Very strange bug in firewall behavior. Pfsense blocks another IP
-
Hi,
I've just encountered a very strange bug in the firewall.
I have been using OpenVPN to remotely connect to our network. There is a firewall rule that allows specific domains in an alias to access the OpenVPN service from the Internet.
One of the domains in the alias list is dync------.mydomain.network. I host this domain on Squarespace and update the A record manually whenever I want to VPN from my phone.
The problem is that if I set the IP of that specific domain to 31.94.64.11, the firewall blocks it and logs that the connection is from 31.94.64.10 (-1).
This is something I can easily reproduce with any IP.
Following is the A record of the domain in Squarespace:
This is how it is resolved by pfSense:
And this is the pfSense firewall log
Firewall rule
Do you have any idea about the root cause?
-
@localhostx said in Very strange bug in firewall behavior. Pfsense blocks another IP:
Do you have any idea about the root cause?
How about checking the rule "OpenVPN UDP - Block undefined/unsafe sources and log (1680558643)"? If this is just a general block rule, check the tables in diagnostics.
-
It is a general block rule in the above firewall screenshot (the third one). The whitelisting is the first rule, and I expect it to allow access.
The interesting thing is that, regardless of what I whitelist, the firewall perceives it as -1. If my IP ends in .11, pfSense logs it as .10.
I started to suspect that my mobile ISP (EE) might be causing this issue by assigning an IP of 31.94.64.11, performing some inspection, and then redirecting it as 31.94.64.10.
I will test it with another ISP to confirm.
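A small check, added here as an example rather than anything from the thread or from pfSense itself, that parses a filterlog-style line, resolves the alias hostnames, and reports whether the logged source address is in the alias, is one address away from an alias entry (the .10 versus .11 case above), or is unrelated. The hostname, DNS answer and log line are constructed; the DNS resolver is injectable so the check runs offline here and against live DNS in practice.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Field positions in a pfSense filterlog CSV line for IPv4 packets:
# 3 = tracker ID of the matching rule, 6 = action, 18 = source, 19 = destination.
TRACKER, ACTION, SRC, DST = 3, 6, 18, 19

def parse_filterlog(line: str) -> Dict[str, str]:
    """Extract rule tracker, action and addresses from one filterlog line."""
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        raise ValueError("not an IPv4 filterlog line")
    return {"tracker": f[TRACKER], "action": f[ACTION], "src": f[SRC], "dst": f[DST]}

def resolve_alias(hostnames: Iterable[str],
                  resolver: Optional[Callable[[str], List[str]]] = None) -> Dict[str, List[str]]:
    """Map each alias hostname to its current A records. The resolver is
    injectable: a fixed answer for offline use, live DNS by default."""
    if resolver is None:
        resolver = lambda h: socket.gethostbyname_ex(h)[2]
    return {h: resolver(h) for h in hostnames}

def classify_source(src: str, alias: Dict[str, List[str]]) -> str:
    """Exact alias match, one address away from an alias entry, or neither."""
    s = int(ipaddress.ip_address(src))
    best = "not-in-alias"
    for host, addrs in alias.items():
        for a in addrs:
            d = abs(int(ipaddress.ip_address(a)) - s)
            if d == 0:
                return f"in-alias ({host})"
            if d == 1:
                best = f"adjacent-to-alias ({host} -> {a})"
    return best

# Constructed inputs: a fixed DNS answer and a log line shaped like filterlog
# output; neither is copied from the thread's screenshots.
FAKE_DNS = {"dync-example.mydomain.network": ["31.94.64.11"]}
SAMPLE_LOG = ("5,,,1680558643,em0,match,block,in,4,0x0,,57,1234,0,DF,17,udp,"
              "60,31.94.64.10,203.0.113.5,49152,1194,40")

def check(line: str = SAMPLE_LOG) -> str:
    """Compare the logged source against what the alias currently resolves to."""
    entry = parse_filterlog(line)
    alias = resolve_alias(FAKE_DNS, resolver=lambda h: FAKE_DNS[h])
    verdict = classify_source(entry["src"], alias)
    return f"{entry['action']} by tracker {entry['tracker']}: src {entry['src']} is {verdict}"

if __name__ == "__main__":
    print(check())
```

Against a real box, replace FAKE_DNS with the alias's hostnames and drop the resolver argument so gethostbyname_ex answers from the same resolver pfSense uses; a persistent "adjacent" verdict points at the path between client and firewall rather than at the alias.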