Netgate Discussion Forum

    identical rules-1 works, other doesn't, and other oddities

    Firewalling · 4 Posts · 2 Posters · 549 Views
    meem:

      Today I logged in to get my sonos controller working across VLANs, got as far as installing (but not configuring) PIMD, and noticed my internet wasn't working.

      Through a process of elimination I ended up creating a new, but identical rule to the existing "allow outbound"... if the new rule was positioned higher, internet worked again, if disabled, no dice. I tried resetting states and even rebooting the firewall to no avail. If this isn't a bug what might cause this?
      (image: https://ibb.co/mSQcyrR)

      All the blocks were "default deny rule"

      I'm still getting block messages from my bridged IOT network (IOTBridgeGrp interface group, comprising IOT, VLAN42, IOTBRIDGE), to the firewall on port 53, which was previously working - the rule is as follows-

      States | Interface | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
      0 /0 B | intrnl_lans | IPv4+6 TCP/UDP | * | * | ! This Firewall | 53 (DNS) | * | none | | silently block rogue DNS servers

      Sep 13 10:06:06  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.33:3028   192.168.42.1:53  UDP
      Sep 13 10:06:06  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.18:4096   192.168.42.1:53  UDP
      Sep 13 10:06:06  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.30:13299  192.168.42.1:53  UDP
      Sep 13 10:06:06  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.30:9350   192.168.42.1:53  UDP

      Does anybody know what's up here?

      meem (replying to meem, last edited by meem):

        my interface groups are configured as follows-

        Interface Groups
        Name | Members | Description
        IOTBRIDGEGroup | IOT, VLAN42, IOTBRIDGE | IOT Bridge Group
        inet_out | LAN, IOT, VLAN10, VLAN20, VLAN30, VLAN40, VLAN42, VLAN44, IOTBRIDGE, VLAN70… | groups allowed outbound internet access
        pfblock_grps | LAN, VLAN10, VLAN20, VLAN30, VLAN40, VLAN42, VLAN50 | Groups using PFBlocker
        intrnl_lans | LAN, IOT, OPT3, VLAN10, VLAN20, VLAN30, VLAN40, VLAN42, VLAN44, VLAN50, IOTBRIDGE… | internal Lan groups
        meem:

          I mentioned above that DNS from my IOTBridgeGroup wasn't working, despite the presence of my floating rule that allows the interface group "intrnl_lans" to port 53 tcp/udp only to the firewall.

          I created the same firewall rule, but this time in the IOTBridgeGroup interface, and now DNS is working there.

          My guest network (44) is also logging DNS failures (default deny)

          Sep 13 10:45:36  VLAN44  Default deny rule IPv4 (1000000103)  192.168.44.27:60360  192.168.44.1:53  UDP

          And, as expected, internet access doesn't work.
          So, I create a firewall rule on VLAN44 to allow DNS to the server....

          and now my IOTBridge DNS isn't working again.

          Sep 13 10:50:19  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.17:57061  192.168.42.1:53  UDP
          Sep 13 10:50:20  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.17:57061  192.168.42.1:53  UDP
          Sep 13 10:50:20  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.18:4096   192.168.42.1:53  UDP
          Sep 13 10:50:22  IOTBRIDGE  Default deny rule IPv4 (1000000103)  192.168.42.17:57061  192.168.42.1:53  UDP

          I am tempted to switch back to not using floating rules, but am I just missing something obviously stupid here?

          johnpoz, LAYER 8 Global Moderator (last edited by johnpoz):

            To be honest not exactly sure what you're trying to do, since you don't show your interface rules, nor full rule sets, or even specifically is that floating or an interface?

            If you're trying to pass dns, your rules need to be udp and tcp.. The rules you're showing are only tcp, and you don't even show what is in your alias, etc.. And from the description they sound like outbound rules.. You wouldn't use interface outbound rules to allow access to pfsense IPs for dns from devices behind pfsense.

            Also if you want to make sure rules in floated are evaluated "first" you need to make sure quick is set on them. Which if that is your floating tab, they are not.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

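The point johnpoz makes about "quick" on floating rules is easy to see in a small model of how pf decides a packet. The following Python is an added example, not code from this thread or from pfSense. It assumes pf's usual semantics (the last matching rule wins unless a matching rule carries quick, which ends evaluation at once) and pfSense's load order (default deny first, then floating rules, then interface-group rules, then per-interface rules, with group and interface rules given quick automatically). The group rule that blocks the bridge group from reaching the firewall is constructed for the illustration and is not part of the poster's configuration; the group memberships are taken from the interface-group table above, minus the truncated entries.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    ifaces: frozenset            # interfaces the rule is attached to; empty = any
    protos: frozenset            # {"tcp", "udp"}; empty = any protocol
    to_firewall: Optional[bool]  # True = destination is the firewall itself, None = any
    dport: Optional[int]         # destination port, None = any
    quick: bool                  # pf 'quick': a match ends evaluation immediately
    label: str


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    to_firewall: bool
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((not rule.ifaces or pkt.iface in rule.ifaces)
            and (not rule.protos or pkt.proto in rule.protos)
            and (rule.to_firewall is None or rule.to_firewall == pkt.to_firewall)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides pkt under pf semantics:
    the last matching rule wins, unless a matching rule has quick set, in
    which case evaluation stops there and that rule wins."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("block", "no matching rule")
    return (winner.action, winner.label)


# Group memberships from the thread's Interface Groups table (truncated entries omitted).
IOTBRIDGE_GROUP = frozenset({"IOT", "VLAN42", "IOTBRIDGE"})
INTRNL_LANS = frozenset({"LAN", "IOT", "OPT3", "VLAN10", "VLAN20", "VLAN30",
                         "VLAN40", "VLAN42", "VLAN44", "VLAN50", "IOTBRIDGE"})


def build_ruleset(floating_quick: bool) -> List[Rule]:
    """Constructed ruleset in pfSense's load order: default deny, floating, group."""
    return [
        # pfSense emits the default deny early and without quick, so any later
        # matching pass rule overrides it.
        Rule("block", frozenset(), frozenset(), None, None, False,
             "Default deny rule IPv4"),
        # Floating rule passing DNS to the firewall from the intrnl_lans group;
        # quick only if the box is ticked in the floating rule editor.
        Rule("pass", INTRNL_LANS, frozenset({"tcp", "udp"}), True, 53, floating_quick,
             "floating: allow DNS to this firewall"),
        # Hypothetical interface-group rule (constructed for this example) that blocks
        # the bridge group from reaching the firewall; group rules get quick automatically.
        Rule("block", IOTBRIDGE_GROUP, frozenset(), True, None, True,
             "IOTBRIDGEGroup: block access to firewall"),
    ]


def dns_from(iface: str, floating_quick: bool) -> Tuple[str, str]:
    """Decide a UDP DNS query from iface to the firewall itself."""
    pkt = Packet(iface=iface, proto="udp", to_firewall=True, dport=53)
    return evaluate(build_ruleset(floating_quick), pkt)


if __name__ == "__main__":
    for iface in ("IOTBRIDGE", "VLAN44"):
        for quick in (False, True):
            print(f"{iface:10s} floating quick={quick!s:5s} -> {dns_from(iface, quick)}")
```

Run stand-alone it prints one decision per case: from IOTBRIDGE the non-quick floating pass loses to the later quick group block, while the same floating rule with quick set wins; from VLAN44, where no later rule matches, the non-quick floating pass still overrides the default deny because it is the last match. That is the practical check when a floating rule "only works sometimes": without quick, it only decides traffic that no later group or interface rule matches, so look at what is loaded after it.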
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.