker to be the problem.
And you sure do not need to reboot pfsense for any firewalls to take effect or for the order of rules to be done. You just need to apply the rules.
The only issue that can come about with reloading of rules, is existing states could still be in play. But those wouldn't have anything to do with a block. Blocks do not create states.
Are you using pfblocker aliases in your port forwards? I do for example, not really a fan of auto rules.
Can you show your rules where you think they should be allowed and are not? Is your inbound traffic being blocked, or just not working - I would suggest you set your rules to log, so you can see which rule is allowing, or blocking, etc.
-
@johnpoz Hi thank you for the reply,
Correct no floating rules
Sure, I'm attaching the rules. So in this case I have a rule to block everything besides South America to the ports 465.
As you can see pfBlocker is working and it's on using alias.
also tried to delete the states,
I know if i reboot it starts working everything
Thank you
-
@killmasta93 don't do it that way... If all you want to allow is SAmerica, then allow that in your port forward.. ! rules can be problematic.. There is no reason to do it how you're trying to do it, you want to allow SAmerica, then allow that - don't try blocking everything else..
here is a port forward where I allow things to my plex. And the firewall rule it creates.
-
@johnpoz thank you for the reply,
so i did the following created the NAT
I recheck and it keeps showing the port opened. I was checking on pfBlocker, it shows the packets being blocked but not really blocking
checking the states
then i checked the postfix logs the 192.168.1.6
and it shows contact to the VM
-
@killmasta93 and what do your firewall rules look like? Let's see your full wan rules, and you have zero rules on your floating.
What is this?
That is not firewall or log? Do you have something in pfblocker creating auto rules?
Please post the full rule set of your wan.. You have something above allowing??
-
@johnpoz Thank you for the reply,
the photo that you attached is the log of pfBlocker showing that IP getting blocked, but in reality it's not blocking
pfblocker alias native
Thank you
-
@killmasta93 what is in that whitelist? That would allow anything that is in that list.
You would have to kill all the states from that IP, or no matter what rules you do it would be allowed..
-
@johnpoz
Thanks for the reply, so I deleted those rules
but still the same issue
-
Hi @johnpoz, so I ended up rebooting and it started to work, very odd, can't seem to find out the issue
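
Added example, not part of the thread: the replies above point out that existing states keep passing traffic after a rule change until they are killed. This shell sketch filters `pfctl -ss`-style output for states involving one remote address; the sample lines and addresses are constructed, and the line layout is an assumption about the usual shape of that output (IPv4 only).

```shell
#!/bin/sh
# Find state-table entries that involve one address, so you can tell
# whether "blocked but still connecting" traffic is riding an old state.
# On pfSense the input would come from `pfctl -ss`; a constructed sample
# is embedded here so the script runs anywhere.

# Constructed sample (assumed layout): proto, endpoints, direction, state.
SAMPLE_STATES='all tcp 192.168.1.6:465 (198.51.100.10:465) <- 203.0.113.45:51522       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.45:51522 -> 192.168.1.6:465       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.6:465 (198.51.100.10:465) <- 203.0.113.4:40100       FIN_WAIT_2:FIN_WAIT_2
all udp 192.168.1.20:53411 -> 9.9.9.9:53       MULTIPLE:SINGLE'

# Print every state line where $1 is an endpoint address.
# Matching is exact per field, so 203.0.113.4 does not match 203.0.113.45.
states_for_ip() {
    awk -v ip="$1" '{
        for (i = 3; i <= NF; i++) {
            f = $i
            gsub(/[()]/, "", f)      # strip parentheses around the NAT address
            sub(/:[0-9]+$/, "", f)   # drop the :port suffix
            if (f == ip) { print; next }
        }
    }'
}

# Number of states involving $1 (reads the state list on stdin).
count_states_for_ip() {
    states_for_ip "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATES" | states_for_ip 203.0.113.45

# On the firewall itself (not run here):
#   pfctl -ss | states_for_ip 203.0.113.45
# Any line printed is a state that still passes traffic regardless of the
# new rules. States originating from that host can be removed with:
#   pfctl -k 203.0.113.45
```

If the count drops to zero after killing states and new connections from that address are then logged as blocked, the earlier "not really blocking" behaviour was leftover state rather than rule order.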