Netgate Discussion Forum

    Private traffic stops passing into WAN after applying rules change until reboot

    pstine (last edited by pstine):

      Big picture:
      Outside firewall - controlled by the PTBs
      Inside are two Class C public networks AND 10.228.0.0/15, 10.230.0.0/15 and other private subnets for additional connections - wireless network and others.

      My WAN connection exists in one of the Class C's and I have a pfSense box (well, two) keeping the rest of the organization (a loosely applied term) at bay.

      The PTBs route the organization's 10.228.0.0 etc. traffic to internal public addresses without NAT. So, if a wireless user wants to access a publicly addressed web site that resides in one of the two Class C's, they just route the private network packets as is.

      My implementation blocked all private networks on the WAN interface. Then I get reports that some of our web sites can't be reached by folks using the wireless network. I do a little investigation and uncheck block private networks and bogons (for good measure) and add two rules at the top of my WAN rule stack, a la

      Allow IPV4 * MyPrivateNetworks * DMZ_net *
      Block IPV4 * RFC1918_Networks * * *

      --- rest of rules ---

      Test things and everyone is happy.

      The good part:

      Sometime (days, weeks?) later I get a call that the wireless users can no longer reach our websites. I check with my phone connected to our wireless networks and confirm. Anything wired (on the class C's, anything from outside the firewall), anything coming through the main firewall via VPN works fine. Only internal private networks.

      Try many things, reboot firewall and things start working.
      Hmmmm.

      I try some other things and discover that if I change ANYTHING in my rules, even re-order some of the lower rules for other interfaces, traffic from the private networks stops passing after I click Apply and won't start again until after a reboot.
      I started a 60-ping process with a 2-second delay. Things are happy. Change the order of a couple of rules in the LAN network. Click Apply. Pings continue until the 60-ping package is complete. Then I start a second run of pings and nothing passes from the private network, i.e. no response to my pings.

      All the other (non-private) network things continue to work fine.

      Any ideas?

      System Info:
      System Netgate XG-7100
      BIOS Vendor: coreboot
      Version: ADI_PLCC-01.00.00.11
      Release Date: Tue Jan 8 2019
      Version 2.4.4-RELEASE-p3 (amd64)
      built on Thu May 16 06:01:19 EDT 2019
      FreeBSD 11.2-RELEASE-p10
      The system is on the latest version.

      pstine (last edited by pstine):

        I noticed that when it stops passing the private traffic there is no indication in the system logs that the traffic is being blocked, and the watch I put on traffic when it passes no longer indicates that any of this private traffic is passing.

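A small diagnostic, added here and not part of pstine's posts or of pfSense itself: it reads `pfctl -sr` and `pfctl -ss` output and checks that the allow rule for the private networks still sits above the RFC1918 block on WAN and that states from 10.228.0.0/15 and 10.230.0.0/15 are actually being created after Apply, which is what the ping observation above points at (existing states survive, new ones do not appear). The WAN interface name `ix0` and the exact pfctl line layouts are assumptions.

```shell
# Added diagnostic (not from the forum post or pfSense). Reads the output of
# `pfctl -sr` (loaded rules) and `pfctl -ss` (state table) and checks the two
# things worth verifying right after clicking Apply:
#   1. the pass rule for <MyPrivateNetworks> still sits above the RFC1918
#      block on the WAN interface;
#   2. states from 10.228.0.0/15 and 10.230.0.0/15 are actually being created.
# Alias names are the ones the post uses; WAN interface "ix0" is an assumption.

WAN_IF="${WAN_IF:-ix0}"

# rule_order: reads a ruleset on stdin; prints "ok" when the first pass rule
# from <MyPrivateNetworks> on WAN precedes the first RFC1918 block, "missing"
# if either rule is absent, "inverted" if the block comes first.
rule_order() {
  awk -v ifc="$WAN_IF" '
    $0 ~ ("^pass in quick on " ifc " .*<MyPrivateNetworks>") && !p { p = NR }
    $0 ~ ("^block .* on " ifc " .*<RFC1918_Networks>")       && !b { b = NR }
    END {
      if (!p || !b)   print "missing"
      else if (p < b) print "ok"
      else            print "inverted"
    }'
}

# priv_states: reads `pfctl -ss` output on stdin and counts states whose
# source is inside the two /15s (second octet 228-231 covers both exactly).
# pf prints inbound states as "dst <- src" and outbound as "src -> dst".
priv_states() {
  awk '
    { src = ($4 == "<-") ? $5 : $3 }
    src ~ /^10\.(22[89]|23[01])\./ { n++ }
    END { print n + 0 }'
}

# check_live: run this on the firewall once before and once after Apply.
check_live() {
  echo "rule order : $(pfctl -sr | rule_order)"
  echo "priv states: $(pfctl -ss | priv_states)"
}

# Constructed sample output (approximating pfctl's line format) for testing
# the helpers off-box.
SAMPLE_RULES='pass in quick on ix0 inet from <MyPrivateNetworks> to <DMZ_net> flags S/SA keep state label "USER_RULE"
block drop in quick on ix0 inet from <RFC1918_Networks> to any label "USER_RULE"
pass in quick on ix0 inet proto tcp from any to 198.51.100.10 port = 443 flags S/SA keep state'
SAMPLE_STATES='all icmp 198.51.100.10:7 <- 10.228.4.7:7       0:0
all tcp 198.51.100.10:443 <- 10.230.9.2:51012       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:52345 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED'
```

On the box, `check_live` before Apply should report `ok` with a non-zero state count; a drop to zero new private states afterwards, with the rule order unchanged, narrows the fault to state creation rather than rule ordering.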