Anti-spoofing rule blocking all traffic



  • TL;DR - WAN IP and WAN gateway IP are the same which is causing all traffic to be blocked by the anti spoofing rule (1000001570). How do I stop this or turn off that rule?!

    Hi, I am new to pfsense and in setting up a new router I have run into some issues.

    This is a simple home set up; I have an ADSL connection over PPPoA to my ISP (Sky Broadband, UK). I have tried PPPoE and it doesn't connect. My Billion 8800NL R2 is set up in half bridge mode (http://www.broadbandbuyer.co.uk/features/2423-how-to-set-up-a-billion-bipac-8800nl-in-ppp-half-bridge-mode/) which passes the PPPoA WAN IP (I'll use the example of 123.123.123.123) from the modem to the router through a DHCP assignment. A fresh install of pfsense on an old P4 PC has its WAN interface connected to the Billion modem and picks up the WAN IP address from the modem DHCP assignment. The router LAN interface is connected to the rest of my home network through a switch.

    I have set up and tested the modem in this half bridge mode with a computer connected directly to it and I can access the internet successfully (albeit without a firewall).

    My problem is that after setting up the pfsense box, adding LAN firewall rules to allow traffic out I still cannot access the internet from either the LAN or the pfsense box Diagnostic>Ping menu. I can access the LAN interface on the router correctly for another device on the LAN and the WAN has the correct 123.123.123.123 IP address however the firewall logs show that every packet is blocked by rule 100001570, the anti spoofing rule. All the log entries are for the WAN interface with the source as the WAN IP and the destination as whatever the destination internet IP address is. For example if I ping 8.8.8.8 my log entries show a packet originating from 123.123.123.123 to 8.8.8.8 having been blocked by rule 1000001570.

    Having spent a few hours last night with the very helpful people on the ##pfsense IRC I realised that my WAN IP address is the same as my WAN gateway address. As I understand it this means that outgoing traffic on the WAN interface will be directed back to the WAN interface which is why the firewall is blocking it. I’ve contacted Billion and they tested another router in the same configuration which gave the same result, with the WAN IP and gateway as the same IP address, so this seem to be expected behaviour.

    What I don’t understand is how traffic gets out when a computer is directly attached to the modem. Surely the packets are sent to the gateway address, in other words itself, so how do they ever get out to the wider internet? I checked and the gateway is the WAN IP address in that configuration too. As you can see I’m no networking expert and any help with this would be appreciated. The only solution I see at the moment is somehow disabling the 1000001570 anti-spoofing rule and hoping that fixes the problem.

    Sorry for the long post but I wanted to give you all the details of the set up.



  • No two devices should have the same IP address unless they're part of some High Availability setup.


  • LAYER 8 Netgate

    And even then not on two different interfaces.


Log in to reply