Netgate Discussion Forum
    Firewall rules are ignored after update to 2.5.1

    Firewalling
    • Bladeinger

      Hi Guys,

      Last Saturday we upgraded our pfSense box to 2.5.1.
      Today we realized that all NAT and inbound rules are ignored and all the traffic is being blocked by the "Default deny rule IPv4 (1000000103)".
      Even if I click the button "Easy Rule: Pass this traffic" in the firewall log, this rule is ignored.
      No wonder, as this function only adds a rule that already exists...
      What can be done to restore the expected behavior we had before the update?

      Thanks for any answer!

      Michael

      • Gertjan @Bladeinger

        NAT should work.
        That is, as long as you're using multiple WANs. See the many posts and redmine item about the issue.

        I'm using a single WAN setup on pfSense 2.5.1 CE and NAT works just fine.

        "Easy Rule: Pass this traffic"

        NAT is two 'things', not one.
        It's a firewall rule, so traffic can enter the WAN interface,
        and
        a "special" rule that rewrites the destination IP from something that was the WAN IP to an address situated on one of the LANs.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • Bladeinger

          Hi Gertjan,

          thank you for your answer.
          I know how NAT works.

          But the interesting thing for me is what to do to have the functionality back that worked for years on this box before the update.

          Michael.

          • SteveITS @Gertjan

            @gertjan said in Firewall rules are ignored after update to 2.5.1:

            as long as your using multiple WAN's

            I think you meant, "as long as you're not using multiple WANs." :)

            Bug report "Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only)" and the release notes say it's fixed in 2.5.2, so @Bladeinger could try upgrading to the 2.5.2-RC release candidate or wait a bit for 2.5.2 to be released.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!
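            Added example (not from any post in this thread): a small POSIX shell check that turns Gertjan's "NAT is two things" point and the reply-to bug Steve cites into something you can run on the box. pfSense installs a port forward as an rdr rule (visible with `pfctl -sn`) plus a pass rule on the WAN (visible with `pfctl -sr`). On a multi-WAN box that pass rule also needs a `reply-to` naming the interface the packet arrived on; without it the reply follows the routing table out the default gateway and the connection never completes, which is exactly the "only works through the default gateway interface" symptom. The script reads `pfctl -sr` style lines and prints every port-forward pass rule on a non-default WAN whose reply-to is missing or points at another interface. The sample rules are constructed to resemble pfctl output; the interface names (em0, em1), the addresses and the exact spacing of the reply-to option are assumptions, not taken from the thread or from a real box.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense itself.
# Checks that pfSense port-forward pass rules on a non-default WAN carry a
# reply-to for the interface they are bound to. On a live box feed it real
# output:   pfctl -sr | check_reply_to <default-gateway-interface>

# Constructed sample resembling `pfctl -sr` output. em0 is assumed to be the
# default-gateway WAN, em1 a second WAN; addresses are documentation ranges.
SAMPLE_RULES='pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: NAT https"
pass in quick on em1 inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: NAT https WAN2"
pass in quick on em1 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.1.10 port = 22 flags S/SA keep state label "USER_RULE: NAT ssh WAN2"
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 80 flags S/SA keep state label "USER_RULE: NAT http"
block drop in log inet all label "Default deny rule IPv4"'

# check_reply_to DEFAULT_IF
#   Reads filter rules on stdin. Prints each port-forward pass rule (pfSense
#   labels them "USER_RULE: NAT ...") that enters an interface other than
#   DEFAULT_IF without a reply-to naming that same interface.
#   Rules on the default-gateway WAN are skipped: their replies route
#   correctly with or without reply-to.
check_reply_to() {
    awk -v dflt="$1" '
        /^pass in / && /label "USER_RULE: NAT/ {
            ifc = ""; rt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on") ifc = $(i + 1)
                if ($i == "reply-to") {
                    # accept both "reply-to (em0 1.2.3.4)" and "reply-to ( em0 1.2.3.4 )"
                    rt = $(i + 1); sub(/^\(/, "", rt)
                    if (rt == "") rt = $(i + 2)
                }
            }
            if (ifc != dflt && rt != ifc) print
        }'
}

# count_bad DEFAULT_IF: number of offending rules in the constructed sample.
count_bad() {
    printf '%s\n' "$SAMPLE_RULES" | check_reply_to "$1" | awk 'END { print NR }'
}

# Stand-alone run against the sample: flags the em1 rule with no reply-to and
# the em1 rule whose reply-to points at em0.
printf '%s\n' "$SAMPLE_RULES" | check_reply_to em0
```

            On a live box run `pfctl -sr | check_reply_to em0` with your own default-gateway interface substituted; `pfctl -sn` shows the matching rdr rules so you can confirm both halves of the port forward are loaded. Empty output means every non-default-WAN port forward has its reply-to; a printed line is the rule to inspect. This is a consistency check on the loaded ruleset, not a fix: the workaround used in this thread was to move the default gateway to the interface the traffic arrives on, and the proper fix is the 2.5.2 release.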

            • Bladeinger @SteveITS

              Hi Steve,

              thank you very much for your answer.
              I will try the release candidate, as it's kind of urgent.

              I'll report back if the problem is resolved.

              Michael

              • Bladeinger @Bladeinger

                Ok, problem solved.

                As I am not a friend of using release candidates in a production environment, after reading the bug report I decided to solve the problem by changing the default gateway to the same interface on which the blocked packets reach the box.
                Immediately everything worked as it did before the update.

                I will leave it like this, until the official 2.5.2 is released.

                Thanks again Steve, for giving me this precious hint!

                Michael

                • Gertjan @SteveITS

                  @steveits Yeah, the not is essential .... sorry about that.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.