Netgate Discussion Forum
    Firewall rules blocking on interface stopped working

Category: Firewalling
sater1957:

We have a firewall (currently a Netgate 4200 running 24.11-RELEASE) that has a rule on an interface blocking a range of clients from getting out of that interface. Originally it was just the default rule, which always worked, but after what happened (I will describe) we added an explicit rule; it made no difference.

The firewall belongs to a sports organization (bridge, actually); it is used worldwide for a couple of weeks and then stored again.

The rule was tested directly after setup and worked as always. Yesterday, however, at the start of the tournament the rule did not work anymore. Whatever we tried (changing rules, trying to log), nothing worked. All hosts on that network could access the Internet.

      At the end of the day we rebooted the firewall, problem gone.

We have racked our brains over what we could have done to cause this. Clearly it is a bug, but what triggered it?
One thing we did between the initial tests and actual play was delete one unused interface from the firewall. This interface was in the list above the affected interface. Theory: this messed up the numbering and caused the wrong ruleset to be used.
The other thing was adding a couple of NAT rules to the WAN interface.

      Clearly we have no idea. Does this ring a bell somewhere?

SteveITS (Rebel Alliance) @sater1957:

@sater1957 Per https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied, a Status > Filter Reload should load the rule set and show any errors. Also, as noted there, once connections are open you would need to kill those open states/connections in order to block them (new connections should be blocked, though).

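The two checks in that reply (is the rule actually in the ruleset pf has loaded, and are existing states bypassing it) can be done from the firewall's shell instead of the GUI. The script below is an added example, not code from the thread or from Netgate: it assumes a hypothetical rule on interface igc2 blocking the client range 10.20.30.0/24, and the pfctl output it falls back to is constructed here with the same shape as pfSense's `pfctl -sr` and `pfctl -ss` lines, so it also runs off the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or the Netgate docs: after a rule change,
# confirm that pf's *loaded* ruleset contains the block rule, and see how many
# existing states would keep passing traffic until they are killed.
# Hypothetical assumptions: the rule is on interface "igc2" and blocks the
# client range 10.20.30.0/24. The sample output below is constructed and only
# approximates the shape of real "pfctl -sr" / "pfctl -ss" lines.

SAMPLE_RULES='block drop in log quick on igc2 inet from 10.20.30.0/24 to any label "USER_RULE: block tablets"
pass in quick on igc2 inet from 192.168.50.0/24 to any flags S/SA keep state label "USER_RULE: clients out"'

SAMPLE_STATES='all tcp 10.20.30.17:51234 -> 93.184.216.34:443 ESTABLISHED:ESTABLISHED
all udp 10.20.30.9:5353 -> 224.0.0.251:5353 MULTIPLE:MULTIPLE
all tcp 192.168.50.4:40000 -> 93.184.216.34:80 ESTABLISHED:ESTABLISHED'

# rule_loaded IFACE SRC RULES: exit 0 if RULES (pfctl -sr output) contains a
# block rule on IFACE whose source is exactly SRC, else exit 1. A rule that is
# present in the GUI but missing here is the "new rules are not applied" case.
rule_loaded() {
    printf '%s\n' "$3" | grep -E "^block .* on $1 .* from $2 " >/dev/null
}

# count_states PREFIX STATES: number of states (pfctl -ss output) whose source
# address starts with PREFIX, e.g. "10.20.30." for the /24 above. These keep
# passing traffic after the block rule loads until pfctl -k removes them.
count_states() {
    printf '%s\n' "$2" | grep -c " $1[0-9]*:[0-9]* -> " || true
}

# kill_cmd SRC: the pfctl invocation that drops every state originating from
# SRC, so the block rule also applies to connections that were already open.
kill_cmd() {
    printf 'pfctl -k %s\n' "$1"
}

# Use live pf output when run as root on the firewall, the constructed sample otherwise.
if command -v pfctl >/dev/null 2>&1 && RULES=$(pfctl -sr 2>/dev/null); then
    STATES=$(pfctl -ss 2>/dev/null)
else
    RULES=$SAMPLE_RULES
    STATES=$SAMPLE_STATES
fi

if rule_loaded igc2 10.20.30.0/24 "$RULES"; then
    echo "block rule for 10.20.30.0/24 on igc2 is present in the loaded ruleset"
else
    echo "block rule NOT loaded: run Status > Filter Reload (or /etc/rc.filter_configure) and check for errors"
fi
echo "open states from 10.20.30.0/24: $(count_states 10.20.30. "$STATES"); clear them with: $(kill_cmd 10.20.30.0/24)"
```

Run it as root on the firewall to inspect the live ruleset; anywhere else it reports on the constructed sample, where the block rule is loaded and two states from the blocked range are still open. The prefix match in count_states is deliberately simple and only fits a /24; for other mask lengths use `pfctl -ss` with a proper CIDR filter, and `pfctl -k 10.20.30.0/24` to clear the states in one go.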
sater1957 @SteveITS:

They were not existing connections. In fact, the tablets involved had just been powered on and connected to the existing WiFi network with the existing firewall rules.
It is just that the rules had mysteriously vanished (or at any rate, that is exactly how it behaved).

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.