[SOLVED] Changed LAN now have Firewall TCP:SA issues
  • Hello all, already followed all the troubleshooting steps I found at https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules and the problem still exists so I am hoping someone here can help.

    I recently went into Interfaces > LAN1 and changed the CIDR notation from 24 to 23 in order to double the number of IP addresses on LAN1. I did not change the static IPv4 address for LAN1 which remains at 192.168.0.1.

    I then went to Services > DHCP Server > LAN1 and changed the range from 192.168.0.30 to 192.168.0.150 to instead be 192.168.1.30 to 192.168.1.150. I confirmed that the Subnet is now 192.168.0.0, Subnet mask is now 255.255.254.0, and available range now shows 192.168.0.1 - 192.168.1.254.

    I then went to Firewall > NAT > Outbound and updated each mapping pertaining to source 192.168.0.0/24 so that source was now 192.168.0.0/23.

    All clients having an IP address between 192.168.0.2 - 192.168.0.254 work as expected; however, any client using an address received via DHCP in the new range of 192.168.1.30 - 192.168.1.150 cannot access any of the clients in the original network range of 192.168.0.2 - 192.168.0.254.

    Here is what appears in the firewall log:
    Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49694 TCP:SA
    Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49695 TCP:SA

    Since the steps to fix TCP:SA issues listed on the above website did not work, does anyone have any ideas what I did wrong and how to fix it? My only goal is to increase the range of IP addresses available on our LAN.

    Thanks in advance!
  • Never mind everybody.

    This was just bad luck of the draw on my part. Had I tried connecting to any one of our other servers instead of always testing to the same one (i.e., 192.168.0.7), I would have figured it out sooner.

    The system that I was trying to connect to (i.e., 192.168.0.7) simply wasn't updating its network configuration. It still believed the old subnet mask was 255.255.255.0 instead of 255.255.254.0. A complete restart fixed it and I am not having problems connecting to any of our other servers as they all know the updated network details.

    Thanks.
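The two posts above describe the same mechanism from both ends: a server that still holds the old /24 mask treats a new-range client as off-link, so its SYN-ACK is sent to the gateway (pfSense) instead of directly back to the client, and the firewall logs it as a TCP:SA packet with no matching state. The following script, added here as an illustration and not part of the original thread or of pfSense, parses the quoted log lines and shows why the reply path differs between the stale mask (255.255.255.0) and the corrected one (255.255.254.0). The `stale_hosts` helper and the host inventory it checks are constructed for the example; the only real values are the addresses and masks quoted in the posts.

```python
import ipaddress
import re

# Constructed sample input: the two firewall-log lines quoted in the first post.
FIREWALL_LOG = """\
Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49694 TCP:SA
Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49695 TCP:SA
"""

# Matches the pfSense log layout shown in the thread: timestamp, interface,
# src:port, dst:port, TCP:<flags>.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"TCP:(?P<flags>\S+)$"
)


def parse_log(text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_on_link(host_ip, host_mask, peer_ip):
    """True if a host configured with host_ip/host_mask would ARP for peer_ip
    directly; False if it would hand the packet to its default gateway."""
    net = ipaddress.IPv4Network(f"{host_ip}/{host_mask}", strict=False)
    return ipaddress.IPv4Address(peer_ip) in net


def explain(entry, responder_mask):
    """Explain a logged SYN-ACK given the mask the responding host actually uses."""
    src, dst = entry["src"], entry["dst"]
    if entry["flags"] != "SA":
        return "not a SYN-ACK; a different diagnosis applies"
    if is_on_link(src, responder_mask, dst):
        return (f"{src}/{responder_mask} treats {dst} as on-link: the reply "
                f"goes straight to the client and never crosses the firewall")
    return (f"{src}/{responder_mask} treats {dst} as off-link: the SYN-ACK is "
            f"sent to the gateway and reaches the firewall with no matching state")


def stale_hosts(inventory, expected_mask):
    """Given (ip, mask) pairs collected from hosts, return the ips whose mask
    does not match the mask the LAN was resized to."""
    return [ip for ip, mask in inventory if mask != expected_mask]


if __name__ == "__main__":
    for e in parse_log(FIREWALL_LOG):
        print(e["src"], "->", e["dst"], "|", explain(e, "255.255.255.0"))
        print(e["src"], "->", e["dst"], "|", explain(e, "255.255.254.0"))
    # Constructed inventory: the server from the thread still on the old mask,
    # plus a hypothetical host that already picked up the new one.
    inventory = [("192.168.0.7", "255.255.255.0"), ("192.168.0.20", "255.255.254.0")]
    print("hosts still on the old mask:", stale_hosts(inventory, "255.255.254.0"))
```

Running it prints, for each logged line, the off-link explanation under the old mask and the on-link explanation under the new one, and lists 192.168.0.7 as the host that still needs its configuration refreshed. The same on-link check is what the pfSense asymmetric-routing guidance is working around from the firewall side; the thread's resolution shows that fixing the end host's mask removes the asymmetry at its source rather than allowing the stray SYN-ACKs through.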