identical rules-1 works, other doesn't, and other oddities
-
Today I logged in to get my Sonos controller working across VLANs, got as far as installing (but not configuring) PIMD, and noticed my internet wasn't working.
Through a process of elimination I ended up creating a new but identical rule to the existing "allow outbound"... if the new rule was positioned higher, internet worked again; if disabled, no dice. I tried resetting states and even rebooting the firewall to no avail. If this isn't a bug, what might cause this?
https://ibb.co/mSQcyrR
All the blocks were "default deny rule".
I'm still getting block messages from my bridged IOT network (IOTBridgeGrp interface group, comprising IOT, VLAN42, IOTBRIDGE) to the firewall on port 53, which was previously working. The rule is as follows:
States | Interface | Protocol | Source | Port | Destination | Port | Gateway | Queue | Description
0 /0 B | intrnl_lans | IPv4+6 TCP/UDP | * | * | ! This Firewall | 53 (DNS) | * | none | silently block rogue DNS servers
Sep 13 10:06:06 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.33:3028 192.168.42.1:53 UDP
Sep 13 10:06:06 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.18:4096 192.168.42.1:53 UDP
Sep 13 10:06:06 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.30:13299 192.168.42.1:53 UDP
Sep 13 10:06:06 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.30:9350 192.168.42.1:53 UDP
Does anybody know what's up here?
-
My interface groups are configured as follows:
Interface Groups
Name | Members | Description
IOTBRIDGEGroup | IOT, VLAN42, IOTBRIDGE | IOT Bridge Group
inet_out | LAN, IOT, VLAN10, VLAN20, VLAN30, VLAN40, VLAN42, VLAN44, IOTBRIDGE, VLAN70… | groups allowed outbound internet access
pfblock_grps | LAN, VLAN10, VLAN20, VLAN30, VLAN40, VLAN42, VLAN50 | Groups using PFBlocker
intrnl_lans | LAN, IOT, OPT3, VLAN10, VLAN20, VLAN30, VLAN40, VLAN42, VLAN44, VLAN50, IOTBRIDGE… | internal Lan groups
-
I mentioned above that DNS from my IOTBridgeGroup wasn't working, despite the presence of my floating rule that allows the interface group "intrnl_lans" to port 53 tcp/udp only to the firewall.
I created the same firewall rule, but this time in the IOTBridgeGroup interface, and now DNS is working there.
My guest network (44) is also logging DNS failures (default deny)
Sep 13 10:45:36 VLAN44 Default deny rule IPv4 (1000000103) 192.168.44.27:60360 192.168.44.1:53 UDP
And, as expected, internet access doesn't work.
So, I create a firewall rule on VLAN44 to allow DNS to the server... and now my IOTBridge DNS isn't working again.
Sep 13 10:50:19 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.17:57061 192.168.42.1:53 UDP
Sep 13 10:50:20 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.17:57061 192.168.42.1:53 UDP
Sep 13 10:50:20 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.18:4096 192.168.42.1:53 UDP
Sep 13 10:50:22 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.17:57061 192.168.42.1:53 UDP
I am tempted to switch back to not using floating rules, but am I just missing something obviously stupid here?
-
To be honest I'm not exactly sure what you're trying to do, since you don't show your interface rules, nor full rule sets, or even specifically whether that is floating or an interface?
If you're trying to pass DNS, your rules need to be UDP and TCP. The rules you're showing are only TCP, and you don't even show what is in your alias, etc. And from the description they sound like outbound rules. You wouldn't use interface outbound rules to allow access to pfSense IPs for DNS from devices behind pfSense.
Also, if you want to make sure rules in floating are evaluated "first", you need to make sure quick is set on them. Which, if that is your floating tab, they are not.
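As an added example (not from the thread), a small model of pf's matching order that makes the quick point concrete: without quick, a later interface-tab pass overrides the floating "silently block rogue DNS servers" rule, while the DNS-to-firewall flows from the pasted log match nothing but the default deny. The ruleset, the intrnl_lans range and the "allow outbound" interface rule are constructed assumptions, and pfSense's generated order (default deny first, then floating rules, then always-quick interface rules) is assumed here rather than taken from the thread.

```python
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

FIREWALL_IPS = {"192.168.42.1", "192.168.44.1"}  # "This Firewall" addresses seen in the thread's log lines
INTRNL_LANS = ip_network("192.168.0.0/16")       # stand-in for the intrnl_lans group (assumption)

# action: "pass"/"block"; quick: pf 'quick' (stop evaluating on match); src/dst: ip_network, "any" or "firewall";
# dst_not: negated destination like "! This Firewall" above; dport: destination port or None for any.
# Protocol is left out: every flow in the thread is port 53.
Rule = namedtuple("Rule", "action quick src dst dst_not dport label")

def _in(addr, spec):
    return str(addr) in FIREWALL_IPS if spec == "firewall" else (spec == "any" or addr in spec)

def matches(rule, src, dst, dport):
    return _in(src, rule.src) and (_in(dst, rule.dst) != rule.dst_not) and rule.dport in (None, dport)

def evaluate(rules, src, dst, dport):
    """pf semantics: the LAST matching rule decides, unless a matching rule is quick."""
    decision = ("block", "no rule matched")
    for r in rules:
        if matches(r, ip_address(src), ip_address(dst), dport):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision

def ruleset(floating_quick):
    """Constructed ruleset in pfSense's generated order: default deny, then floating, then interface tabs."""
    return [
        Rule("block", False, "any", "any", False, None, "Default deny rule IPv4 (1000000103)"),
        Rule("block", floating_quick, INTRNL_LANS, "firewall", True, 53, "floating: silently block rogue DNS servers"),
        Rule("pass", True, INTRNL_LANS, INTRNL_LANS, True, None, "interface tab: allow outbound (constructed)"),
    ]

# One block-log line as pasted in the thread: interface, tracker id, src:port, dst:port, proto.
LOG_RE = re.compile(r"(\S+) Default deny rule IPv4 \((\d+)\) ([\d.]+):\d+ ([\d.]+):(\d+) (\w+)")

def parse_block_log(line):
    iface, tracker, src, dst, dport, proto = LOG_RE.search(line).groups()
    return {"iface": iface, "tracker": tracker, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def demo():
    flow = parse_block_log("Sep 13 10:06:06 IOTBRIDGE Default deny rule IPv4 (1000000103) 192.168.42.33:3028 192.168.42.1:53 UDP")
    to_firewall = evaluate(ruleset(False), flow["src"], flow["dst"], flow["dport"])  # no pass rule matches: default deny, as logged
    rogue_no_quick = evaluate(ruleset(False), flow["src"], "203.0.113.53", 53)       # later quick pass overrides the floating block
    rogue_quick = evaluate(ruleset(True), flow["src"], "203.0.113.53", 53)           # with quick set, the floating block wins
    return to_firewall, rogue_no_quick, rogue_quick
```

The 203.0.113.53 destination is a documentation address standing in for an external DNS server, so the second result shows the rogue-DNS block being bypassed when quick is unset.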