Help! What is FW-Rule @237 ?

CryoGenID · Jan 17, 2007, 12:55 PM

Hello dear pfSense Users and Admins!

I have just installed a new server and restored the old config from the server before.

I can access the internet, but I cannot access OPT1-Interface (not from LAN or WAN).
The OPT1-Devices can ping each other, but not access WAN.

When I look into the FW-Log I see that all connections from WAN are blocked with this
message:
"@237 block drop in log quick all label "Default block all just to be sure""

Why is that happening?
On the old server it worked perfectly.

I am also writing this entry from behind this pfsense-installation, so outgoing traffic is no problem from
LAN.

A quick help would be perfect as I am currently standing in the datacenter and need to get this working :-(

LAN-FW-Entry:
* LAN net * * * * Default LAN -> any

WAN and OPT1 are bridged:

–--------------
bridge0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
ether 12:e2:7c:af:b6:d7
priority 32768 hellotime 2 fwddelay 15 maxage 20
member: le3 flags=7 <learning,discover,stp>port 4 priority 128 path cost 55 disabled
member: le2 flags=7 <learning,discover,stp>port 3 priority 128 path cost 55 forwarding
member: le1 flags=7 <learning,discover,stp>port 2 priority 128 path cost 55 forwarding

le3 is disabled because i tried another network-card-port to make sure that it is not a hardware problem ;-)

Any clues?

EDIT: pfSense is 1.0.1-SNAPSHOT-01-13-2007

Thanks a lot in advance,

best regards,

Chris</learning,discover,stp></learning,discover,stp></learning,discover,stp></up,broadcast,running,simplex,multicast>

hoba · Jan 17, 2007, 1:38 PM

This is the default block all rule that is the last rule present at all interfaces. This means no other previous listed rule did match for this traffic. Revisit your rules. Something must be set up wrong.

CryoGenID · Jan 17, 2007, 1:44 PM

Hello, Hoba!

Thanks for your reply!

Well I just used the backup i did on the old server a few minutes before… could it not have been correctly imported using that pfsense-version?

Should I go back to the latest stable (1.0.1) release possibly?

I really do not know what to do :-( (as i used the old backup file and the rules inside the webconfigurator all look the same as on the old server...)

what else could I do?

Thanks a lot!!

Christian

hoba · Jan 17, 2007, 1:51 PM

In this case go back to 1.0.1 release for now and try to evaluate your old config with the new snap in the lab before going on site ;)
(I had some kind of issue yesterday too with the latest snapshot and an imported multiwan setup; didn't have time to do further diagnosis on it yet)

CryoGenID · Jan 17, 2007, 1:53 PM

Thanks hoba, I will reinstall and keep you updated… thanks for the quick help!!

Christian

CryoGenID · Jan 17, 2007, 2:38 PM

It did not work :-(

Again the same problem… no traffic goes to the opt1-interface... not from WAN and also not
from LAN... Do you have another idea?

I could give ssh access to the firewall if you have the time to have a quick look at it?
(I hope the firewall permits the ssh access)
EDIT: no, i cannot access the fw via SSH even though it is activated within pfsense... :-( )
EDIT2: now all firewall blocks are @235

What can we do? ???

Thanks a lot,

Christian

hoba · Jan 17, 2007, 2:39 PM

Sounds like your backuped config.xml is somehow broken? What version did you run when you made the backup?

CryoGenID · Jan 17, 2007, 2:53 PM

that is a snapshot of 1.0.1 from the 7th of january i think…
I currently cannot access it as I have the new fw-server online currenty...

is there a log file on the pfsense in which i could have a look to find out what is going wrong?

EDIT: I now used an older backup file (from version 1.0.1 stable) and have the same problem...

The opt1-interface is locked out... i cannot ping into it from lan and have no access from wan...

Hoba, any other clues?

I am really beginning to get depressed over this :'(

hoba · Jan 17, 2007, 3:27 PM

What does status>interfaces report? Also check if the interface assignment is correct at interfaces>assign.

CryoGenID · Jan 17, 2007, 7:18 PM

Hoba,

thanks a lot for your reply.

I've now arrived at home again, so I will make a test-setup tomorrow and post here again.

For some reason, pfSense hates me :-(

Just to update you what I already did:
First I tried it on a HP DL 380 G2 with two 64-bit Intel 2-Port GBit NICs, then I bought
a new HP Blade BL20p G3 with 3 onboard GBit NICs.
With both servers pfSense lost packets.

Now I have created a VM for testing purposes and installed pfSense into the VM on
the DL 380 G2.
I hoped to fix the hardware/driver Problems of FreeBSD and my HP/Intel-HW with that virtualization
trick.
But now I cannot get access to the OPT1 interface (that the thread here).

Well tomorrow I will install a test-server for the OPT1-Interface and then I hope that I can solve this for once and
for all together with your help ;-)

I'll try to make the SSH-Access to the pfSense work so that you can have a look directly at it and don't
have to rely on my answers here ;-)

Hoba I wish you a pleasent evening!

Best regards,

Chris