FW rules needed for static route?

  • We used to have a pfSense 1.2.3 setup previously and, as we had issues with NAT-T on pfSense not working to an external server, we had a static route defined to a Fortigate router handling that specific tunnel to another private net with no problems. Now we upgraded to 2.0B4 and the static route gets blocked in the pfSense FW; what kind of rules are needed to make it work properly? In 1.2.3 we did not have any specific rule and it still worked. I didn't think that pfSense should firewall another route; shouldn't that be left to the Fortigate router to handle?
    Ping works for all computers on to computers on The log says that a packet with a source from a server from LAN ( to a server on was blocked. LAN net has the default pass all rule; would I need to add also in some way? If I remove pfSense as the default GW on the server on and instead use the Fortigate as the default GW, everything works again.

    LAN -
    pfSense - static route with GW for network
    fortigate - IPSEC tunnel to <->
    One server on and one on talking to each other.


  • The answer is Yes.

    When I used the load balancer on one pfSense box, for each route or IP address that I wanted to follow I made a rule on the LAN interface.

    In some tests I tried just making a static route, but as there were many IP addresses, I made an alias with the IP addresses and made rules ;).

    If you think that the firewall is blocking your packets, disable it from the command line (pfctl -d to disable, pfctl -e to enable, do it as root), but normally the packets are going in the wrong direction and fall, and are not blocked as the system log shows (this is explained in the pfSense book).

  • You'll need to check "Bypass firewall rules for traffic on the same interface" under System>Advanced, Firewall/NAT, though that's no different than 1.2.3.

  • cmb is correct, I forgot this option.. in the past I used it for the same purpose; packets were dropping and TS was very slow or disconnected every five minutes.

  • I did find the "Bypass firewall rules for traffic on the same interface" option and everything is just fine if I enable it, but I can't remember doing that in 1.2.3.
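The thread above boils down to asymmetric routing through a stateful firewall: the LAN server sends its outbound packets to pfSense (its default gateway), pfSense forwards them back out the same LAN interface to the Fortigate, and the replies come back from the Fortigate straight to the server without ever crossing pfSense. The following is an added toy model (not pfSense code; pf's real state engine also tracks sequence numbers and windows, which this model omits) with constructed addresses: a LAN of 10.0.1.0/24, pfSense at 10.0.1.1, a Fortigate-style tunnel router at 10.0.1.2, and a remote network 10.0.2.0/24 reached via a static route to that router. It shows which packets a one-sided state table blocks, and how passing same-interface traffic without state (the "Bypass firewall rules for traffic on the same interface" option) avoids that.

```python
"""Toy model of a stateful firewall in front of a router on the same segment.

Added illustration, not pfSense code.  Simplification: a flow is "established"
only once the firewall has seen a reply, and non-SYN packets that match no
established state are blocked and logged.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S", "SA", "A", "PA"


@dataclass
class Firewall:
    interfaces: dict                  # interface name -> directly connected network
    routes: dict                      # destination network -> gateway address
    bypass_same_iface: bool = False   # the "bypass same interface" option
    states: dict = field(default_factory=dict)   # (src, dst) -> "half" | "established"
    log: list = field(default_factory=list)

    def iface_for(self, addr):
        ip = ipaddress.ip_address(addr)
        for name, net in self.interfaces.items():
            if ip in net:
                return name
        return None

    def egress_iface(self, dst):
        ip = ipaddress.ip_address(dst)
        for net, gw in self.routes.items():
            if ip in net:
                return self.iface_for(gw)   # static route: leave via the gateway's interface
        return self.iface_for(dst)

    def process(self, pkt):
        in_if = self.iface_for(pkt.src)
        out_if = self.egress_iface(pkt.dst)
        # Traffic entering and leaving on the same interface is passed without
        # creating or checking state, so seeing only one direction is harmless.
        if self.bypass_same_iface and in_if is not None and in_if == out_if:
            return "pass"
        key, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.states[key] = "half"          # default LAN pass rule creates state
            return "pass"
        if rev in self.states:                 # reply seen: flow is now established
            self.states[rev] = self.states[key] = "established"
            return "pass"
        if self.states.get(key) == "established":
            return "pass"
        self.log.append(f"block in on {in_if}: {pkt.src} -> {pkt.dst} flags {pkt.flags}")
        return "block"


def asymmetric_handshake(bypass):
    """Replay the one-sided flow from the thread; returns (decisions, log)."""
    lan = ipaddress.ip_network("10.0.1.0/24")          # constructed
    remote = ipaddress.ip_network("10.0.2.0/24")       # constructed, behind the tunnel
    fw = Firewall(interfaces={"LAN": lan, "WAN": ipaddress.ip_network("198.51.100.0/24")},
                  routes={remote: "10.0.1.2"},          # static route via tunnel router
                  bypass_same_iface=bypass)
    server, remote_host = "10.0.1.10", "10.0.2.20"
    # SYN goes to the server's default gateway (the firewall) and is forwarded
    # back out LAN to the tunnel router.
    decisions = [fw.process(Packet(server, remote_host, "S"))]
    # The SYN/ACK returns through the tunnel router directly to the server on
    # the shared segment, so the firewall never sees it and no state completes.
    # The server's ACK and data again go via its default gateway.
    decisions.append(fw.process(Packet(server, remote_host, "A")))
    decisions.append(fw.process(Packet(server, remote_host, "PA")))
    return decisions, fw.log


if __name__ == "__main__":
    for bypass in (False, True):
        decisions, log = asymmetric_handshake(bypass)
        print(f"bypass={bypass}: {decisions}")
        for line in log:
            print("  ", line)
```

Without the bypass the model passes the SYN and then blocks the server's ACK and data, which matches the symptom reported above (LAN-sourced packets to the remote server logged as blocked despite the default pass rule); with the bypass every packet on the LAN-to-LAN path is passed statelessly. Moving the server's default gateway to the Fortigate, as the poster tried, fixes it for the same reason: the firewall then sees neither direction.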

