Traffic between IP aliased LAN subnets blocked despite rules allowing it
-
I've just activated a dual pfSense 2.0.3 setup on hacom hardware to replace an ancient Juniper Netscreen-25. I have an Ethernet WAN connection using CARP on my side and HSRP on the provider side, with 3 subnets routed to my WAN address by the provider.
These three subnets all live on the same LAN Ethernet inside the firewall. The first subnet is configured as the LAN address, and the second and third are configured as IP Aliases with CARP on top of them; I wasn't able to figure out how to stack multiple IP aliases on top of one CARP interface.
I have the "Bypass firewall rules for traffic on the same interface" box checked, although I don't have any static routes defined, and I have a permit any to any rule on the LAN interface.
NAT is set to manual, and no NAT rules are defined; there are public IP addresses on both sides of the firewall.
I'm seeing entries in the firewall log indicating that some LAN-to-LAN packets are being denied by the default deny rule, as well as some LAN-to-WAN packets, and I'm seeing errors in the logs on those servers that confirm that some connections are failing or being dropped.
Any thoughts on where I go next to allow all LAN-to-LAN traffic to pass between subnets? Is pfSense losing state on these LAN-to-LAN connections?
198.87.233, 128.121.19, and 168.143.180 are all LAN networks inside the firewall.
-
You can't keep strict state in that scenario. You'll need some sloppy state floating rules and interface rules for traffic passing between those subnets, especially since it appears some of the hosts are dual stacked on both networks.
-
Thanks, that seems to have done it. With this as a hint, I was able to find http://forum.pfsense.org/index.php?topic=54568.0 which mentions another essential detail - there has to be a floating rule just for TCP, and have the TCP "Any Flags" box checked. With this floating rule in place, and the interface accept-any rule set to sloppy state, I'm no longer rejecting any packets in on my LAN interface.