21.02 - Killed NAT on one WAN interface
I will be the first person to say that I am stupid. So, we can get that out of the way.
Has anyone else seen this problem? I upgraded to version 21.02 and the NAT on one of the two WAN interfaces stopped working. The traffic gets passed in and redirected to its destination on the LAN without any problem. The destination returns a reply. The LAN interface on the pfSense sees it. So far, so good. The next step would be for pfSense to send it out on the WAN interface, but there is nothing when I watch this process with tcpdump. I see the traffic coming in on the WAN, going out on the LAN, coming back on the LAN and then nothing...
Looking at /var/log/filter.log and /tmp/rules.debug, I found these two pieces of information.
Feb 22 17:24:15 halley filterlog: 9,,,1000000104,igb0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,<DEST IP>,<SRC IP>,20122,43435,0,SAE,2144135778,4175742565,65535,,mss;nop;wscale;sackOK;TS
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
Obviously, pfSense is executing the default deny rule, but...
Why is it doing it on only one of the two WAN interfaces?
It was working for years with version 2.4.5. Why did version 21.02 provoke this problem?
If anyone has any ideas, I would be interested. Putting in new NAT and firewall rules has not solved the problem. Even adding a specific rule to pass all traffic to and from the SRC and DEST addresses does work. It is like pfSense has lost track of this connection, but it is indeed established in the state table.
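The diagnosis above rests on two artefacts: the filterlog line, whose fourth field is the tracker ID, and /tmp/rules.debug, where the same tracker ID appears next to the rule's label. The script below is an added example, not code from the original post or from pfSense. It parses filterlog lines using the pfSense 2.4+/21.02 field layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields and the TCP/UDP port fields), maps tracker IDs to labels from a rules.debug extract, and reports TCP SYN/ACKs that were blocked outbound on a WAN interface, which is the exact symptom in the post. The log and rule extracts are constructed for the example; RFC 5737 addresses stand in for the poster's <SRC IP> and <DEST IP>, and the "NAT forward" pass rule and its tracker 1000002850 are invented.

```python
"""Correlate pfSense filterlog entries with the rule that produced them.

Added example, not code from the original post or from pfSense.  Assumes the
filterlog CSV layout of pfSense 2.4+/21.02 and that every rule in
/tmp/rules.debug carries "tracker <id>" plus an optional label "...".
The log and rule extracts below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed /var/log/filter.log extract.  Line 2 mirrors the poster's blocked
# reply (SYN/ACK out on igb0 hitting tracker 1000000104); line 1 is the SYN that
# was passed in by a (constructed) port-forward rule; line 3 is unrelated noise.
SAMPLE_FILTER_LOG = """\
Feb 22 17:24:15 halley filterlog: 7,,,1000002850,igb0,match,pass,in,4,0x0,,62,0,0,DF,6,tcp,60,203.0.113.5,10.0.0.20,43435,20122,0,S,4175742564,0,65535,,mss;nop;wscale;sackOK;TS
Feb 22 17:24:15 halley filterlog: 9,,,1000000104,igb0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,198.51.100.10,203.0.113.5,20122,43435,0,SAE,2144135778,4175742565,65535,,mss;nop;wscale;sackOK;TS
Feb 22 17:24:16 halley filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,none,17,udp,78,192.0.2.33,198.51.100.10,50000,161,58
"""

# Constructed /tmp/rules.debug extract (the third rule is invented).
SAMPLE_RULES_DEBUG = """\
block in log inet all tracker 1000000103 label "Default deny rule IPv4"
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
pass in quick on igb0 inet proto tcp from any to 10.0.0.20 port 20122 tracker 1000002850 label "USER_RULE: NAT forward (constructed)"
"""

FILTERLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog: (?P<csv>.+)$")
TRACKER_RE = re.compile(r"tracker (?P<tracker>\d+)(?: label \"(?P<label>[^\"]*)\")?")


@dataclass
class Entry:
    ts: str
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[str] = None
    dport: Optional[str] = None
    tcp_flags: Optional[str] = None


def parse_filterlog_line(line: str) -> Optional[Entry]:
    """Parse one syslog line written by filterlog; None if it is not one."""
    m = FILTERLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    tracker, iface, action, direction, ipver = f[3], f[4], f[6], f[7], f[8]
    if ipver == "4":
        # tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":
        # class, flow-label, hop-limit, proto, proto-id, length, src, dst
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    e = Entry(m.group("ts"), tracker, iface, action, direction, proto, src, dst)
    if proto in ("tcp", "udp") and len(rest) >= 2:
        e.sport, e.dport = rest[0], rest[1]
    if proto == "tcp" and len(rest) >= 4:
        e.tcp_flags = rest[3]  # e.g. "S", "SAE", "PA"
    return e


def parse_filterlog(text: str) -> List[Entry]:
    return [e for e in (parse_filterlog_line(l) for l in text.splitlines()) if e]


def load_tracker_labels(rules_debug: str) -> Dict[str, str]:
    """Map tracker id -> rule label (or the whole rule line when unlabelled)."""
    labels: Dict[str, str] = {}
    for line in rules_debug.splitlines():
        m = TRACKER_RE.search(line)
        if m:
            labels[m.group("tracker")] = m.group("label") or line.strip()
    return labels


def blocked_replies(entries: Iterable[Entry], labels: Dict[str, str],
                    wan_ifaces: Iterable[str]) -> List[Tuple[Entry, str]]:
    """TCP SYN/ACKs blocked outbound on a WAN interface.

    A packet that matches an existing pf state never reaches the ruleset, so a
    reply that is evaluated (and dropped) by a block-out rule is the signature
    of a connection whose state does not cover the return path.
    """
    wan = set(wan_ifaces)
    hits = []
    for e in entries:
        if (e.action == "block" and e.direction == "out" and e.iface in wan
                and e.proto == "tcp" and e.tcp_flags
                and "S" in e.tcp_flags and "A" in e.tcp_flags):
            hits.append((e, labels.get(e.tracker, "<unknown tracker>")))
    return hits


if __name__ == "__main__":
    labels = load_tracker_labels(SAMPLE_RULES_DEBUG)
    for e, label in blocked_replies(parse_filterlog(SAMPLE_FILTER_LOG), labels, ["igb0"]):
        print(f"{e.ts} {e.iface} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"flags={e.tcp_flags} blocked by tracker {e.tracker} ({label})")
```

On a real box, feed it the output of `clog /var/log/filter.log` (or the plain file on 21.02) and `/tmp/rules.debug`, and pass both WAN interface names to blocked_replies; a SYN/ACK surfacing there is the confirmation that the reply is being evaluated against the ruleset instead of riding the existing state.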