VLAN an Firewall rule not matching
-
@johnpoz said in VLAN an Firewall rule not matching:
@interessierter yeah that there.. Well 2mil should be quite large, unless you have more aliases not showing?
None of my custom aliases are showing. What should I set?
-
@interessierter what I would suggest is for testing turn off all your pfblocker aliases, since they can be large.. I would also turn off bogonV6 if you have that enabled. Also another one that can just be freaking huge.
I doubt that bypass firewall rules has anything to do with it.. Because I just set it, and still see my tables populated.. Even after filter reload. But unless you have a specific use case for that - it shouldn't be enabled. It sure isn't enabled by default.. Not sure why you would have turned that on?
I would then do a filter reload - under status.. Do you see any errors on loading anything?
If your tables are not populated there is no way they could be used in rules..
-
@johnpoz said in VLAN an Firewall rule not matching:
@interessierter what I would suggest is for testing turn off all your pfblocker aliases, since they can be large.. I would also turn off bogonV6 if you have that enabled. Also another one that can just be freaking huge.
I doubt that bypass firewall rules has anything to do with it.. Because I just set it, and still see my tables populated.. Even after filter reload. But unless you have a specific use case for that - it shouldn't be enabled. It sure isn't enabled by default.. Not sure why you would have turned that on?
I would then do a filter reload - under status.. Do you see any errors on loading anything?
If your tables are not populated there is no way they could be used in rules..
I get this one at the end:
Loading filter rules
Setting up logging information
Setting up SCRUB information
There were error(s) loading the rules: /tmp/rules.debug:135: could not parse host specification - The line in question reads [135]: rdr pass on igb2 inet6 proto tcp from any to ::1010101 port 80 -> ::1 port 8081
-
@interessierter said in VLAN an Firewall rule not matching:
There were error(s) loading the rules: /tmp/rules.debug:135: could not parse host specification - The line in question reads [135]: rdr pass on igb2 inet6 proto tcp from any to ::1010101 port 80 -> ::1 port 8081
Oh and the plot thickens..
What specific rule is that?
-
@johnpoz said in VLAN an Firewall rule not matching:
@interessierter said in VLAN an Firewall rule not matching:
There were error(s) loading the rules: /tmp/rules.debug:135: could not parse host specification - The line in question reads [135]: rdr pass on igb2 inet6 proto tcp from any to ::1010101 port 80 -> ::1 port 8081
Oh and the plot thickens..
What specific rule is that?
I guess we're coming close. Today my Internet was working fine; after I removed and re-enabled pfBlocker, my Internet was not working anymore. It seems like I deleted the DNS port rule from my LAN last weekend, but it only took effect now. Crazy.
How to find out? I have no rule with 8081, and the normal port 80 rule looks normal.
-
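The question above is how to find which rule a `could not parse host specification` error points at. The following is an added example, not code from the thread or from pfSense: it scans a ruleset file in the style of `/tmp/rules.debug`, pulls out every host spec that follows `from`, `to` or `->`, validates it with Python's `ipaddress` module, and reports the offending line number and token the way pfctl does. The sample ruleset, the table name `<example_table>` and the line numbers are constructed for the demonstration; only the `rdr` line reproduces the rule quoted in the thread. It goes a little beyond the single case on the page by also accepting table references, interface addresses and hostnames, which pf resolves at load time.

```python
import ipaddress
import re

# Constructed sample in the style of /tmp/rules.debug. Only the rdr line
# reproduces the rule quoted in the thread; the other lines and the table
# name <example_table> are made up for this demonstration.
SAMPLE_RULES = """\
pass in quick on igb2 inet6 proto tcp from any to fe80::1 port 443
rdr pass on igb2 inet6 proto tcp from any to ::1010101 port 80 -> ::1 port 8081
pass in quick on igb1 inet proto udp from 10.10.10.0/24 to 10.10.10.1 port 53
pass in quick on igb1 inet proto tcp from any to <example_table> port 80
"""

# The token after "from", "to" or the rdr/nat "->" (optionally negated with
# "!") is a host spec in pf syntax.
HOST_RE = re.compile(r"(?:\bfrom|\bto|->)\s+(?:!\s*)?(\S+)")
KEYWORDS = {"any", "self", "no-route", "urpf-failed"}
# Plain DNS hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def check_host_spec(spec):
    """Return None if spec looks like a valid pf host spec, else the reason."""
    if spec in KEYWORDS:
        return None
    if spec.startswith("<") and spec.endswith(">"):
        return None  # table (alias) reference, populated at load time
    if spec.startswith("(") and spec.endswith(")"):
        return None  # interface address, e.g. (igb1)
    try:
        if "/" in spec:
            ipaddress.ip_network(spec, strict=False)
        else:
            ipaddress.ip_address(spec)
        return None
    except ValueError as exc:
        # Anything containing a colon must be a literal IPv6 address; other
        # tokens may be hostnames that pf resolves when the ruleset loads.
        if ":" not in spec and HOSTNAME_RE.match(spec):
            return None
        return str(exc)


def find_bad_host_specs(text):
    """Scan a ruleset; return [(line_no, spec, reason)] for unparsable specs."""
    problems = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for spec in HOST_RE.findall(line):
            reason = check_host_spec(spec)
            if reason is not None:
                problems.append((line_no, spec, reason))
    return problems


def report(path, text):
    """Format findings like pfctl's 'could not parse host specification'."""
    return [
        f"{path}:{n}: could not parse host specification '{spec}' ({reason})"
        for n, spec, reason in find_bad_host_specs(text)
    ]


if __name__ == "__main__":
    for msg in report("/tmp/rules.debug", SAMPLE_RULES):
        print(msg)
```

Run against the real file (`report("/tmp/rules.debug", open("/tmp/rules.debug").read())`) and the reported line and token are the ones to grep for in the generating package's configuration; in the thread's case `::1010101` fails because an IPv6 group can hold at most four hex digits.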
@interessierter do you have your webgui on port 8081? I think there is a redirect for 80 to whatever the port is set to.
I have mine disabled.. But this was the thing that came to mind that would redirect 80 like that.
-
@johnpoz said in VLAN an Firewall rule not matching:
@interessierter do you have your webgui on port 8081? I think there is a redirect for 80 to whatever the port is set to.
I have mine disabled.. But this was the thing that came to mind that would redirect 80 like that.
No, on 81, but maybe that is the reason for 8081? I wonder about the 41MB in this rule:
-
@interessierter hmmm.. No your anti-lockout is what would allow you to talk to the gui, that should always show traffic ;) if you're accessing the gui
I can not find any rule like that in my setup..
But I did find this
https://forum.netgate.com/topic/165000/error-loading-firewall-rules
-
@johnpoz said in VLAN an Firewall rule not matching:
@interessierter hmmm.. No your anti-lockout is what would allow you to talk to the gui, that should always show traffic ;) if you're accessing the gui
I can not find any rule like that in my setup..
But I did find this
https://forum.netgate.com/topic/165000/error-loading-firewall-rules
I have now disabled IPv6 in the DNSBL blocker, and the error message in the filter reload is gone, but: there are still no firewall aliases listed, not a single one :)
-
The firewall rules are now working and matching.
The alias is still not listed, but it's working as expected. Thanks for your help.