Firewall issue on WAN interface (solved)



  • Hello folks,

    we ran into a very tricky problem with the current RC1.

    We replaced our old Linux router with a pfSense 2.0-RC1 (latest build). The pfSense works as a firewall-router between our DMZ and our local LAN. In our DMZ stands an IPsec gateway which routes together 2 networks (local LAN: 192.168.10.0/24; remote LAN: 192.168.20.0/24; DMZ: 172.16.0.0/24). For the local LAN, a static route points to the WAN interface of the pfSense (IPsec: 172.16.0.1; WAN pfSense: 172.16.0.254).
    One of the remote systems (A: 192.168.20.1) should be able to connect to one of the systems (B: 192.168.10.1) on our local LAN side (OPT interface), but system B should not be able to connect to system A. For that we built a firewall rule on the WAN interface (172.16.0.254) to allow all traffic from system A to system B. The rule seems to work fine for any kind of TCP traffic.
    But for ICMP something goes wrong. As expected, system B is not able to ping system A. But system A isn't able to ping B either. However, while A is sending a ping to B, B is able to ping A. So we think that the firewall opens the connection in the wrong direction in that case.
    If we try to ping system B directly from a DMZ system (VPN gateway: 172.16.0.1) everything works fine. If we use our old Linux router everything works fine too.

    Thanks for your help



  • It has something to do with the different gateways:

    http://forum.pfsense.org/index.php/topic,33554.0.html

    We changed the WAN gateway to the IPsec router instead of the default gateway and everything works fine. It seems that all the traffic uses the WAN gateway instead of the gateway defined in the static route.

    We have defined two gateways (static routes):

    1. Default gateway
    2. Route to the remote LAN via the IPsec router

    Is there any other way to define the static routes?



  • If we set the gateway for the WAN interface to "none", it seems to work fine.
    Now the pfSense uses the right static routes.