Netgate Discussion Forum
    Changing firewall rules, nat, or aliases does absolutely nothing

    General pfSense Questions
    7 Posts 3 Posters 483 Views
    codym (last edited by codym):

      I run an HA pfSense setup with 2 routers. I went in and did a security audit on them and applied a ton of new rules. I have 7 networks and 5 vpn tunnels. I noticed that even though I had intentionally left some important rules out to verify that things were being blocked, the traffic to them still passed.

      This was interesting, so I eventually went to nat and changed the entire public vip that the network uses to get out to the internet but no change, websites still showing the original vip. I then added block any any rules to the top of my main network but I am still able to connect, get DHCP, and talk to intervlan services.

      I don't know what to do. All of my remote services still work, but no firewall rules work and no changes related to any networks take effect either. It doesn't make sense.

      I have cleared all firewall states, verified over and over again, and rebooted the primary node. Everything, and no change.

      SteveITS (Galactic Empire) @codym:

        @codym see if there’s a reload error:
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

        Post a screenshot? Either they are not matching, not loading, or there are open states.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        codym @SteveITS:

          @SteveITS One of my main network rule pages. This is an offending network with a block any/any rule at the top.

          This is the NAT rule for that network that says it should be using .58, but currently that network, on top of being able to connect new devices, still uses the other .60 VIP that it was set to before.

          I will check that link you sent and see if it is a bug.

          Here is my current version.

          codym @codym (last edited by codym):

            There is a reload error, apparently.

            I will figure out what this means.

            Thank you for your help and pointing me to that doc!

            SteveITS (Galactic Empire) @codym:

              @codym don’t lock yourself out with the block rule when it works. :)


              codym @SteveITS:

                @SteveITS Haha will do! Thanks again for the pointers!

                It turned out that my traffic limiters/prioritizers for incoming web server and P2P VPN connections both had the "default queue" option enabled, and they are both children of the same interface, so pfSense didn't like that a whole ton haha.

                stephenw10 (Netgate Administrator):
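The cause codym found, two shaper queues on the same interface both flagged as the default queue, is something pf refuses at load time, which is why the whole ruleset reload failed and none of the rule, NAT, or alias changes took effect. As an added example (not code from the thread, from pfSense, or from Netgate), this POSIX shell check scans a pfSense-style rules.debug for that exact condition before the rules are applied; the sample rules file and interface names are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: flag interfaces whose
# pf shaper queues carry more than one "default" flag, the condition that broke
# the ruleset reload in this thread. Reads a pfSense-style rules.debug file.
# The sample file below is constructed; on a real box point RULES_FILE at
# /tmp/rules.debug and confirm the finding with: pfctl -nf /tmp/rules.debug

RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/rules.debug.sample}"

# Constructed sample: qDefault and qWeb on em0 are both flagged default.
cat > "$RULES_FILE" <<'EOF'
altq on em0 hfsc bandwidth 1Gb queue { qACK, qDefault, qWeb, qP2P }
queue qACK on em0 bandwidth 10% hfsc ( realtime 5% )
queue qDefault on em0 bandwidth 20% hfsc ( default )
queue qWeb on em0 bandwidth 40% hfsc ( default )
queue qP2P on em0 bandwidth 30% hfsc ( upperlimit 30% )
altq on em1 hfsc bandwidth 1Gb queue { qDefault, qVPN }
queue qDefault on em1 bandwidth 50% hfsc ( default )
queue qVPN on em1 bandwidth 50% hfsc ( realtime 10% )
EOF

# Print "<iface> <count>" for each interface with more than one default queue.
# Returns 1 if any such interface exists (pf allows exactly one per interface),
# 0 when the queue definitions are consistent.
find_dup_default_queues() {
    awk '
        # queue lines look like: queue <name> on <iface> bandwidth ... sched ( opts )
        # "default" is matched as an option token, so a queue named qDefault is ignored
        /^queue / && /[( ]default[ )]/ {
            for (i = 1; i <= NF; i++) if ($i == "on") { n[$(i + 1)]++; break }
        }
        END {
            bad = 0
            for (ifc in n) if (n[ifc] > 1) { print ifc, n[ifc]; bad = 1 }
            exit bad
        }' "$1"
}

# Usage: report the result the way a pre-apply check would.
if find_dup_default_queues "$RULES_FILE" > /dev/null; then
    echo "OK: one default queue per interface"
else
    echo "ERROR: more than one default queue on:"
    find_dup_default_queues "$RULES_FILE"
fi
```

On the constructed sample the check reports `em0 2`; once only one queue per interface keeps the default flag, it exits 0 and the rules.debug dry run with pfctl is the next thing to confirm.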

                  Hmm, I wonder how that happened. Curious. Glad you were able to track that down.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.