Port forwarding not working, possible reply-to issue?

  • Hi folks,
I am trying to set up port forwarding on a multi-WAN setup.
    I had it working some months ago but after updates it is not working any more.
    The traffic is passed inbound correctly and the TCP SYN ACK from the local machine arrives at the LAN interface.
    It will however not pass back through the appropriate WAN interface.

How can I debug this further? It seems like the firewall does not know what to do with the response.
    reply-to is not disabled globally or per rule.
I was unable to replicate this issue on a fresh install inside VirtualBox...

  • You may use Packet Capture from the Diagnostic menu to check if the responses are sent out on the wrong WAN interface.

reply-to requires that the filter rule which allows the inbound traffic is neither a floating rule nor one defined on an interface group.
    So check the filter log to determine which rule allows the access.
    Maybe you've added a floating rule in the past which matches the packets.

  • The traffic wasn't leaving on any interface.
    It turned out there was no default route in the route table.
    I changed the default gateway from the failover group to a specific one and a default route was created.
    Changed it back to the failover group and the default route stayed.

    I found this https://redmine.pfsense.org/issues/9004 because I'm still on 2.4.4_2 (didn't see the update notification because the firewall couldn't reach the servers to check....)

    What an annoying bug.
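As an added illustration of the root cause found above (not part of the original thread), the script below checks a FreeBSD `netstat -rn -f inet` dump, which is what pfSense's routing table looks like, for a default entry. The two routing-table texts are constructed samples, with placeholder networks and interface names, showing the broken state (no default route, so reply traffic has no path out) and the state after the gateway change recreated it.

```shell
#!/bin/sh
# Added example: detect a missing default route in a FreeBSD/pfSense routing table.
# Input: a file holding the output of `netstat -rn -f inet`.
# Prints the default gateway and interface, or a "no default route" message
# and returns 1 so the check can be scripted.

check_default_route() {
    # $1: file with `netstat -rn -f inet` output
    awk '
        $1 == "default" { found = 1; gw = $2; ifc = $NF }
        END {
            if (found) { print "default route via " gw " on " ifc; exit 0 }
            print "no default route: reply traffic has nowhere to go"; exit 1
        }
    ' "$1"
}

# Constructed sample: LAN and two WAN networks present, but no default entry
# (the state described in the thread). Addresses and interfaces are placeholders.
cat > "${TMPDIR:-/tmp}/rt_broken.txt" <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#5             UH          lo0
192.0.2.0/24       link#1             U           em0
198.51.100.0/24    link#2             U           em1
10.0.0.0/24        link#3             U           em2
EOF

# Constructed sample after the fix: a default entry pointing at WAN1's gateway.
cat > "${TMPDIR:-/tmp}/rt_fixed.txt" <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
127.0.0.1          link#5             UH          lo0
192.0.2.0/24       link#1             U           em0
198.51.100.0/24    link#2             U           em1
10.0.0.0/24        link#3             U           em2
EOF

check_default_route "${TMPDIR:-/tmp}/rt_broken.txt" || echo "-> matches the symptom in the thread"
check_default_route "${TMPDIR:-/tmp}/rt_fixed.txt"
```

On a live firewall, pipe `netstat -rn -f inet` into a file and run the function on it; a non-zero exit confirms the routing table, not the reply-to logic, is what needs attention.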

