Not rules blocking all traffic?
-
Can you post the firewall rules section of your config.xml to go with that?
-
<nat>
  <outbound>
    <mode>advanced</mode>
    <rule>
      <interface>wan</interface>
      <source><network>127.0.0.0/8</network></source>
      <dstport>500</dstport>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <staticnatport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>127.0.0.0/8</network></source>
      <sourceport/>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <natport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.0.35.0/24</network></source>
      <dstport>500</dstport>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <staticnatport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.0.35.0/24</network></source>
      <sourceport/>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <natport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <source><network>10.0.35.0/24</network></source>
      <sourceport/>
      <target>other-subnet</target>
      <targetip>static_ip</targetip>
      <targetip_subnet>32</targetip_subnet>
      <interface>wan</interface>
      <poolopts/>
      <destination><any/></destination>
      <created><time>1412481217</time><username>admin@10.0.35.34</username></created>
      <updated><time>1412481365</time><username>admin@10.0.35.34</username></updated>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.0.36.0/24</network></source>
      <dstport>500</dstport>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <staticnatport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.0.36.0/24</network></source>
      <sourceport/>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <natport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <source><network>10.0.37.0/24</network></source>
      <sourceport/>
      <target/>
      <targetip/>
      <targetip_subnet>0</targetip_subnet>
      <interface>wan</interface>
      <poolopts/>
      <destination><any/></destination>
      <updated><time>1412448328</time><username>admin@10.0.35.46</username></updated>
      <created><time>1412448328</time><username>admin@10.0.35.46</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.6.16.0/24</network></source>
      <dstport>500</dstport>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <staticnatport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.6.16.0/24</network></source>
      <sourceport/>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <natport/>
      <created><time>1409705427</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.0.37.0/24</network></source>
      <dstport>500</dstport>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <staticnatport/>
      <created><time>1412449058</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.0.37.0/24</network></source>
      <sourceport/>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <natport/>
      <created><time>1412449058</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.8.17.0/24</network></source>
      <dstport>500</dstport>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <staticnatport/>
      <created><time>1412449058</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
    <rule>
      <interface>wan</interface>
      <source><network>10.8.17.0/24</network></source>
      <sourceport/>
      <target>pfsense_ip</target>
      <destination><any/></destination>
      <natport/>
      <created><time>1412449058</time><username>Manual Outbound NAT Switch</username></created>
    </rule>
  </outbound>
  <rule>
    <source><any/></source>
    <destination><network>wanip</network><port>52746</port></destination>
    <protocol>tcp</protocol>
    <target>10.0.35.2</target>
    <local-port>52746</local-port>
    <interface>wan</interface>
    <associated-rule-id/>
    <updated><time>1409244077</time><username>admin@10.0.35.46</username></updated>
    <created><time>1409244077</time><username>admin@10.0.35.46</username></created>
  </rule>
</nat>
<filter>
  <rule>
    <direction>in</direction>
    <source><any/></source>
    <destination><network>wanip</network><port>1194</port></destination>
    <interface>wan</interface>
    <protocol>udp</protocol>
    <type>pass</type>
    <enabled>on</enabled>
    <created><time>1409244432</time><username>OpenVPN Wizard</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1409700904</tracker>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>static_ip</address><port>80</port></destination>
    <created><time>1409700904</time><username>admin@10.0.35.34</username></created>
    <updated><time>1409705218</time><username>admin@10.0.35.34</username></updated>
  </rule>
  <rule>
    <id/>
    <tracker>1409705236</tracker>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>static_ip</address><port>443</port></destination>
    <updated><time>1409705236</time><username>admin@10.0.35.34</username></updated>
    <created><time>1409705236</time><username>admin@10.0.35.34</username></created>
  </rule>
  <rule>
    <direction>in</direction>
    <source><any/></source>
    <destination><network>wanip</network><port>1195</port></destination>
    <interface>wan</interface>
    <protocol>udp</protocol>
    <type>pass</type>
    <enabled>on</enabled>
    <created><time>1412434807</time><username>OpenVPN Wizard</username></created>
  </rule>
  <rule>
    <type>pass</type>
    <ipprotocol>inet</ipprotocol>
    <interface>lan</interface>
    <tracker>0100000101</tracker>
    <source><network>lan</network></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <type>pass</type>
    <ipprotocol>inet6</ipprotocol>
    <interface>lan</interface>
    <tracker>0100000102</tracker>
    <source><network>lan</network></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <id/>
    <tracker>1412478575</tracker>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>lan</network></source>
    <destination><network>opt3</network></destination>
    <created><time>1412478575</time><username>admin@10.0.35.34</username></created>
    <updated><time>1412479745</time><username>admin@10.0.35.34</username></updated>
  </rule>
  <rule>
    <id/>
    <tracker>1412482204</tracker>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>lan</network></source>
    <destination><network>wan</network></destination>
    <created><time>1412482204</time><username>admin@10.0.35.34</username></created>
    <updated><time>1412482975</time><username>admin@10.0.35.34</username></updated>
  </rule>
  <rule>
    <id/>
    <tracker>1412483404</tracker>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>lan</network></source>
    <destination><address>static_ip</address></destination>
    <updated><time>1412483404</time><username>admin@10.0.35.34</username></updated>
    <created><time>1412483404</time><username>admin@10.0.35.34</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1412486451</tracker>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>lan</network></source>
    <destination><address>Block_VLAN10</address></destination>
    <updated><time>1412486451</time><username>admin@10.0.35.34</username></updated>
    <created><time>1412486451</time><username>admin@10.0.35.34</username></created>
  </rule>
  <rule>
    <source><any/></source>
    <destination><any/></destination>
    <interface>openvpn</interface>
    <type>pass</type>
    <enabled>on</enabled>
    <created><time>1409244432</time><username>OpenVPN Wizard</username></created>
  </rule>
  <rule>
    <source><any/></source>
    <destination><any/></destination>
    <interface>openvpn</interface>
    <type>pass</type>
    <enabled>on</enabled>
    <created><time>1412434807</time><username>OpenVPN Wizard</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1409279741</tracker>
    <type>pass</type>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>opt1</network></source>
    <destination><any/></destination>
    <updated><time>1409279741</time><username>admin@10.0.35.34</username></updated>
    <created><time>1409279741</time><username>admin@10.0.35.34</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1409962216</tracker>
    <type>pass</type>
    <interface>opt3</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>opt3</network></source>
    <destination><any/></destination>
    <created><time>1409962216</time><username>admin@10.0.35.57</username></created>
    <updated><time>1412447330</time><username>admin@10.0.35.46</username></updated>
  </rule>
  <rule>
    <id/>
    <tracker>1412479159</tracker>
    <type>pass</type>
    <interface>opt3</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>opt3</network></source>
    <destination><network>lan</network></destination>
    <created><time>1412479159</time><username>admin@10.0.35.34</username></created>
    <updated><time>1412487427</time><username>admin@10.0.35.34</username></updated>
  </rule>
  <rule>
    <id/>
    <tracker>1412484062</tracker>
    <type>block</type>
    <interface>opt3</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>opt3</network></source>
    <destination><network>lan</network></destination>
    <updated><time>1412484062</time><username>admin@10.0.35.34</username></updated>
    <created><time>1412484062</time><username>admin@10.0.35.34</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1409962254</tracker>
    <type>pass</type>
    <interface>opt4</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>opt4</network></source>
    <destination><any/></destination>
    <updated><time>1409962254</time><username>admin@10.0.35.57</username></updated>
    <created><time>1409962254</time><username>admin@10.0.35.57</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1409962576</tracker>
    <type>pass</type>
    <interface>opt4</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><address>static_ip</address></source>
    <destination><any/></destination>
    <created><time>1409962576</time><username>admin@10.0.35.57</username></created>
    <updated><time>1409968567</time><username>admin@10.0.35.34</username></updated>
  </rule>
  <rule>
    <id/>
    <tracker>1412484005</tracker>
    <type>pass</type>
    <interface>opt4</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><address>static_ip</address></source>
    <destination><network>lan</network></destination>
    <updated><time>1412484005</time><username>admin@10.0.35.34</username></updated>
    <created><time>1412484005</time><username>admin@10.0.35.34</username></created>
  </rule>
  <rule>
    <id/>
    <tracker>1412436234</tracker>
    <type>pass</type>
    <interface>opt4</interface>
    <ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>tcp/udp</protocol>
    <source><any/></source>
    <destination><network>opt4ip</network><port>1195</port></destination>
    <disabled/>
    <created><time>1412436234</time><username>admin@10.6.16.6</username></created>
    <updated><time>1412437006</time><username>admin@10.6.16.6</username></updated>
  </rule>
</filter>
-
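Reading raw config.xml rule blocks by eye is error-prone, so here is an added example (not pfSense code and not the poster's own config) that parses the <filter> section in the layout shown above and prints each rule as "action on interface proto from X to Y", flagging the shape this thread is about: an enabled rule whose source or destination is an inverted interface network. The sample config is constructed for the example; it copies the shape of three of the posted rules and adds one hypothetical OPT3 rule (tracker 1412490000) carrying pfSense's <not/> marker for an inverted match, which the posted fragment does not contain. The function names (parse_rules, inverted_network_rules, describe) are mine.

```python
"""Summarise pfSense config.xml <filter> rules and flag inverted interface-network matches.

Added example, not pfSense code and not the poster's config. It relies only on the
config.xml layout visible in the thread (rule/type, interface, protocol, source and
destination holding <any/>, <network>, <address>, <port>) plus pfSense's <not/> child
for an inverted match, which the posted fragment does not contain and is assumed here.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the posted config: two of the poster's LAN rules
# and the disabled OPT4 rule, plus one hypothetical OPT3 rule (tracker 1412490000)
# using <not/> that is NOT in the original post.
SAMPLE_CONFIG = """<pfsense>
<filter>
  <rule>
    <type>pass</type><ipprotocol>inet</ipprotocol><interface>lan</interface>
    <tracker>0100000101</tracker>
    <source><network>lan</network></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <id/><tracker>1412482204</tracker><type>pass</type>
    <interface>lan</interface><ipprotocol>inet</ipprotocol>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/>
    <statetimeout/><statetype>keep state</statetype><os/>
    <source><network>lan</network></source>
    <destination><network>wan</network></destination>
  </rule>
  <rule>
    <id/><tracker>1412490000</tracker><type>pass</type>
    <interface>opt3</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp</protocol>
    <source><network>opt3</network></source>
    <destination><not/><network>lan</network><port>443</port></destination>
  </rule>
  <rule>
    <id/><tracker>1412436234</tracker><type>pass</type>
    <interface>opt4</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp/udp</protocol>
    <source><any/></source>
    <destination><network>opt4ip</network><port>1195</port></destination>
    <disabled/>
  </rule>
</filter>
</pfsense>"""


@dataclass
class Endpoint:
    value: str            # "any", an interface key such as "lan"/"wanip", or an address/alias
    kind: str             # "any", "network" or "address"
    inverted: bool        # True when the element carries <not/>
    port: Optional[str]   # <port> text, or None

    def __str__(self) -> str:
        if self.kind == "any":
            text = "any"
        elif self.kind == "network" and self.value.endswith("ip"):
            text = f"{self.value[:-2]} address"   # pfSense stores "<if>ip" for "<IF> address"
        elif self.kind == "network":
            text = f"{self.value} net"
        else:
            text = self.value
        if self.inverted:
            text = "!" + text
        return text if self.port is None else f"{text}:{self.port}"


@dataclass
class Rule:
    tracker: str
    action: str
    interface: str
    proto: str
    src: Endpoint
    dst: Endpoint
    disabled: bool


def parse_endpoint(el: ET.Element) -> Endpoint:
    """Turn a <source> or <destination> element into an Endpoint."""
    if el.find("any") is not None:
        kind, value = "any", "any"
    elif el.find("network") is not None:
        kind, value = "network", el.findtext("network")
    elif el.find("address") is not None:
        kind, value = "address", el.findtext("address")
    else:
        raise ValueError("endpoint has none of any/network/address")
    return Endpoint(value, kind, el.find("not") is not None, el.findtext("port"))


def parse_rules(xml_text: str) -> List[Rule]:
    """Parse every <filter>/<rule> of a config.xml document string."""
    root = ET.fromstring(xml_text)
    return [
        Rule(
            tracker=r.findtext("tracker", ""),
            action=r.findtext("type", ""),
            interface=r.findtext("interface", ""),
            proto=r.findtext("protocol", "any"),   # no <protocol> means any protocol
            src=parse_endpoint(r.find("source")),
            dst=parse_endpoint(r.find("destination")),
            disabled=r.find("disabled") is not None,
        )
        for r in root.findall("./filter/rule")
    ]


def inverted_network_rules(rules: List[Rule]) -> List[Rule]:
    """Enabled rules with a "! <IF> net" source or destination, the shape the thread discusses."""
    return [r for r in rules if not r.disabled
            and any(e.inverted and e.kind == "network" for e in (r.src, r.dst))]


def describe(rule: Rule) -> str:
    text = f"{rule.action} on {rule.interface} {rule.proto} from {rule.src} to {rule.dst}"
    return text + " (disabled)" if rule.disabled else text


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    for rule in parsed:
        print(rule.tracker, describe(rule))
    for rule in inverted_network_rules(parsed):
        print("inverted interface-network match:", rule.tracker)
```

To run it against a real box, replace SAMPLE_CONFIG with the contents of /cf/conf/config.xml (or a backup downloaded from Diagnostics->Backup/Restore); the same parse works on the <nat> section with a different findall path.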
This pull request should fix it: https://github.com/pfsense/pfsense/pull/1305
and I expect it will also fix some cases when doing !WANnet, !LANnet etc. when the interface does not have any VIPs.
Tested on:
2.2-BETA (amd64)
built on Sat Oct 04 19:25:31 CDT 2014
FreeBSD 10.1-PRERELEASE
with these edits to filter.inc
-
The Saturday version is the one I'm running with the problem.
-
You can change /etc/inc/filter.inc and test that it fixes the problem if you like.
The raw text of the fixed filter.inc is:
https://raw.githubusercontent.com/phil-davis/pfsense/patch-2/etc/inc/filter.inc
Copy all the text from the browser link above (ctrl-A, ctrl-C)
Use Diagnostics->Edit File
Load /etc/inc/filter.inc
Select all the text and paste the new text over (ctrl-A, ctrl-V)
Save
Then make a rule edit/save to force it to reload the rules.
Hopefully the "not" rules start to work correctly.
Disclaimer: only do this sort of thing on test systems where you are happy to spend time recovering if you accidentally paste bad/invalid code into a critical file.
-
For whatever reason it didn't work either. Later today I will wipe, start from scratch and report back.
-
All working now after a clean reinstall. Also cleared up a few other problems I was having.
-
Great to know it is working - I was wondering if there was going to be some other obscure edge case that the code did not handle.