Firewall rules are ignored after update to 2.5.1
-
Hi Guys,
last Saturday we upgraded our pfsense box to 2.5.1.
Today we realized, that all NAT and inbound rules are ignored and all the traffic is being blocked by the "Default deny rule IPv4 (1000000103)".
Even if I click the button "Easy Rule: Pass this traffic" in the firewall log, this rule is ignored.
No wonder, as this function only adds a rule, that already exists...
What can be done to restore the expected behavior we had before the update?Thanks for any answer!
Michael
-
NAT should work.
That is, as long as your using multiple WAN's. See the many posts and redmine item about the issue.I'm using a single WAN setup on pfSense 2.5.1 CE and NAT works just fine.
"Easy Rule: Pass this traffic
NAT is two 'things', not one.
It's a firewall rule, so traffic can enter the WAN interface
and
a "special" rule that re writes the destination IP from something that was the WAN IP to an address situated on one of the LAN's. -
Hi Gertjan,
thank you for your answer.
I know how NAT works.But the interesting thing for me is, what to do to have the functionality back, that worked for years on this box before the update.
Michael.
-
@gertjan said in Firewall rules are ignored after update to 2.5.1:
as long as your using multiple WAN's
I think you meant, "as long as you're not using multiple WANs." :)
Bug report Port forward rules only function through the default gateway interface,
reply-todoes not work for Multi-WAN (CE Only) and the release notes say it's fixed in 2.5.2 so @Bladeinger could try upgrading to the 2.5.2-RC release candidate or wait a bit for 2.5.2 to be released.Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts! -
Hi Steve,
thank you very much for your answer.
I will try the release candidate, as it's kind of urgent.I'll report back if the problem is resolved.
Michael
-
Ok, problem solved.
As I am not a friend of using release candidates in a production environment, after reading the bug report I decided to solve the problem by changing the default gateway to the same interface on which the blocked packets reach the box.
Immediately everything worked as it did before the update.I will leave it like this, until the official 2.5.2 is released.
Thanks again Steve, for giving me this precious hint!
Michael
-
@steveits Yeah, the not is essential .... sorry about that.
