Static routes - incorrect states problem
-
Hi,
I have a pfSense box (LAN IP: 192.168.210.254) and a router in the LAN with IP 192.168.210.3, which is the router for net 192.168.250.0. I added a static route on pfSense and tried to ping IP 192.168.250.2. Ping works fine. But when I tried to telnet to the same box, the session was established and works, but after 30 seconds the session drops (but ping still works!). According to pfSense the connection is not established:
Diagnostics: Show States

    Proto  Source                ->  Router  ->  Destination           State
    tcp    192.168.250.2:23      <-              192.168.210.49:63237  CLOSED:SYN_SENT
    tcp    192.168.210.49:63237  ->              192.168.250.2:23      SYN_SENT:CLOSED

But according to Windows everything is fine (and really it is, because I can work for approx. 30 sec :-)
    C:\>netstat -n

    Active Connections

    Proto  Local Address          Foreign Address     State
    TCP    192.168.210.49:63237   192.168.250.2:23    ESTABLISHED

For some strange reason pfSense blocks(?) the traffic:

Diagnostics: System logs: Firewall

    Act    Time             If   Source                Destination       Proto
    block  Jul 24 18:50:37  LAN  192.168.210.49:63237  192.168.250.2:23  TCP:

But I have a rule (the only rule for LAN) to pass everything on LAN:
    <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source><any/></source>
        <destination><any/></destination>
        <descr>Pass anything</descr>
    </rule>
I tried to enable "Bypass firewall rules for traffic on the same interface", but it didn't help (everything is the same: the session drops after 30 sec, sockets are in SYN_SENT state according to pfSense, the firewall blocks the traffic).
Any ideas what the problem can be?
-
You need to enable the "bypass firewall rules" option you mentioned. It's possible that was broken with some of the interface changes or related changes that went in, post your /tmp/rules.debug after you enable that.
-
Thank you for the idea to look at rules.debug. I forgot that 2.0 is still alpha :-)
Well... actually there are two bugs I found.
The first one is in file /etc/inc/filter.inc:

    /* pass traffic between statically routed subnets and the subnet on the
     * interface in question to avoid problems with complicated routing
     * topologies
     */
    if (isset($config['system']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {

should be (the config key is 'filter', not 'system'):

    if (isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {

The second problem is with the function guess_interface_from_ip (located in /etc/interfaces.inc). The function returns the interface name PLUS a trailing newline.
The original:

    function guess_interface_from_ip($ipaddress) {
        // backtick operator: run the pipeline and capture its stdout;
        // awk's print appends a newline, so $ret ends with "\n"
        $ret = `/usr/bin/netstat -rn | /usr/bin/awk '/^{$ipaddress}/ {print \$6}'`;
        return $ret;
    }

and my quick fix:

    function guess_interface_from_ip($ipaddress) {
        // printf "%s" emits the field without a trailing newline
        $ret = `/usr/bin/netstat -rn | /usr/bin/awk '/^{$ipaddress}/ {printf "%s", \$6}'`;
        return $ret;
    }

Now everything works fine.
I hope the changes will be applied to the next revision.
regards,
Merlin
PS: I forgot to mention that I'm using pfSense 2.0 Alpha/FreeBSD 7.2
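An added example, not pfSense code and not from the thread: the same lookup guess_interface_from_ip does, but parsed in PHP with the interface name trimmed and validated before it is spliced into a generated pf rule, so a stray newline (or any other unexpected output) is rejected instead of breaking the ruleset. The netstat -rn table is constructed, and the function names and the pass-rule template are assumptions that only approximate what filter.inc emits.

```php
<?php
// Added example (hypothetical helpers, not pfSense's own code).

// Constructed `netstat -rn` output in the FreeBSD 7.x column layout.
function sample_routing_table() {
    return <<<'EOT'
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.210.1      UGS         0   123456    em0
127.0.0.1          127.0.0.1          UH          0      100    lo0
192.168.210.0/24   link#1             UC          0        0    em0
192.168.210.3      00:11:22:33:44:55  UHLW        1       50    em0   1187
192.168.250.0/24   192.168.210.3      UGS         0       42    em0
EOT;
}

// Find the Netif column of the route whose Destination equals $ipaddress.
// Returns a clean interface name, or false if none is found or it looks wrong.
function guess_interface_from_ip_safe($ipaddress, $routing_table) {
    foreach (preg_split('/\R/', $routing_table) as $line) {
        $cols = preg_split('/\s+/', trim($line));
        // Column 0 is Destination, column 5 is Netif (see the header line).
        if (count($cols) >= 6 && $cols[0] === $ipaddress) {
            $netif = trim($cols[5]);
            // Accept only a plausible FreeBSD interface name (em0, vlan10, ...);
            // anything else must not reach the generated ruleset.
            return preg_match('/^[a-z]+[0-9]+$/', $netif) ? $netif : false;
        }
    }
    return false;
}

// Assumed shape of the "bypass static routes" pass rule; a newline inside
// $netif would split this into two lines in the generated ruleset.
function static_route_pass_rule($netif, $src_subnet, $route_network) {
    if ($netif === false) {
        return "# no usable interface found, rule skipped\n";
    }
    return "pass quick on {$netif} from {$src_subnet} to {$route_network} keep state\n";
}

$table = sample_routing_table();
$buggy = "em0\n";   // what the original backtick/awk version hands back
$fixed = guess_interface_from_ip_safe('192.168.210.3', $table);
// json_encode makes the embedded "\n" visible in the buggy variant.
echo "buggy: " . json_encode(static_route_pass_rule($buggy, '192.168.210.0/24', '192.168.250.0/24')) . "\n";
echo "fixed: " . json_encode(static_route_pass_rule($fixed, '192.168.210.0/24', '192.168.250.0/24')) . "\n";
```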
-
Merged in the source.
Thank you.