Revision 9d140dd5 - expected changes in behavior?
I was running a build from 23.04.2013 and I updated to:
built on Thu Apr 25 21:20:47 EDT 2013
After the reboot I immediately noticed something was different - the LAN interface was not replying to ICMP any more, even though routing towards the Internet worked normally. I took a good look at the rules and noticed that the first match for the ICMP packets towards the LAN interface was a rule that has a gateway group specified. This setup had worked like this for almost 2 years. I then added an explicit "from LAN net to LAN net" rule with no gateway group specified and placed it before the other rule in order to force a route table lookup for local LAN traffic. This resulted in ICMPs being replied to on the LAN interface once again. Then I noticed that traceroutes from LAN hosts towards the Internet started showing the LAN IP as the 1st hop, even though policy routing is being performed to forward the packets via a gateway group. This has never happened for as long as I've used gateway groups to route my traffic, the 1st hop always being the GW on the ISP side.
I think this patch is most likely responsible for this change in behavior: Revision 9d140dd5. Taking a look at the code change, there seems to be a massive rewrite of the forwarding code.
Are there any other expected behaviour changes emerging from this change?
Read my thread "pfSense Crashed" - it might be related. Thursday night's builds seem to be broken in a very severe, fundamental way.
New snapshots are up now, give one a try, it should be back to the behavior before those patches.
Thanks, with the newer build everything is back to normal.