Netgate Discussion Forum

    SOLVED! All NAT Traffic is blocked after upgrade + restore

    2.0-RC Snapshot Feedback and Problems - RETIRED
      dklev

      I backed up my config, created a new installation using ISO 31.Dec.2010 and restored my config. Everything looks and works fine, but all my NAT traffic is blocked by the firewall (shown in the firewall log as "BLOCK TCP:s").

      I can diagnostic/ping to wan successfully and ICMP packets are NATed/replied fine through pfsense.

      Whatever rule I add (even "Easy rules" untouched), nothing helps.

      One more test: Factory defaults, IPs, DNS, Default GW setup: NAT works perfectly. I restore my config again: Argh - all connections are blocked again.

      And I'd really like to restore my settings, because I have a lot of OpenVPN clients & servers, certificates etc. there.

      What can I do?

      Some attachments:

      Here is a part of my firewall log (sorry, the forum didn't make it possible to upload a screenshot):
      Action  Time             Interface  Source                 Destination            Proto
      block   Jan 1 21:42:55   ovpns2     192.168.0.38:50631     192.168.42.129:80      TCP:S
      block   Jan 1 21:42:55   LAN        192.168.42.131:137     192.168.42.191:137     UDP
      block   Jan 1 21:42:55   WAN        81.20.128.130:57462    198.78.197.254:80      TCP:S
      block   Jan 1 21:42:56   LAN        192.168.42.131:137     192.168.42.191:137     UDP
      block   Jan 1 21:42:57   LAN        192.168.42.131:137     192.168.42.191:137     UDP
      block   Jan 1 21:42:58   WAN        81.20.128.130:55850    213.221.117.6:4812     TCP:S
      block   Jan 1 21:42:59   WAN        81.20.128.130:21191    213.221.117.6:4812     TCP:S
      block   Jan 1 21:42:59   WAN        81.20.128.130:5764     213.221.117.6:4812     TCP:S

      Then I figured out a little bit more:
      It looks as if I set up all my (auto generated) rules as "block" instead of "pass"… If I change the non-working NAT firewall rule from "Pass" to "Reject", I can feel the immediate reject, so my rules seem to stay a little bit functional...

        dklev

        Argh, I'm an idiot! I added a reject rule at "Floating", but this is maybe stronger than my WAN/LAN pass rules! And I only figured that out by clicking on the red "X", which opens a message showing which rule made the reject. And this I only figured out after searching the web for a long time…

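The cause found in this thread was a reject rule left on the Floating tab and carried over by the config restore. As an added example (not code from the thread or from pfSense), the following lists floating block/reject rules in a config backup so they can be reviewed before restoring; the element names are assumed from the pfSense config.xml layout, and the sample config and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's configuration. Element names (<filter>/<rule>,
# <type>, <floating>, <quick>, <interface>, <descr>) are assumed from pfSense config.xml.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>reject</type>
      <interface>wan,lan</interface>
      <floating>yes</floating>
      <quick>yes</quick>
      <descr>temporary reject (constructed)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <descr>NAT web server (constructed)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <floating>yes</floating>
      <descr>floating pass (constructed)</descr>
    </rule>
  </filter>
</pfsense>"""


def floating_deny_rules(config_xml):
    """Return floating block/reject rules with the interfaces they cover."""
    findings = []
    for index, rule in enumerate(ET.fromstring(config_xml).findall("./filter/rule")):
        action = (rule.findtext("type") or "pass").strip().lower()
        if rule.find("floating") is None or action not in ("block", "reject"):
            continue  # only floating rules that deny traffic are of interest
        interfaces = [i for i in (rule.findtext("interface") or "").split(",") if i]
        findings.append({
            "index": index,                         # position in the rule list
            "action": action,
            "interfaces": interfaces or ["any"],    # no interface listed: treated as any
            "quick": rule.find("quick") is not None,
            "descr": (rule.findtext("descr") or "").strip(),
        })
    return findings


if __name__ == "__main__":
    for finding in floating_deny_rules(SAMPLE_CONFIG):
        print(finding)
```

Any rule it reports on an interface that also carries NAT pass rules is a candidate for the behaviour described in the thread.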
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.