Is there a Reason why some Firewall rules are delayed?



  • Hello.

    I recently added a Virtual IP for our email server and completed the NAT port forward configuration, but in this configuration I made a mistake and the internal port number was different from the external port number. Unfortunately, I caught this mistake only after all rules were "applied" and discovered I was unable to reach the webmail page, which is set to HTTP port 80.

    I made the corrections where necessary, as in the NAT Port Forward page and the related Firewall rules, however I still could not open the Webmail page using the external IP Address.

    At this point, I cleared all entries related to the Virtual IP, NAT Port Forward, and Firewall rules, rebooted pfSense and started again from scratch.

    This time, instead of using a Virtual IP, I opted for NAT Port Forward with "auto create firewall rule" and "Applied" all.

    I was still unable to connect and waited some time with no joy as I re-tried. I then rebooted pfSense and left the crime scene.

    Some four hours later, I was able to connect to our webmail no problem.

    I am wondering if there is a step I missed? Should I have cleared the firewall state tables? Would this have helped? Is this behavior "normal" for pfSense? Also, access under secure HTTP is very slow to load pages; is this also normal?

    I am asking for help to answer these questions; I would be grateful, as this would help towards an additional manual for pfSense simple firewall configuration. As Vyatta has excellent documentation, there is no reason whatsoever why pfSense, community based at that, cannot have the same, and updated frequently at that.

    Thanks again for your help.



  • After you press the apply you see the message:
    "The settings have been applied. The firewall rules are now reloading in the background. You can also monitor the reload progress."
    Have you ever clicked the "monitor" link it provides?
    Depending on your hardware and how complex and extensive your rules are it can take quite a while until all the rules are rebuilt and actually loaded.



  • Okay, thank you.

    The rules are not complex at this point, and the hardware is a Dell R300 with 2GB RAM, 15k RPM hard drives, and a quad-core AMD processor. I am now wondering if I selected the wrong processor during install. Though there is a single processor, I selected multiple processors because the processor is a multi-core processor. Is this wrong?


  • Rebel Alliance Developer Netgate

    It may also be that there is an existing firewall state for the connection you are trying to block. An existing state from a previous allow rule will still allow traffic even if there is a new block rule.

    The state must first expire, or be cleared, then the rule will work for that connection.

    Other, new connections should be blocked by the rule.
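    To make the point above concrete, here is an added example (not from the original thread) that parses a constructed sample of `pfctl -ss` output and lists the live inbound states that would still let traffic through to a given internal port after a rule change, together with the `pfctl -k` commands that would clear them. The sample state lines, hosts and ports are all made up; the function only prints commands and runs nothing on the firewall.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output (not captured from a real box).
# Inbound entries read: iface proto dst [(nat-dst)] <- src   state
SAMPLE_STATES='all tcp 10.0.0.5:80 (203.0.113.1:80) <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:443 (203.0.113.1:443) <- 198.51.100.5:51240       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:80 (203.0.113.1:80) <- 192.0.2.77:40001       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 192.0.2.9:5353       MULTIPLE:MULTIPLE'

# For every inbound state whose internal destination port is $1, print the
# pfctl command that would kill it.  A new block rule does not touch these
# entries; until they expire or are killed, the matching connections keep
# flowing.  Note that `pfctl -k SRC -k DST` removes all states between that
# host pair, not only the one on this port; `pfctl -F states` flushes all.
kill_cmds_for_port() {
    printf '%s\n' "$SAMPLE_STATES" | awk -v port="$1" '
        {
            arrow = 0
            # find the inbound arrow; dst is the field before it (two
            # before when the NAT translation in parentheses is shown),
            # src is the field after it
            for (i = 1; i <= NF; i++) if ($i == "<-") arrow = i
            if (!arrow) next
            dst = ($(arrow-1) ~ /^\(/) ? $(arrow-2) : $(arrow-1)
            src = $(arrow+1)
            split(dst, d, ":"); split(src, s, ":")
            if (d[2] == port) printf "pfctl -k %s -k %s\n", s[1], d[1]
        }'
}

# Stand-alone usage: show what still has a live state on port 80.
kill_cmds_for_port 80
```

On a real pfSense box the same check is Diagnostics > States (filter on the port), and Diagnostics > States > Reset States is the GUI equivalent of `pfctl -F states`.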

