Netgate Discussion Forum

    [solved] How to work around issues stemming from the new interface bound state policy?

    Plus 24.03 Development Snapshots (Retired)
    3 Posts 2 Posters 618 Views
    pst

      My LAN setup does not play well with the new interface bound state policy and I would like to know how to work around this for a specific scenario.

      Note: I tried reverting back to floating rules and everything is working fine, as it did back with 23.09.1.

      My problem scenario:

      My TV streaming stick is on VLAN60 and needs to access a NAS which is not on VLAN60. The NAS is accessible through LAN, VLAN10 and VLAN20 and I have the stick currently configured to access it through the LAN subnet.

      Packet tracing shows the TCP SYN sent correctly from the stick to the NAS but the TCP ACK is sent back on VLAN20 and ends up rejected. The reason why the NAS is sending it back on VLAN20 is probably (I'm guessing here) because the default gateway is configured to be the VLAN20 gateway.

      I have tried to fix the issue by changing the state policy rule to floating on the LAN rule allowing the VLAN60 traffic to pass, and on the VLAN20 rule allowing LAN traffic to pass to VLAN60 through VLAN20. But the TCP ACK is still rejected by the firewall on VLAN20.

      Any suggestions on how to solve this particular scenario?

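The failure described in the post above is asymmetric routing meeting interface-bound state tracking: the SYN creates a state on the path VLAN60 -> LAN, but the SYN-ACK shows up on VLAN20, where no state exists, and a bare SYN-ACK does not match a rule that only creates state on SYN. The following Python model is an added example for this page, not pf or pfSense code; the addresses, interface names, port numbers and the simplified state model (a state remembers the ingress and egress interfaces of the opening SYN) are assumptions made for illustration.

```python
"""Simplified model of stateful filtering under 'floating' vs 'if-bound' state policy.

Illustrative model written for this page; it is not pf/pfSense code and it
approximates pf's state handling. All addresses and names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the firewall receives the packet on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for the connection-opening SYN, False otherwise


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so a reply looks up the same entry."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (min(a, b), max(a, b), "tcp")


class StateTable:
    """Stateful filter with either a 'floating' or an 'if-bound' state policy.

    Assumption (simplification of pf): the SYN that opens a connection records
    the ingress interface and the routed egress interface. A later packet
    passes only if its flow key matches and, under 'if-bound', it arrives on
    one of those recorded interfaces. Non-SYN packets without state are dropped.
    """

    def __init__(self, policy: str, routes: dict):
        if policy not in ("floating", "if-bound"):
            raise ValueError("policy must be 'floating' or 'if-bound'")
        self.policy = policy
        self.routes = routes   # constructed: destination prefix -> egress interface
        self.states = {}       # flow_key -> set of interfaces the state is bound to

    def egress_for(self, dst: str) -> str:
        for prefix, iface in self.routes.items():
            if dst.startswith(prefix):
                return iface
        raise KeyError("no route for %s" % dst)

    def process(self, p: Packet) -> str:
        key = flow_key(p)
        if p.syn:
            # Pass rule matches the SYN and creates state for the forward path.
            self.states[key] = {p.iface, self.egress_for(p.dst)}
            return "pass (state created)"
        bound = self.states.get(key)
        if bound is None:
            # A SYN-ACK or ACK with no existing state: stateful default deny.
            return "drop (no state)"
        if self.policy == "if-bound" and p.iface not in bound:
            return "drop (state bound to %s, packet on %s)" % (sorted(bound), p.iface)
        return "pass (state match)"


def run_scenario(policy: str, reply_iface: str) -> list:
    """Stick on VLAN60 opens TCP to the NAS's LAN address; NAS replies on reply_iface."""
    routes = {"192.168.1.": "LAN", "192.168.20.": "VLAN20", "192.168.60.": "VLAN60"}
    fw = StateTable(policy, routes)
    stick, nas = "192.168.60.10", "192.168.1.20"           # constructed addresses
    syn = Packet("VLAN60", stick, 50000, nas, 445, syn=True)
    syn_ack = Packet(reply_iface, nas, 445, stick, 50000, syn=False)
    return [fw.process(syn), fw.process(syn_ack)]


if __name__ == "__main__":
    # The thread's symptom: reply leaves the NAS via its VLAN20 default gateway.
    print("if-bound, reply on VLAN20:", run_scenario("if-bound", "VLAN20"))
    # Reverting to floating states hides the asymmetry.
    print("floating, reply on VLAN20:", run_scenario("floating", "VLAN20"))
    # The actual fix: make the NAS answer on the interface it was reached on.
    print("if-bound, reply on LAN:   ", run_scenario("if-bound", "LAN"))
```

The model shows why adding a floating rule on VLAN20 does not help on its own: the SYN-ACK never matches any state-creating rule, so it is judged against the existing state, and under if-bound that state belongs to VLAN60 and LAN. Either the states float or the reply has to come back on the interface the connection was opened through.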
      pst @pst

        @pst It turned out the issue was on the NAS. I found a setting to enable multiple gateways, so now the TCP SYN ACK is sent back on the correct interface, keeping pfSense happy.

        SteveITS @pst

          @pst so the NAS has multiple interfaces?

          Normally the response from VLAN20 would be the VLAN20 gateway, which is pfSense, and pfSense would route the reply to the correct network.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.