Routing to WAN fails when adding a LAN NIC
- First of all I'll start by confirming it's a bug - since backing up config, resetting to factory and restoring config solved it. The big but (butt) here is WHY this might have happened and also another horrible issue that follows this.
- Platform is latest 2.4.5-RELEASE-p1 on VMware 6.7.
- 4 CPUs allocated, 8GB RAM and plenty of disk. Resource use is at less than 2%, so it's not resource depletion since the FW, NAT and other rules are very simple.

Background:
- Had pfSense with 6 NICs (1x WAN, 5x LAN to different VLANs implemented as virtual NICs) installed with a bunch of pretty simple NAT and FW rules. No big deal. Everything works.
- Had pfBlockerNG installed together with Squid but left Squid disabled right now. pfBlockerNG enabled with geo blocking. So far so good, everything worked.
Issue 1:

- Added a 7th NIC to another VLAN.
- Internal access from the VLAN to pfSense worked and so did all internal communication with other VLANs allowed on the FW rules. WAN access, however, didn't work. NO PACKET COMES IN OR OUT ON THE WAN to NIC7.
- Tried resetting arp, checked every possible log, tried every possible action - ditto.
- Backed up config, factory reset, restore config - FIXED.

This means this is an internal error in some internal table that cannot be cleared.
Issue 2:

- From that point onwards - any change we make to NAT or FW rules makes pfSense go totally haywire and it starts randomly blocking incoming WAN connections, dropping them without any log or anything (incoming NAT-forwarded connections).
- The only error we see is the memory error for bogons v6 that is listed in the notifications area, which is a known issue; however, checking FW states, memory utilization etc., everything is at the bottom 1-2% utilized.
- Nothing but nothing helps in this case other than rolling the FW back to a backup made before the interface changes. Only then are incoming WAN connections restored.
- Even on this backup - any minor change in rules or NAT again breaks the firewall and it blocks specific connections while others are allowed - again without any log or reason. Also - new rules are ignored and don't come into effect at all. We tried adding a NAT and FW rule and they simply don't have any effect.

Nothing helps here. The firewall works only in the backed up snapshot and no modification can be introduced. Tried increasing state tables and firewall tables but nothing helps, and also the gauge says only 1800 states are used out of 2M (!). Also tried to disable pfBlocker-generated rules, to no avail too.

THIS IS A CRITICAL ISSUE SINCE IT MEANS THE FIREWALL IS IGNORING RULES AND THIS MAY BE A SECURITY COMPROMISE!

Anyone sharing the same pleasure?
UPDATE:

Turns out it was pfBlocker. Removed it and its rules and presto, the firewall is back alive. Now the bug appears to be in pfSense, since pfBlocker uses its APIs to set rules....