Static routes - incorrect states problem



  • Hi,
I have a pfSense box (LAN IP: 192.168.210.254) and a router in LAN with IP 192.168.210.3 which is the router for net 192.168.250.0. I added a static route on pfSense and tried to ping IP 192.168.250.2. Ping works fine. But when I tried to telnet to the same box, the session was established and works, but after 30 seconds the session drops (but ping still works!).

According to pfSense the connection is not established:

    Diagnostics: Show States 
    Proto  Source -> Router -> Destination  State 
    tcp 192.168.250.2:23 <- 192.168.210.49:63237 CLOSED:SYN_SENT
    tcp 192.168.210.49:63237 -> 192.168.250.2:23 SYN_SENT:CLOSED

But according to Windows everything is fine (and really it is, because I can work for approx. 30 sec :-)
    C:>netstat -n
    Active Connections
      Proto  Local Address          Foreign Address        State
      TCP    192.168.210.49:63237  192.168.250.2:23      ESTABLISHED

For some strange reason pfSense blocks(?) the traffic:

    Diagnostics: System logs: Firewall
    Act  Time  If  Source  Destination  Proto
    block Jul 24 18:50:37 LAN 192.168.210.49:63237 192.168.250.2:23 TCP:

But I have a rule (the only rule for LAN) to pass everything on LAN:

    <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source>
            <any/>
        </source>
        <destination>
            <any/>
        </destination>
        <descr>Pass anything</descr>
    </rule>

    I tried to enable "Bypass firewall rules for traffic on the same interface" but it didn't help (everything is the same: session drop after 30 sec, sockets in SYN_SENT state according to pfSense, the firewall blocks traffic).

    Any ideas what can be the problem?



  • You need to enable the "bypass firewall rules" option you mentioned. It's possible that was broken with some of the interface changes or related changes that went in, post your /tmp/rules.debug after you enable that.



  • Thank you for the idea to look at rules.debug. I forgot that 2.0 is still alpha :-)

    Well... actually there are two bugs I found.
    First one in file /etc/inc/filter.inc:

    /* pass traffic between statically routed subnets and the subnet on the
     * interface in question to avoid problems with complicated routing
     * topologies
     */
    // Bug: the option is stored under $config['filter'], not $config['system'],
    // so this isset() is never true and the bypass rules are never generated.
    if (isset($config['system']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {

    should be:
    if (isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {

    The second problem is with  function guess_interface_from_ip (located in /etc/interfaces.inc). The function returns interface name PLUS trailing new-line.

    The original:
    function guess_interface_from_ip($ipaddress) {
            // Shell backtick operator: awk's print appends "\n", so $ret is e.g. "em1\n"
            $ret = `/usr/bin/netstat -rn | /usr/bin/awk '/^{$ipaddress}/ {print \$6}'`;
            return $ret;
    }

    and my quick fix:
    function guess_interface_from_ip($ipaddress) {
            // printf "%s" emits the field without a trailing newline, so $ret is "em1"
            $ret = `/usr/bin/netstat -rn | /usr/bin/awk '/^{$ipaddress}/ {printf "%s", \$6}'`;
            return $ret;
    }

    Now everything works fine.
    I hope the changes will be applied to next revision.

    regards,
    Merlin

    PS: I forgot to mention that I'm using PFSense 2.0 Alpha/FreeBSD 7.2
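As an added illustration (Python, not pfSense's own PHP code), this reproduces both bugs Merlin describes: awk's `print` leaking a trailing newline into the interface name, and the bypass option being looked up under the wrong config key. The `netstat -rn` sample, the config dict shape and the exact rule wording are constructed assumptions.

```python
# Constructed sample of `netstat -rn` on FreeBSD 7.x (not from the poster's box).
# Column 6 is Netif, the field the awk one-liner in the thread prints.
NETSTAT_RN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.1           UGS         0      123    em0
127.0.0.1          link#3             UH          0        0    lo0
192.168.210.0/24   link#1             UC          0        0    em1
192.168.210.3      00:11:22:33:44:55  UHLW        1       42    em1   1150
192.168.250.0/24   192.168.210.3      UGS         0       17    em1
"""

def guess_interface_from_ip(ipaddress, netstat=NETSTAT_RN):
    """Like `awk '/^IP/ {print $6}'`: returns the Netif column WITH the
    trailing newline that awk's print appends (the bug in the thread)."""
    for line in netstat.splitlines():
        if line.startswith(ipaddress):
            return line.split()[5] + "\n"  # awk's print appends "\n"
    return ""

def guess_interface_from_ip_fixed(ipaddress, netstat=NETSTAT_RN):
    """Equivalent of the poster's printf "%s" fix: no trailing newline."""
    return guess_interface_from_ip(ipaddress, netstat).rstrip("\n")

def static_route_bypass_rules(config, lookup=guess_interface_from_ip_fixed):
    """Stateless pf bypass rules, one pair per static route. The option is
    read from config['filter'] (the corrected key), not config['system'].
    Rule text is modeled on rules.debug, not copied from filter.inc."""
    routes = config.get("staticroutes", {}).get("route", [])
    if "bypassstaticroutes" not in config.get("filter", {}) or not routes:
        return []
    rules = []
    for route in routes:
        ifname = lookup(route["gateway"])  # gateway assumed to be an IP
        if not ifname:
            continue
        # 'no state' both ways: the LAN router answers the client directly,
        # so pf never sees the SYN/ACK and a stateful entry would sit in
        # SYN_SENT until it expires (the 30-second drop in the thread).
        rules.append(f"pass quick on {ifname} from {ifname}:network "
                     f"to {route['network']} no state")
        rules.append(f"pass quick on {ifname} from {route['network']} "
                     f"to {ifname}:network no state")
    return rules

def rules_are_well_formed(rules):
    """A stray newline inside a rule splits it into garbage for pfctl."""
    return all("\n" not in r for r in rules)
```

Passing the unfixed lookup as `lookup=` shows how the newline lands in the middle of a generated rule line.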



  • Merged in the source.
    Thank you.

