Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't access secondary firewall GUI on some interfaces

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    1
    1
    55
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • the_worm91T
      the_worm91
      last edited by

      Hi everyone,
      I have a cluster of 2 pfsense (fw-A is the master and fw-B the secondary) and I have in total 12 interfaces: 4 WAN interfaces and 8 local interfaces.
      LAN interface 192.168.0.x/24 (lan subnet for all the office)
      MNG interface 192.168.32.x/24 (management subnet for the hypervisor esxi and switches)
      DMZ interface 192.168.33.x/24
      VGL interface 192.168.34.x/24 (another subnet for other local servers)
      BBL interface 192.168.35.x/24 (lan subnet for a special office)
      MMD interface 192.168.36.x/24 (lan subnet for a conference room)
      VOIP interface 192.168.2.x/24 (voip sub to manage ip phones)
      On each local interface is setup the primary and the secondary fw with the ip192.168.x.101 for the master fw-A and 192.168.x.102 for secondary fw-B.
      From my pc i can reach any interface and (of course) i can access to the master fw GUI of any local interface and the secondary fw-B only on LAN and MNG interfaces.
      When i try to access to the secondary fw-B on DMZ, VGL, BBL, MMD and VOIP interfaces the connection has timed out.
      If i look in the tab system logs/status/firewall i don't have blocking rules but i only see rules that allow me to reach the secondary fw on the aforementioned interfaces.

      I also noticed a strange behavior of the rules:
      Pass-> Aug 20 08:43:06 LAN "admin on MNG from LAN (1682498233)" 192.168.0.91:52348 192.168.32.102:445 TCP:S
      after one minute:
      Deny-> Aug 20 08:44:07 LAN "LAN other deny (1454778479)" 192.168.0.91:52348 192.168.32.102:445 TCP:PA
      and...
      Pass-> Aug 20 09:49:48 LAN "admin on MNG from LAN (1682498233)" 192.168.0.91:53166 192.168.32.102:445 TCP:S
      Deny-> Aug 20 09:49:47 LAN "LAN other deny (1454778479)" 192.168.0.91:53160 192.168.32.102:445 TCP:A
      ...but i still reach the fw-B on the ip 192.168.32.102, I can't stand why the rules are processed in this crazy way when the rule "admin on MNG from LAN" is over the second one (and should processed before).
      Except this everything works fine in the network, i'm going crazy to troubleshoot the source of the problem, any suggestion?

      thanks

      1 Reply Last reply Reply Quote 0
      • First post
        Last post