Backup firewall blocks all traffic that tries to get through it
-
My setup is as follows:
Primary and secondary firewall setup. Primary is synchronizing ALL selectable settings to the backup. Sync is working properly; any changes made on primary are reflected on the backup correctly.
When I temporarily disable CARP or reboot the primary, the backup becomes MASTER over the VIPs correctly. However, after it does so, it begins blocking all connections from all clients on the network out to the internet. The firewall logs say that the traffic is blocked by the "Default deny ipv4 rule". This happens with all destination ports like 80, 53, and 443 (even though 443 just happens to be the only thing shown in the image below).
Now, I've read this: https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
However, that isn't the problem here. Things I've tried:
-Resetting all states on the backup and then trying to connect to a website again
-Creating a specific rule for my computer's IP address to pass all
-Moving the pass all rule to the top of the stack
-Using an Easy rule from the logs to pass the traffic.
The only thing that solves the problem is failing back over to the primary. :( I have no packages installed on either of these; they're vanilla 2.3.2.
Any ideas?
-
It seems that the states aren't synchronized.
Have you checked "synchronize states" in the HA settings?
-
Yes, synchronize states is checked. I can't tell if they're making it over, but even if they aren't, shouldn't a device be able to open a new state through the backup?
-
You can check it by the number of states on the dashboard and check the particular state in Diagnostics > States.
shouldn't a device be able to open a new state through the backup?
Yes, but only if a new connection is established. If you open a new connection it should also work on the second box.
-
Agreed which is what has me mystified. Devices are unable to establish new states and existing ones aren't functional.
What would you try next?
-
Is your hardware of both boxes identical? States are bound to the interfaces hardware name.
-
Is your hardware of both boxes identical? States are bound to the interfaces hardware name.
Yep, identical hardware. Power edge R200 boxes with an Intel Pro 1000 dual port NIC onboard.
No messages in the logs about failed syncs or anything.
-
You've got everything using the carp ip as the gateway, and all the outbound NAT using the carp?
-
Yep, everything is using the shared VIP as the GW. Outbound NAT uses it as well on the WAN side
-
The blocks in your screenshot above definitively show out-of-state packets. If the second box is master and you establish a new connection, a TCP:S flag must be logged if logging for the appropriate rule is on; otherwise the SYN packet does not go through this box.
I would try to disconnect the master box for testing.
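To make the distinction in the reply above mechanical (blocked SYN means the backup's rules or NAT rejected a new connection; blocked non-SYN TCP means an out-of-state packet from a flow the backup has no state for, pointing at state sync or an asymmetric path), here is an added diagnostic script that is not from the thread or from pfSense. It parses a constructed, simplified log layout; parse_line() and the sample lines are assumptions, so adapt the regex to the real filterlog format of your version before running it on real logs.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Assumed layout:
# "<action> <iface> <proto> <src>:<sport> -> <dst>:<dport> flags=<tcpflags>"
# with "-" as the flags value for non-TCP traffic.
SAMPLE_LOG = """\
block wan tcp 192.168.1.50:51234 -> 203.0.113.10:443 flags=A
block wan tcp 192.168.1.50:51234 -> 203.0.113.10:443 flags=PA
block wan tcp 192.168.1.51:40000 -> 203.0.113.20:80 flags=S
block wan udp 192.168.1.10:53412 -> 8.8.8.8:53 flags=-
pass lan tcp 192.168.1.52:44100 -> 203.0.113.30:443 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+) (?P<iface>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+)$")

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Label a blocked record:
    'new-conn'     - TCP with SYN and no ACK: a fresh connection the rules rejected
    'out-of-state' - any other TCP segment: part of a flow this box has no state for
    'stateless'    - UDP/ICMP, where flags carry no connection information
    Returns None for records that were passed rather than blocked."""
    if rec["action"] != "block":
        return None
    if rec["proto"] != "tcp":
        return "stateless"
    if "S" in rec["flags"] and "A" not in rec["flags"]:
        return "new-conn"
    return "out-of-state"

def summarize(log_text):
    """Count blocked lines per label; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            counts[label] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A summary dominated by out-of-state blocks with almost no new-conn blocks means clients are reusing flows the backup never learned, which is what the thread's "Default deny" entries on established sessions would look like.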
-
Should I try pointing the gateway of a few clients at the "real" LAN IP address of the backup firewall?
-
For testing, you can do that.
But if the second is master and the other is disconnected from WAN and LAN, the second owns the CARP VIP and it should also work this way.
-
Okay just tried that. The plot thickens.
Now the logs are reporting that the traffic is being allowed. I also see traffic from my Windows DNS servers reaching out to Google's public resolvers being shown as "Passed". However, running nslookups and pinging anything that isn't LAN side isn't working :(
This is thoroughly mystifying. This was working only a week ago I believe.