Only first rule and only first network in alias gets respected in rule



  • Hello guys,

    long time user / first time poster..

    I have been using PFSense for years now, never had a problem like this.

    I have an allow rule, let's say from an alias for the network 192.168.47.0/24 to an alias for 10.10.0.0/16. For debugging purposes I am currently down to allow any protocol, any port.

    Some packets to a host in 10.10.5.0/24 get "lost", logs show them as passed, but they do not come out on the other end.
    If I change my alias to point to 10.10.5.0/24, all is well and all packets arrive on the other side. If I add another network to the alias, say 10.10.4.0/24, all is well. If I change the order in the alias to put 10.10.4.0/24 first and 10.10.5.0/24 second, packets again get "lost" to 10.10.5.0/24 but it works for 10.10.4.0/24.

    I say lost because as far as the logs are concerned they get passed, but the application no longer shows the correct information.

    So currently I can "make it work", but only for one of five possible networks (10.10.1.0/24 to 10.10.5.0/24), since the rule has to be first, cannot contain the networks as /16 and cannot contain more than one network in the alias.

    I have turned off any and all hardware offload, I have set "clear invalid DF bits instead of dropping", I have disabled scrubbing.

    I see UDP packets in my log without a port, which get passed.

    There is no NAT on either interface.

    I am totally lost where to start searching for the problem.



  • Oh. Putting any other allow rule in front of this magic rule also makes it not work anymore, even if I just copy the rule and create a second one for 10.10.2.0/24.



  • Show your firewall rules.



  • I hope I have the file you wanted.

    Replaced some things with

    %s#foo#bar#g

    to protect the innocent, but I think the file should still be correct otherwise.

    Thanks for taking a look!

    pfsense_rules.txt


  • LAYER 8 Global Moderator

    "i hope i have the file you wanted."

    dude just post up screenshots - it's so much easier and quicker to read..



  • I personally don't see how you can help with only that, but sure..

    Changing the order of these two rules switches which one works, even though both are pretty much "allow all" rules.

    ViprinetMichael is 10.10.5.0/24, ViprinetElke is 10.10.4.0/24.

    ![Bildschirmfoto 2016-12-02 um 14.57.19 1.png](/public/imported_attachments/1/Bildschirmfoto 2016-12-02 um 14.57.19 1.png)



  • In case you suspect another rule at the end which interferes.

    Yes, the rules are wide open.. I'm trying to get this thing to work, then I can close the ports down again, I am at a total loss why this is happening.

    ![Bildschirmfoto 2016-12-02 um 15.05.07.png](/public/imported_attachments/1/Bildschirmfoto 2016-12-02 um 15.05.07.png)


  • LAYER 8 Global Moderator

    What exactly are you trying to do? Your rules are all pointless since at the bottom you have an any any.. And all those rules are allow.  What exactly do you expect to happen?

    Rules are evaluated top down, first rule to trigger wins. No other rules are looked at.

    So what do you want your rules to do, and we can help you write them.

    But yeah those rules are pointless.  You're not even logging anything other than the last rule, which will never get hit if any of the rules above it trigger.

    If that is the only stuff you want to allow, then you need to put a deny at the end, or remove the last allow so the default deny rule blocks anything that is not allowed on your list.  But again first rule to match wins, and you stop looking at rules below.  So once you hit an allow or a block you don't look at the rest of the rules.
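The first-match semantics described above, as an added example that is not part of the thread: a small pfSense-style evaluator with network aliases (alias names are taken from the thread, their membership and the probe addresses are constructed). It shows that the order of networks inside an alias cannot change the decision, and that allow rules sitting above a trailing allow-any rule change nothing.

```python
"""First-match evaluation of pfSense-style rules with network aliases.

Added example for this thread, not pfSense code. Alias membership and
probe addresses are constructed to mirror the networks the poster names.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

Net = ipaddress.IPv4Network

def alias(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]

@dataclass
class Rule:
    action: str      # "pass" or "block"
    src: List[Net]   # empty list means "any"
    dst: List[Net]

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        in_src = not self.src or any(s in n for n in self.src)
        in_dst = not self.dst or any(d in n for n in self.dst)
        return in_src and in_dst

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Top-down: the first matching rule decides; implicit default is block."""
    for r in rules:
        if r.matches(src_ip, dst_ip):
            return r.action
    return "block"

LAN = alias("192.168.47.0/24")                        # constructed
VIPRINET_MICHAEL = alias("10.10.5.0/24")
VIPRINET_ELKE = alias("10.10.4.0/24")
PHONE_NETS_A = alias("10.10.4.0/24", "10.10.5.0/24")
PHONE_NETS_B = alias("10.10.5.0/24", "10.10.4.0/24")  # same alias, reordered
ANY = []

def order_inside_alias_is_irrelevant() -> bool:
    """An alias is a set: reordering its networks yields identical decisions."""
    probes = [("192.168.47.10", "10.10.5.20"), ("192.168.47.10", "10.10.4.20")]
    return all(evaluate([Rule("pass", LAN, PHONE_NETS_A)], s, d)
               == evaluate([Rule("pass", LAN, PHONE_NETS_B)], s, d) for s, d in probes)

def allows_before_any_any_are_pointless() -> bool:
    """With a trailing pass-any rule, the preceding pass rules add nothing."""
    full = [Rule("pass", LAN, VIPRINET_MICHAEL), Rule("pass", LAN, VIPRINET_ELKE), Rule("pass", ANY, ANY)]
    probes = [("192.168.47.10", "10.10.5.20"), ("192.168.47.10", "10.10.1.20"), ("172.16.0.1", "8.8.8.8")]
    return all(evaluate(full, s, d) == evaluate([Rule("pass", ANY, ANY)], s, d) for s, d in probes)
```

If the firewall decision is identical regardless of alias order, traffic that is "lost" only for the second network in an alias is not being decided by rule matching, which is why the moderator asks about state and asymmetric paths.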



  • And yet, the traffic still gets denied / does not come out the other side.

    That is exactly my point, the first two rules - even though they are allow everything - can change which network the traffic flows to correctly.

    Only the first rule gets respected; if I switch places between rule one and rule two, I can switch which network can access the application correctly.

    Or, if I put another rule in first place and put multiple /24 networks into an alias, then only the first of those networks in the alias gets the complete traffic. Here I can also change which network "works" by changing the order inside of the alias.

    The other rules are me banging my head against a wall, trying to find where / why / how traffic gets rejected because it does not make sense. So to try and get the application working for more than one /24 network I have tried every possible combination of allowing traffic.

    The logging partially makes sense, because sometimes I see packets logged (UDP) without a port.. I am guessing that has something to do with my problem.

    Also, pfSense does not log that it is denying anything - packets just don't get passed to the client on the other side unless the first rule on that VLAN is for him.


  • LAYER 8 Global Moderator

    What is the traffic that is getting rejected.. Post up your firewall logs - if I had to guess you have some asymmetrical issue so your traffic that is being blocked is out of state..

    Post a drawing of your network so we know what we are working with.  And what are in these aliases..

    How does a rule with the same alias as the source and dest ever make sense??  Your rule there with phonenetworks as source to dest phonenetworks??  How/When would that ever be used?  pfSense has nothing to do with traffic on the same broadcast domain.. Unless you're bridging??  And some of the devices are on one side and others on the other side.

    But for example without even knowing what is in that alias, since it's the same there is going to be A.. So your rule says allow A to talk to A..  There would be zero point to such a rule.. Since A sure and the hell does not need to talk to pfSense to talk to itself ;)

    You don't list any rules sending traffic out a specific gateway, etc.  Do you have any rules in floating?  What are the rules on the other interfaces.  What direction are you initiating traffic?

    Do you have a downstream router in place? What specific interface are those rules on?  More than happy to help you figure out what you're doing wrong.  Please post a drawing of your network and what interface those rules are on and such..  What exactly are you trying to accomplish.  Since you have no specific gateways set, nor are sending a specific sort of traffic to a queue, and your last rule is any any, and all the rules above are allow, they are all completely pointless.  The only rule that should be on that interface is your last any any.

