Netgate Discussion Forum
    FW rules needed for static route?

    2.0-RC Snapshot Feedback and Problems - RETIRED
    5 Posts 3 Posters 3.3k Views
    • jeppe67

      We used to have a pfSense 1.2.3 setup previously, and as we had issues with NAT-T on pfSense not working to an external server, we had a static route defined to a Fortigate router handling that specific tunnel to another private net with no problems. Now we upgraded to 2.0B4 and the static route gets blocked in the pfSense FW. What kind of rules are needed to make it work properly? In 1.2.3 we did not have any specific rule and it still worked. I didn't think that pfSense should firewall another route; shouldn't that be left to the Fortigate router to handle?
      Ping works for all computers on 192.168.66.0/24 to computers on 10.1.20.0/24. The log says that a packet with a source from a server on LAN (192.168.66.0/24) to a server on 10.1.20.0/24 was blocked. LAN net has the default pass-all rule; would I need to add 10.1.20.0/24 also in some way? If I remove pfSense as the default GW on the server on 192.168.66.0 and instead use the Fortigate as the default GW, everything works again.

      Configuration:
      LAN - 192.168.66.0/24
      pfSense 192.168.66.1 - static route with GW 192.168.66.5 for network 10.1.20.0/24
      fortigate 192.168.66.5 - IPSEC tunnel to 10.1.20.0/24 <-> 192.168.66.0/24
      One server on 192.168.66.0 and one on 10.1.20.0/24 talking to each other.

      Thanks,
      Jesper

      • heitor.lessa

        The answer is yes.

        When I used a load balancer on one pfSense box, for each route or IP address that I'd like to follow I made a rule on the LAN interface.

        In some tests I tried just making a static route, but as there were many IP addresses, I made an alias with the IP addresses and made rules ;).

        If you think that the firewall is blocking your packets, disable it from the command line (pfctl -d to disable, pfctl -e to enable; do it as root), but normally the packets are going in the wrong direction and get dropped, not blocked as the system log shows (this is explained in the pfSense book).

        • cmb

          You'll need to check "Bypass firewall rules for traffic on the same interface" under System>Advanced, Firewall/NAT, though that's no different than 1.2.3.

          • heitor.lessa

            cmb is correct, I forgot this option. In the past I used it for the same purpose: packets were dropping and TS was very slow or disconnected every five minutes.

            • jeppe67

              I did find the "Bypass firewall rules for traffic on the same interface" option and everything is just fine if I enable it, but I can't remember doing that in 1.2.3.

              Thanks!
              Jesper

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
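Why the symptom in this thread occurs (ping works, TCP from the LAN server to 10.1.20.0/24 is blocked until the same-interface bypass is enabled): the Fortigate delivers replies straight to the LAN host on the shared segment, so pfSense, as default gateway, sees only one direction of the TCP handshake. The model below is an added illustration with constructed addresses, not code from the thread or from pfSense; it reduces pf's state tracking to the few transitions needed to show the mismatch.

```python
from dataclasses import dataclass

CLIENT = "192.168.66.10"  # LAN host using pfSense as default gateway (constructed)
SERVER = "10.1.20.10"     # host reached through the Fortigate's IPsec tunnel (constructed)

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    flags: str = ""  # TCP flags as the firewall sees them: "S", "SA" or "A"

class StatefulFirewall:
    """Toy model of pf's TCP state tracking; 'bypass' stands in for the pfSense
    option 'Bypass firewall rules for traffic on the same interface'."""

    def __init__(self, bypass_same_interface=False):
        self.bypass = bypass_same_interface
        self.states = {}   # (src, dst) -> handshake stage the firewall has seen
        self.blocked = []  # what would show up as block entries in the system log

    def filter(self, pkt: Pkt) -> bool:
        if self.bypass:
            return True  # passed without state, so an unseen reply cannot cause a mismatch
        if pkt.proto == "icmp":
            self.states[(pkt.src, pkt.dst)] = "ICMP"
            return True  # echo request opens a state; a reply that never arrives breaks nothing
        key, rkey = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            self.states[key] = "SYN_SENT"  # SYN opens a new TCP state
            return True
        if pkt.flags == "SA" and self.states.get(rkey) == "SYN_SENT":
            self.states[rkey] = "ESTABLISHED"
            return True
        if pkt.flags == "A" and self.states.get(key) == "ESTABLISHED":
            return True
        self.blocked.append(f"block {pkt.proto} {pkt.src} -> {pkt.dst} flags {pkt.flags}")
        return False

def session(bypass: bool, reply_seen_by_firewall: bool) -> dict:
    """Client sends via pfSense; the reply path is symmetric (SYN/ACK crosses pfSense)
    or, as in the thread, the Fortigate hands the SYN/ACK straight to the client."""
    fw = StatefulFirewall(bypass)
    ping = fw.filter(Pkt(CLIENT, SERVER, "icmp"))
    syn = fw.filter(Pkt(CLIENT, SERVER, "tcp", "S"))
    if reply_seen_by_firewall:
        fw.filter(Pkt(SERVER, CLIENT, "tcp", "SA"))
    ack = fw.filter(Pkt(CLIENT, SERVER, "tcp", "A"))  # third handshake step reaches pfSense again
    return {"ping": ping, "syn": syn, "ack": ack, "blocked": fw.blocked}
```

The trade-off of the bypass is that such traffic is passed without stateful inspection, so the static routes that trigger it are best kept as narrow as the real destinations require.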