FW rules needed for static route?



  • We used to have a pfSense 1.2.3 setup previously and, as we had issues with NAT-T on pfSense not working to an external server, we had a static route defined to a Fortigate router handling that specific tunnel to another private net with no problems. Now we upgraded to 2.0B4 and the static route gets blocked in the pfSense FW. What kind of rules are needed to make it work properly? In 1.2.3 we did not have any specific rule and it still worked. I didn't think that pfSense should firewall another route; shouldn't that be left to the Fortigate router to handle?
    Ping works for all computers on 192.168.66.0/24 to computers on 10.1.20.0/24. The log says that a packet with a source from a server on LAN (192.168.66.0/24) to a server on 10.1.20.0/24 was blocked. LAN net has the default pass-all rule; would I need to add 10.1.20.0/24 also in some way? If I remove pfSense as the default GW on the server on 192.168.66.0 and instead use the Fortigate as the default GW, everything works again.

    Configuration:
    LAN - 192.168.66.0/24
    pfSense 192.168.66.1 - static route with GW 192.168.66.5 for network 10.1.20.0/24
    Fortigate 192.168.66.5 - IPsec tunnel 10.1.20.0/24 <-> 192.168.66.0/24
    One server on 192.168.66.0/24 and one on 10.1.20.0/24 talking to each other.

    Thanks,
    Jesper



  • The answer is Yes.

    When I used the load balancer on one pfSense box, for each route or IP address that I wanted to follow I made a rule on the LAN interface.

    In some tests I tried just making a static route, but as there were many IP addresses, I made an alias with the IP addresses and made rules ;).

    If you think the firewall is blocking your packets, disable it from the command line (pfctl -d to disable, pfctl -e to enable; do it as root), but normally the packets are going in the wrong direction and fall through rather than being blocked, as the system log shows (this is explained in the pfSense book).



  • You'll need to check "Bypass firewall rules for traffic on the same interface" under System>Advanced, Firewall/NAT, though that's no different than 1.2.3.
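What that checkbox does in pf terms, as an added illustration (this is a hand-written pf.conf fragment for the topology in the question, not the rules pfSense itself generates; the interface name em1 and the table name are assumptions):

```pf
# Added example, not pfSense-generated config. Topology from the post:
# LAN 192.168.66.0/24, pfSense 192.168.66.1, Fortigate 192.168.66.5,
# remote network 10.1.20.0/24 reached via a static route to the Fortigate.
# "em1" and the table name are assumed for the illustration.

lan_if   = "em1"
lan_net  = "192.168.66.0/24"
table <remote_via_fortigate> const { 10.1.20.0/24 }

# Why the default LAN rule breaks with a same-interface static route:
# a LAN host using pfSense as default gateway sends its SYN to pfSense,
# which routes it back out $lan_if to the Fortigate. The Fortigate sits on
# the same LAN, so the reply goes straight to the host and pf never sees
# the SYN/ACK. The state stays half-open and the host's later packets are
# logged as blocked, while ICMP echo (ping) is not tracked strictly and
# keeps working, which matches the symptoms in the post.

# Default LAN rule as in the post: strict TCP state tracking.
pass in on $lan_if from $lan_net to any keep state

# Equivalent of "Bypass firewall rules for traffic on the same interface":
# match traffic to/from the statically routed network on the LAN interface
# before the default rule and track it sloppily, so one-sided flows are not
# dropped as out-of-state. "quick" makes these rules win over the default
# rule above regardless of ordering.
pass quick on $lan_if proto tcp from $lan_net to <remote_via_fortigate> flags any keep state (sloppy)
pass quick on $lan_if from $lan_net to <remote_via_fortigate> keep state (sloppy)
pass quick on $lan_if proto tcp from <remote_via_fortigate> to $lan_net flags any keep state (sloppy)
pass quick on $lan_if from <remote_via_fortigate> to $lan_net keep state (sloppy)
```

The trade-off is visible in the rules: sloppy state tracking gives up TCP sequence and flag validation for exactly the flows that pfSense only half sees. Keeping the bypass limited to the routed network (the table) rather than the whole LAN keeps strict tracking everywhere else. Moving the LAN hosts' default gateway to the Fortigate, as the question notes, also works, because then pfSense never sees the asymmetric flow at all.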



  • cmb is correct, I forgot this option. In the past I used it for the same purpose; packets were dropping and TS was very slow or disconnected every five minutes.



  • I did find the "Bypass firewall rules for traffic on the same interface" option and everything is just fine if I enable it, but I can't remember doing that in 1.2.3.

    Thanks!
    Jesper

