Weird weird problem

  • I recently replaced a home-brew Linux iptables-based firewall with pfSense, and with the exception of this problem it works flawlessly.  Here are the specs:

    • pfSense version 1.0.1

    • P4

    • 1Gb RAM

    • 40Gb HDD

    • 4 x 3Com 509c 10/100 NICs

    • NO additional packages installed

    We have a host with vmware server running on it and several guest virtual machines.

    We moved the machine and all of its virtual hosts behind pfSense and created Port-Forwarding rules (with matching Filter Rules) for ports 80 and 22 for each of the virtual machines.  This is where it gets weird…

    All of the machines, virtuals and host, can ping and ssh to/from anywhere.  But ALL HTTP requests fail.  This includes requests from AND to the internet (via wget or any other command that uses http).  On the local network and between the virtual machines, everything works fine.

    Move the physical host to another network that goes through the pfSense, it and all the virtual machines work fine.  Move it back to the DMZ and it stops working.

    Move any of the virtual machines to another physical host with ZERO changes otherwise, and they work fine.

    We have another vmware host with the SAME hardware and base OS (same revision and all) that works perfectly fine inbound and outbound.  All the problems are with the single host.

    We re-installed the operating system assuming that maybe the system drivers may be corrupt... same OS, version, and updated it.  No success.

    We checked to make sure there were no local firewalls on ANY of the virtual machines or host, and even uninstalled iptables and rebooted them to be absolutely sure.

    Everything else works fine BUT HTTP requests inbound or outbound.

    I performed tcpdumps in front of and inside the firewall with the same results.  I forgot to copy and paste so no details, but this is a summary of what I see:

    From the problem machine to
    Src:  Syn
    Dst:  Syn-Ack
    Src:  Ack
    Dst: Push
    Dst: Push
    Dst: Push... etc

    From the outside to the problem machines:
    Src:  Syn
    Dst:  Syn-Ack
    Src:  Ack
    Src: Push
    Src: Push
    Src: Push... etc

    And NAT was working properly.

    Someone please tell me something constructive, because we're out of ideas.

    All the other hosts on the DMZ work fine.
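    The two tcpdump summaries above share one shape: the three-way handshake completes, then one side keeps sending PSH segments and nothing ever comes back. As an added example (not from the original post), here is a small Python script that parses summaries written in the same "Src:  Syn" / "Dst: Push" style and labels each flow as bidirectional, stalled after the handshake, or never connected. The input flows are constructed copies of the post's summaries plus a healthy one for contrast; the classifier reports the pattern only and does not infer the cause.

```python
# Added example, not from the original post: classify hand-written tcpdump
# flag summaries like the ones quoted above into a coarse flow verdict.
from typing import List, Tuple

Event = Tuple[str, str]  # ("src" or "dst", "SYN" / "SYN-ACK" / "ACK" / "PSH" ...)

def parse_summary(text: str) -> List[Event]:
    """Parse lines of the form 'Src:  Syn', 'Dst: Syn-Ack', 'Dst: Push... etc'."""
    names = {"SYN": "SYN", "ACK": "ACK", "PUSH": "PSH", "PSH": "PSH",
             "FIN": "FIN", "RST": "RST"}
    events: List[Event] = []
    for line in text.strip().splitlines():
        who, _, rest = line.partition(":")
        rest = rest.replace("...", " ").replace("etc", " ")  # drop trailing 'etc'
        parts = [names[p.strip().upper()] for p in rest.split("-") if p.strip()]
        events.append((who.strip().lower(), "-".join(parts)))
    return events

def classify_flow(events: List[Event]) -> str:
    """'no-handshake', 'stalled-one-way-push', 'bidirectional' or 'idle-after-handshake'."""
    flags = [(who, frozenset(f.split("-"))) for who, f in events]
    # Expected handshake order: SYN from initiator, SYN-ACK back, ACK from initiator.
    want = [("src", {"SYN"}), ("dst", {"SYN", "ACK"}), ("src", {"ACK"})]
    step = 0
    for i, (who, fl) in enumerate(flags):
        if who == want[step][0] and fl == want[step][1]:
            step += 1
            if step == len(want):
                rest = flags[i + 1:]   # everything after the handshake
                break
    else:
        return "no-handshake"
    senders = {who for who, _ in rest}
    pushers = {who for who, fl in rest if "PSH" in fl}
    if len(pushers) == 1 and senders == pushers:
        return "stalled-one-way-push"  # data pushed, nothing at all comes back
    if len(senders) == 2:
        return "bidirectional"
    return "idle-after-handshake"

# Constructed inputs: the two patterns from the post and one healthy exchange.
OUTBOUND = "Src:  Syn\nDst:  Syn-Ack\nSrc:  Ack\nDst: Push\nDst: Push\nDst: Push... etc"
INBOUND = "Src:  Syn\nDst:  Syn-Ack\nSrc:  Ack\nSrc: Push\nSrc: Push\nSrc: Push... etc"
HEALTHY = "Src: Syn\nDst: Syn-Ack\nSrc: Ack\nSrc: Push\nDst: Ack\nDst: Push\nSrc: Ack"

if __name__ == "__main__":
    for name, text in (("outbound", OUTBOUND), ("inbound", INBOUND), ("healthy", HEALTHY)):
        print(f"{name:9s} -> {classify_flow(parse_summary(text))}")
```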

  • Try this.

    1. Update to a recent snapshot? Still having issues, go to #2
    2. System -> Advanced -> Disable Firewall Scrub, enable this option.  Work now?

