Netgate Discussion Forum

    LAN > WAN2 (OPT1) block logs after update from 1.2 to 1.2.2

    • jjdesch

      Hi,

      We just upgraded from 1.2 to 1.2.2 this morning.  I am seeing block entries in the firewall log from LAN hosts going out the WAN2 interface (via a static route) that I never saw before the upgrade.  For example:

      X Jan 13 09:28:23 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP
      X Jan 13 09:28:23 LAN 192.168.20.131:3787 172.16.128.11:4600 TCP
      X Jan 13 09:27:35 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP
      X Jan 13 09:27:35 LAN 192.168.20.131:3787 172.16.128.11:4600 TCP
      X Jan 13 09:27:11 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP
      X Jan 13 09:27:11 LAN 192.168.20.131:3787 172.16.128.11:4600 TCP
      X Jan 13 09:26:59 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP
      X Jan 13 09:26:59 LAN 192.168.20.131:3787 172.16.128.11:4600 TCP
      X Jan 13 09:26:47 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP

      It does not seem to be having a detrimental effect on communication to the 172.16.128.11 host, but this has me concerned.  I created a specific allow LAN rule to quiet this, but it does not seem to have any effect:

      Proto  Source           Port  Destination   Port  GW  Description
      *      192.168.20.0/24  *     SCLS172HOSTS  *     *   Allow Staff out WAN2 for Millennium

      where SCLS172HOSTS is an alias for 5 different 172.x hosts.

      Thx

      Otherwise, throughput and performance are up with this release.

      • jjdesch

        Anyone?  pfSense 1.2 was performing flawlessly without all these "false positive/default rule" block firewall entries I am now seeing in 1.2.2.

        • jjdesch

          Here is an example of what I am seeing inbound from my WAN2 (opt1-172.16.161.73) interface:

          First the rule:

          Here is the log:

          • mikeisfly

            I believe you are having the same issue I'm having. The problem is that they are applying the same rules on LAN interfaces as the WAN interface without the ability to turn it off (Block private networks). If you do a pftop from the command line you will see that they are blocking the private IP range on the private side of the pfSense box without the ability to turn this off (you can turn it off on WAN, but no other interface). Its purpose is to prevent spoofing, but if you have a routed network on the same segment as your LAN this could be what you are seeing. The pfSense box should take routing tables into consideration when thinking about antispoofing; I don't know if this is a design flaw or not. I know where the problem is, I just don't know how to fix it.

            • jjdesch

              I use a static route to forward all 172.x bound traffic out the WAN2 (opt1) interface to an off-site application server. All other Internet bound traffic defaults out WAN1.  Would the "static route filtering/Bypass firewall rules for traffic on the same interface" advanced option come into play here, or is that only used if you have multiple LAN subnets using the LAN interface as their GW?  Even though things seem to be working OK, I am seriously thinking about going back to 1.2. Is it possible to downgrade back, or do we have to scrub the hardware and do a fresh install?

              • m3isp

                I've been trying to get help with this same issue for some time now. I hope you have better luck than I do, since I was never able to get ANY assistance with it. If you look at the raw logs you'll probably also notice that the rule it references for your blocked traffic does not exist in the config file.

                Best Regards
                M3

                • cmb

                  It was likely always there and you didn't notice it.  Looks like just the usual out-of-state traffic that gets blocked occasionally, though that is more frequent than I would expect (though that depends on the specifics of your network).
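                  A small triage helper for the question raised in this thread, added here as an example and not code from any of the posters or from pfSense: it parses block lines in the format shown in the first post, checks each against the poster's allow rule (source 192.168.20.0/24, destination in the SCLS172HOSTS alias), and separates flows the policy already permits (so the block is most likely an out-of-state TCP packet hitting the default deny, as cmb describes) from flows no rule covers. The log sample and the alias members beyond 172.16.128.11 are constructed placeholders; the thread only names that one host.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout shown in the thread's first post:
# "X <month> <day> <time> <iface> <src>:<port> <dst>:<port> <proto>"
SAMPLE_LOG = """\
X Jan 13 09:28:23 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP
X Jan 13 09:28:23 LAN 192.168.20.131:3787 172.16.128.11:4600 TCP
X Jan 13 09:27:35 LAN 192.168.20.131:3855 172.16.128.11:4600 TCP
X Jan 13 09:27:35 LAN 192.168.20.131:3787 172.16.128.11:4600 TCP
X Jan 13 09:26:40 LAN 192.168.20.200:51000 10.9.9.9:445 TCP
"""

LINE_RE = re.compile(
    r"^X (?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)$"
)

# The allow rule from the first post. Only 172.16.128.11 is named in the thread;
# the other alias members below are constructed placeholders.
ALLOW_SRC = ipaddress.ip_network("192.168.20.0/24")
SCLS172HOSTS = {ipaddress.ip_address(a) for a in (
    "172.16.128.11", "172.16.128.12", "172.16.128.13", "172.16.128.14", "172.16.128.15")}


def parse(log_text):
    """Return one dict per block line; lines not in the expected layout are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """'covered': the allow rule matches, so the block is not a policy denial (a
    state-table miss is the usual cause). 'denied': no user rule permits the flow."""
    src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
    if row["iface"] == "LAN" and src in ALLOW_SRC and dst in SCLS172HOSTS:
        return "covered"
    return "denied"


def triage(log_text):
    """Count blocked flows per (class, src, dst, dport) so repeat offenders stand out."""
    counts = Counter()
    for row in parse(log_text):
        counts[(classify(row), row["src"], row["dst"], row["dport"])] += 1
    return counts
```

Flows in the "covered" bucket that repeat with the same source ports, as in the thread, point at a state problem on an otherwise permitted connection; the "denied" bucket is where real policy gaps would appear.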
