Netgate Discussion Forum

    [SOLVED] Changed LAN now have Firewall TCP:SA issues

    Firewalling
    2 Posts 1 Posters 420 Views
    rin_tinn (original post):

      Hello all, already followed all the troubleshooting steps I found at https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules and the problem still exists so I am hoping someone here can help.

      I recently went into Interfaces > LAN1 and changed the CIDR notation from 24 to 23 in order to double the number of IP addresses on LAN1. I did not change the static IPv4 address for LAN1 which remains at 192.168.0.1.

      I then went to Services > DHCP Server > LAN1 and changed the range from 192.168.0.30 to 192.168.0.150 to instead be 192.168.1.30 to 192.168.1.150. I confirmed that the Subnet is now 192.168.0.0, Subnet mask is now 255.255.254.0, and available range now shows 192.168.0.1 - 192.168.1.254.

      I then went to Firewall > NAT > Outbound and updated each mapping pertaining to source 192.168.0.0/24 so that source was now 192.168.0.0/23.

      All clients having an IP address between 192.168.0.2 - 192.168.0.254 work as expected; however, any client using an address received via DHCP in the new range of 192.168.1.30 - 192.168.1.150 cannot access any of the clients in the original network range of 192.168.0.2 - 192.168.0.254.

      Here is what appears in the firewall log:
      Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49694 TCP:SA
      Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49695 TCP:SA

      Since the steps to fix TCP:SA issues listed on the above website did not work, does anyone have any ideas what I did wrong and how to fix it? My only goal is to increase the range of IP addresses available on our LAN.

      Thanks in advance!

    rin_tinn (reply):

        Never mind everybody.

        This was just bad luck of the draw on my part. Had I tried connecting to any one of our other servers instead of always testing to the same one (i.e., 192.168.0.7), I would have figured it out sooner.

        The system that I was trying to connect to (i.e., 192.168.0.7) simply wasn't updating its network configuration. It still believed the old subnet mask was 255.255.255.0 instead of 255.255.254.0. A complete restart fixed it and I am not having problems connecting to any of our other servers as they all know the updated network details.

        Thanks.

        1 Reply Last reply Reply Quote 0
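The reply above explains the root cause (one server still using the old /24 mask) but not why that shows up as blocked TCP:SA entries on the firewall. The following is an added example, not code from the thread or from pfSense: it models each host's own idea of its subnet, works out where the SYN and SYN-ACK of a handshake go, and scans firewall log lines for the tell-tale pattern. The class and function names (Host, believes_on_link, tcp_handshake_path, find_stale_mask_suspects), the LAN_NET constant and the log regex are assumptions of this example; the regex matches the simplified log layout the poster pasted, not pfSense's raw filter log format. The two sample log lines are the ones from the original post.

```python
import ipaddress
import re
from dataclasses import dataclass

# New LAN1 prefix from the thread (192.168.0.1/23). Assumed name.
LAN_NET = ipaddress.ip_network("192.168.0.0/23")


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mask: str  # the mask the host itself believes, not what pfSense/DHCP hands out


def believes_on_link(host: Host, peer_ip: str) -> bool:
    """True if `host` thinks `peer_ip` is on its own subnet (it will ARP for it
    and send directly); False if it will hand the packet to its default gateway."""
    iface = ipaddress.ip_interface(f"{host.ip}/{host.mask}")
    return ipaddress.ip_address(peer_ip) in iface.network


def tcp_handshake_path(client: Host, server: Host, firewall_ip: str) -> dict:
    """Describe the path of the SYN (client -> server) and the SYN-ACK (server -> client).

    The path is asymmetric when one direction goes host-to-host on the LAN and the
    other is routed through the firewall. pfSense then sees a SYN-ACK for which it
    never saw the SYN, has no state entry, and logs the block as TCP:SA."""
    syn_direct = believes_on_link(client, server.ip)
    synack_direct = believes_on_link(server, client.ip)
    return {
        "syn": "direct" if syn_direct else f"via {firewall_ip}",
        "syn_ack": "direct" if synack_direct else f"via {firewall_ip}",
        "asymmetric": syn_direct != synack_direct,
        "firewall_logs_tcp_sa": syn_direct and not synack_direct,
    }


# Simplified log layout as pasted in the thread: "<ts> <iface> <src>:<port> <dst>:<port> TCP:<flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP:(?P<flags>\S+)$"
)

# The two lines from the original post, used here as sample input.
SAMPLE_LOG = [
    "Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49694 TCP:SA",
    "Mar 9 12:31:12 LAN1 192.168.0.7:443 192.168.1.58:49695 TCP:SA",
]


def find_stale_mask_suspects(log_lines, lan_net=LAN_NET):
    """Return {source_ip: {destination_ips}} for blocked SYN-ACKs where both ends sit
    inside the LAN prefix. Such packets should never reach the firewall at all, so the
    source host is the likely one still running with the old (narrower) subnet mask."""
    suspects = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["flags"] != "SA":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in lan_net and dst in lan_net:
            suspects.setdefault(str(src), set()).add(str(dst))
    return suspects


if __name__ == "__main__":
    client = Host("dhcp-client", "192.168.1.58", "255.255.254.0")
    stale_server = Host("server", "192.168.0.7", "255.255.255.0")  # still on the old /24
    fixed_server = Host("server", "192.168.0.7", "255.255.254.0")  # after the reboot
    print("stale :", tcp_handshake_path(client, stale_server, "192.168.0.1"))
    print("fixed :", tcp_handshake_path(client, fixed_server, "192.168.0.1"))
    print("log   :", find_stale_mask_suspects(SAMPLE_LOG))
```

Running the block shows the stale server sending its SYN-ACK "via 192.168.0.1" while the client's SYN went direct, which is exactly the state-less SYN-ACK the firewall logged. Hosts in the old 192.168.0.x range keep working against the stale server because both sides still agree they are on-link, which is why the problem only appeared for the new 192.168.1.x addresses. The log scan is the quick check to run after a prefix change: any LAN-to-LAN TCP:SA block points at a host that did not pick up the new mask.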
        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.