Strange Problem plz help
-
I am facing a strange problem in pfSense.
The problem I am facing is that rules don't work unless pfSense reboots; also, routing between the various LANs in pfSense is not working. I made a rule for one IP to use a particular gateway. A few days back, when you clicked on Apply Changes, this rule started working immediately, but now we have to restart the firewall in order for this rule to work. This happened a few months back also, which was rectified after I updated pfSense. But now no update is available, so the problem remains. Can somebody tell me what the exact problem is and how to rectify it?
-
@mohitsofat said in Strange Problem plz help:
Can some body tell me what is the exact problem and how to rectify it.
Not without more details..
Keep in mind when you change a rule, or add a rule - if states already exist for whatever traffic you're creating a rule for, you need to clear that existing state for that traffic.
If you want to force IP 192.168.1.100 out a specific gateway, and it had a state going out a different gateway, you have to clear the state for 192.168.1.100 going out the old gateway before the rule will force a new state.
Or you need to wait til that state expires or is closed by the clients using it.
-
Yes, probably just an existing open state you will need to clear or wait to timeout.
However also try reloading the ruleset in Status > Filter Reload. Make sure it loads cleanly without returning any errors.
Steve
-
Thanks for the Prompt Reply.
I have done all the things, i.e. killed all states and even restarted the box. Still it's pointing to the same gateway. I am attaching screenshots of my rule; the gateway selected is the 2nd one, but when I check tracert and my public IP over the net it's pointing to my 1st gateway.
-
Don't really need to see 1 rule - need to see all the rules on this interface. And if you have any floating rules.
Rules are evaluated top down; the first rule to trigger wins and no other rules are evaluated. You could have a rule that sends it out the default above your gateway rule.. Then it's never going to use that gateway..
-
Yup, need to see all the rules.
Though traceroute will never match that rule as it uses UDP or ICMP and that rule is TCP only.
Steve
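A toy model of the two points raised above (an open state bypasses the rules, and rules are walked top down with the first match winning, so a TCP-only rule never sees a UDP/ICMP traceroute). This is an added illustration for the thread, not pfSense or pf code; the rule set, host address and gateway names are constructed.

```python
"""Toy model of how pf picks a gateway for a flow: an existing state wins,
otherwise the interface rules are walked top down, first match wins.
Constructed for illustration; not pfSense code."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    proto: str      # "any", "tcp", "udp" or "icmp"
    src: str        # "any" or a single host address
    gateway: str    # "default" or a named gateway (constructed names below)


@dataclass
class Firewall:
    rules: list
    states: dict = field(default_factory=dict)  # (proto, src, dst) -> gateway

    def match(self, proto, src):
        """Top-down walk: the first matching rule wins, the rest are ignored."""
        for rule in self.rules:
            if rule.proto in ("any", proto) and rule.src in ("any", src):
                return rule
        return None

    def route(self, proto, src, dst):
        """An open state keeps its old gateway no matter what the rules say now."""
        key = (proto, src, dst)
        if key in self.states:
            return self.states[key]
        rule = self.match(proto, src)
        if rule is None:
            return "blocked"
        self.states[key] = rule.gateway
        return rule.gateway

    def kill_states(self, src):
        """Drop every state for one host, in the spirit of clearing states."""
        for key in [k for k in self.states if k[1] == src]:
            del self.states[key]


HOST = "192.168.1.100"   # constructed host address
# Catch-all allow ABOVE the policy-route rule: the gateway rule can never win.
bad_order = Firewall([Rule("any", "any", "default"), Rule("tcp", HOST, "WAN2_GW")])
# Policy-route rule first, but still TCP only: UDP/ICMP traceroute falls through.
good_order = Firewall([Rule("tcp", HOST, "WAN2_GW"), Rule("any", "any", "default")])
```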
-
@stephenw10 good catch - didn't really even bother looking at the rule to be honest ;) need the interface's rules, and need to know if anything is on floating.
Another thing that can come up when trying to policy route - is if you have existing state sending it out the other gateway.
you "can" do a tcp traceroute - but it's not part of the default traceroute tool ;)
https://linux.die.net/man/1/tcptraceroute
-
@johnpoz said in Strange Problem plz help:
you "can" do a tcp traceroute - but it's not part of the default traceroute tool ;)
Or maybe this, although I haven't used it yet, I'm looking at it now and this is what I see:
"By default, MTR sends ICMP echo request packets and uses the ICMP time exceeded error message to determine the devices in the path between source and destination. However, some devices filter ICMP packets causing MTR not to report properly. One way around this is to change the way MTR works. Instead of sending ICMP, you can configure MTR to send UDP, TCP, or even SCTP (Stream Control Transmission Protocol) packets. You can also specify the port you want it to send to."
Orig: https://www.bitwizard.nl/mtr/
https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-mtr-nox11
installable package: mtr-nox11 0.85.6_2
-
Yup, it's possible to use TCP. I was more pointing out that rule is set to TCP and that's probably unintentional.
I doubt that's the issue though since OP says he's checking his public IP, which I assume is via ipchicken or similar. That would be TCP anyway.
Steve