Private traffic stops passing into WAN after applying rules change until reboot


  • Big picture:
    Outside firewall - controlled by the PTBs
    Inside are two Class C public networks AND 10.228.0.0/15, 10.230.0.0/15 and other private subnets for additional connections - wireless network and others.

    My WAN connection exists in one of the Class C's and I have a pfSense box (well, two) keeping the rest of the organization (a loosely applied term) at bay.

    The PTBs route the organization's 10.228.0.0 etc. traffic to internal public addresses without NAT. So, if a wireless user wants to access a publicly addressed web site that resides in one of the two class C's, they just route the private network packets as is.

    My implementation blocked all private networks on the WAN interface. Then I get reports that some of our web sites can't be reached by folks using the wireless network. I do a little investigation, uncheck block private networks and bogons (for good measure), and add two rules at the top of my WAN rule stack, a la

    Allow IPV4 * MyPrivateNetworks * DMZ_net *
    Block IPV4 * RFC1918_Networks * * *

    --- rest of rules ---

    Test things and everyone is happy.

    The good part:

    Sometime (days, weeks?) later I get a call that the wireless users can no longer reach our websites. I check with my phone connected to our wireless networks and confirm. Anything wired (on the class C's, anything from outside the firewall), anything coming through the main firewall via VPN works fine. Only the internal private networks fail.

    Try many things, reboot firewall and things start working.
    Hmmmm.

    I try some other things and discover that if I change ANYTHING in my rules, even re-order some of the lower rules for other interfaces, traffic from the private networks stops passing after I click Apply and won't start again until after a reboot.
    I started a 60-ping process with a 2-second delay. Things are happy. Change the order of a couple of rules in the LAN network. Click Apply. Pings continue until the 60-ping package is complete. Then I start a second run of pings and nothing passes from the private network, i.e. no response to my pings.

    All the other (non-private) network things continue to work fine.

    Any ideas?

    System Info:
    System Netgate XG-7100
    BIOS Vendor: coreboot
    Version: ADI_PLCC-01.00.00.11
    Release Date: Tue Jan 8 2019
    Version 2.4.4-RELEASE-p3 (amd64)
    built on Thu May 16 06:01:19 EDT 2019
    FreeBSD 11.2-RELEASE-p10
    The system is on the latest version.
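    As an added illustration of the first-match ordering behind the two WAN rules above (this is not code from the post or from pfSense), the Python model below evaluates a packet against the rule stack the way pf does, with the interface-level "Block private networks" option checked ahead of the user rules. The DMZ_net prefix and the sample addresses are assumed placeholders, since the post does not give them.

```python
import ipaddress
from dataclasses import dataclass

# Standard RFC1918 space, as matched by the RFC1918_Networks alias / interface option.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# From the post: the organisation's private ranges that must reach the DMZ.
MY_PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.228.0.0/15", "10.230.0.0/15")]
# Assumed placeholder for the DMZ_net alias (the post names it but not its prefix).
DMZ_NET = [ipaddress.ip_network("203.0.113.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: list     # list of ip_network
    dst: list     # list of ip_network
    name: str


def _in(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst, block_private_networks=False):
    """Walk the WAN rule stack top-down; the first match wins (pfSense rules are 'quick').
    The 'Block private networks' interface option is applied before any user rule,
    which is why it must be unchecked for the Allow rule to ever take effect."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if block_private_networks and _in(src, RFC1918):
        return ("block", "Block private networks (interface option)")
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst):
            return (r.action, r.name)
    return ("block", "default deny")


# The two rules from the post, in the order they sit at the top of the WAN stack.
WAN_RULES = [
    Rule("pass", MY_PRIVATE_NETWORKS, DMZ_NET, "Allow MyPrivateNetworks -> DMZ_net"),
    Rule("block", RFC1918, ANY, "Block RFC1918_Networks"),
]
```

Swapping the two rules, or re-enabling the interface option, blocks the same 10.228.0.0/15 packet, which is the ordering the post depends on.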


  • I noticed that when it stops passing the private traffic, there is no indication in the system logs that the traffic is being blocked, and the watch I put on the traffic when it passes no longer indicates that any of this private traffic is passing.