My Firewall rules suddenly stop working?
-
Hello Guys'n gals :)
I've got a Pfsense box running, and i really enjoy experimenting with it.
Since I'm a home user I have a DHCP IP from my ISP, and I'm suspicious that this might be the reason for the problem described below. It has happened several times that my Firewall suddenly stops working. When I call the publicIP:PORT which I'm absolutely sure worked previously, then I just get a timeout. To make that even more mysterious, no block event pops up in the firewall log.
The only firewall rule that works is the wan forward I've made to the pfsense-box's own local ip. That appears to work.
Also I've made sure that I can connect to the same port locally. This problem only seemed to appear when I received a new DHCP lease with a new IP. Two times I just did a quick fix by reformatting the box with a fresh pfsense install, but last time the firewall was buggy even before I was done configuring the new install. That could be because I assigned the WAN and LAN NICs wrong, so when I booted Pfsense the first time it resolved no WAN IP, because the WAN port was connected to my LAN switch and the LAN port was connected to my WAN modem.
I hope there's a fix for this, because sooner or later I'm going to use Pfsense for critical 24/7 ethernet, and would like to know how to either avoid this or fix it, so that I don't have to tell everyone in the building that there won't be any connectivity to the internet for a few mins, because I have to format and reconfigure pfsense :D
Kind regards, Sune W.
-
Perhaps you can provide more details like the version of PFsense, the hardware used and a few more details on the problem. I'm not sure I understand what the problem you're facing is.
Do you mean to say that:
- The pfsense box locks up completely?
- The Firewall rules fail to block traffic?
- NAT rules don't work?
- No traffic is being routed between the LAN and WAN?
-
I'm pretty sure the version is 1.2.2
My hardware is an old Fujitsu Siemens tower with a Pentium 3, SCSI HDD and 256 MB RAM. The problem is, it seems that whenever my dynamic IP changes, and I can see it from Status->Interfaces in the pfsense webGUI, then my NAT rules are no longer forwarding.
It does not seem to be the firewall itself blocking it, as I would then expect a block event to be logged in the firewall log. E.g. I could have a website running with standard configuration @ port 80, on another box.
- I set up a NAT and firewall rule for port 80, forwarding it to the box.
- I jump over to my laptop and I call my WAN IP in Firefox. I see the website as expected.
- I get a new DHCP-assigned (dynamic) IP, as a result of rearranging cables or a long shutdown of the pfsense box.
- The network connection is restored to pfsense, and pfsense is rebooted to make sure the WAN is connected correctly again.
- I jump over to my laptop and I call my new WAN IP in Firefox. I get a timeout, the page could not be shown.
- I call the website-box's local IP in Firefox, and I instantly receive the webpage as expected.
It seems weird how the traffic doesn't go through the firewall all of a sudden, but it is even weirder that one rule actually works. The rule for port 445 does work, and that's for the pfsense webGUI.
Hope you understand,
Kind regards, Sune.
-
Where is your laptop from which you test?
Directly on the same subnet as the WAN?
It kind of sounds as if you're with your laptop on the LAN subnet and try to access your server via the WAN IP.
Did you enable NAT reflection or set up split DNS?
-
My laptop is connected to the same switch as everything else described.
Laptop had like 192.168.1.5
Webserver like 192.168.1.8
These, btw, are assigned automatically by the pfsense DHCP per MAC mappings. I'm unsure what NAT reflection is, and I've not changed anything related to DNS, other than assigning my ISP DNS servers in the general configuration of pfsense.
Regards, Sune.
-
To remove the possibility that DHCP isn't actually assigning the address properly, can you try assigning a static IP address to the Webserver on the unit itself?
NAT reflection is under the System Menu -> Advanced -> Network Address Translation page. Uncheck the Disable NAT Reflection checkbox to enable the function.
Without enabling NAT reflection, computers in the LAN subnet won't be able to access port forwarded servers via the WAN IP address. You might also want to try enabling AON (Manual outbound NAT) for the Webserver in case the software is a little cranky (unlikely though).
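The situation described in this reply, as an added illustration in plain pf.conf syntax (this is not pfsense's own generated ruleset; the interface names em0/em1 and the macro names are assumed, the addresses 192.168.1.5 and 192.168.1.8 come from the thread):

```pf
# Constructed example, not generated by pfsense: WAN on em0, LAN on em1 (assumed)
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.8"

# Hairpin NAT for reflected connections: without this the webserver would
# answer the LAN client (192.168.1.5) directly on the same subnet, bypassing
# pf and the state it created, so the connection would stall.
nat on $int_if proto tcp from $lan_net to $web_srv port 80 -> ($int_if)

# The ordinary port forward. "on $ext_if" means it only matches packets that
# arrive on the WAN interface, so a LAN client connecting to the WAN IP (its SYN
# arrives on $int_if) never matches it and simply times out; nothing is blocked,
# so nothing is logged. ($ext_if) in parentheses is re-evaluated whenever the
# DHCP lease gives the WAN interface a new address.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# NAT reflection: the same redirect applied on the LAN interface, so the
# WAN IP also works from inside.
rdr pass on $int_if proto tcp from $lan_net to ($ext_if) port 80 -> $web_srv port 80
```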
-
I kind of don't see where you describe your setup ^^;
You can leave the DHCP stuff. It works.
Otherwise you wouldn't be able to access anything. The solution to your problem (there are multiple possibilities to solve this):
http://faq.pfsense.com
-> http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
-
Hi again.
Thank you very much, I will look into this later today or tomorrow since I'm quite busy at the moment, and the servers aren't running yet. My pal wasn't joking when he said that the guys here are very helpful :)
I will surely be back to these forums to contribute myself ;)
Have a nice day.
Regards, Sune W.
-
Hello again.
It seems that NAT reflection was the problem. I was just so sure I tested the ports from my home-computer, which has a different WAN IP and not in any way connected to the pfsense LAN.
Well it worked, and I'm very grateful :)
Thanks,
Sune W.