[SOLVED] pfSense blocks packets from a particular LAN IP!



  • Hello guys!

    I have a very curious issue with pfSense.
I have two pfSense boxes running in CARP; the master is version 2.1.2, the backup is 2.1.3.
The backup blocks a particular IP on the LAN interface. On the master everything works fine. However, the machines are synced.

    LAN net: x.x.3.0/24
    LAN master: x.x.3.2
    LAN backup: x.x.3.3
    LAN CARP: x.x.3.1

In the LAN net I have 4 hosts. Each host has access as expected except one with the IP x.x.3.110. Unfortunately this is our master DC.
Every packet from IP x.x.3.110 is blocked by the backup pfSense. If the master is up there is no problem when I use the CARP IP, but if it is offline there is no access to or from the DC.

    For analysis I have made tests with ping and captured the packets with pfSense.

Ping from the affected host to the LAN address of the backup pfSense looks like this:

    13:18:58.820303 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 2816, length 40
    13:19:04.238687 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3072, length 40
    13:19:09.738722 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3328, length 40
    13:19:15.238763 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3584, length 40
    
    

There are no replies; however, in the logs I can see that the ping is passed by the rules.

Ping from another host is okay. It also gets replies:

    13:18:17.447322 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65057, length 40
    13:18:17.447542 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65057, length 40
    13:18:18.447440 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65313, length 40
    13:18:18.447509 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65313, length 40
    13:18:19.447440 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 34, length 40
    13:18:19.447625 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 34, length 40
    
    

Also, if I change the IP from x.x.3.110 to x.x.3.111, pfSense replies as it should:

    13:25:03.854243 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 5888, length 40
    13:25:03.854326 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 5888, length 40
    13:25:04.859727 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 6144, length 40
    13:25:04.859839 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 6144, length 40
    13:25:05.865605 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 6400, length 40
    13:25:05.865771 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 6400, length 40
    
    

Can you please tell me what the hell the reason for this strange behaviour is?
I have no idea.

A solution would be, as mentioned, changing the IP of the DC. But to do so I would also have to change the interface settings on every host in the network, because this server also does DNS. So I would rather reinstall pfSense. But maybe that will not resolve my issue.

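The diagnosis above rests on pairing the echo requests seen on the backup box with the replies it actually sends back. The script below is an added example (not from the post or from pfSense): it parses `tcpdump -n` ICMP lines like the ones captured, matches each request to its reply by (requester, target, id, seq), and reports per source host how many requests went unanswered. The sample capture embedded in it is constructed from the three captures in the post, with the `x.x` placeholders left as they are. A host whose requests all arrive and are all logged as passed but never answered, while neighbouring hosts are answered, is exactly the pattern that points at the reply path rather than at the inbound rule.

```python
"""Pair ICMP echo requests with replies in tcpdump text output.

Added example, not part of the forum post. Given a capture taken on the
firewall itself, report per source host how many echo requests were
answered and which sequence numbers were not.
"""
import re
from collections import defaultdict

# tcpdump -n line format for ICMP echo, as printed in the post.
# The IP fields accept any non-space token so "x.x.3.110" placeholders parse.
ICMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<len>\d+)\s*$"
)

# Constructed sample: the three captures from the post, concatenated.
SAMPLE_CAPTURE = """\
13:18:58.820303 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 2816, length 40
13:19:04.238687 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3072, length 40
13:18:17.447322 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65057, length 40
13:18:17.447542 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65057, length 40
13:25:03.854243 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 5888, length 40
13:25:03.854326 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 5888, length 40
"""


def _ts_seconds(ts):
    """'13:18:17.447542' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_icmp(text):
    """Yield one dict per parsable ICMP echo line; other lines are skipped."""
    for line in text.splitlines():
        m = ICMP_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["t"] = _ts_seconds(rec["ts"])
        rec["id"] = int(rec["id"])
        rec["seq"] = int(rec["seq"])
        yield rec


def summarize(text):
    """Per requester: request/reply counts, RTTs in ms, and unanswered seqs."""
    pending = {}  # (requester, target, id, seq) -> request timestamp
    stats = defaultdict(
        lambda: {"requests": 0, "replies": 0, "rtt_ms": [], "unanswered": []}
    )
    for rec in parse_icmp(text):
        if rec["kind"] == "request":
            key = (rec["src"], rec["dst"], rec["id"], rec["seq"])
            pending[key] = rec["t"]
            stats[rec["src"]]["requests"] += 1
        else:
            # A reply flows target -> requester, so swap src/dst to find it.
            key = (rec["dst"], rec["src"], rec["id"], rec["seq"])
            t_req = pending.pop(key, None)
            if t_req is None:
                continue  # reply without a matching request in this capture
            stats[rec["dst"]]["replies"] += 1
            stats[rec["dst"]]["rtt_ms"].append(round((rec["t"] - t_req) * 1000, 3))
    for requester, _target, _id, seq in pending:
        stats[requester]["unanswered"].append(seq)
    return dict(stats)


def unanswered_hosts(text):
    """Hosts that sent echo requests and never received a single reply."""
    return sorted(
        h for h, s in summarize(text).items() if s["requests"] and not s["replies"]
    )


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_CAPTURE).items():
        print(host, s)
    print("never answered:", unanswered_hosts(SAMPLE_CAPTURE))
```

Feed it the output of `tcpdump -n -i <lan_if> icmp` taken on the backup box (or the Diagnostics > Packet Capture download) to get the same per-host view; the hosts listed by `unanswered_hosts` are the ones whose reply path deserves a look.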


I had a fatal mistake in the DNS configuration of pfSense.
The affected host was in the wrong position and there was a route set over the WAN gateway. See attachment.

I don't know how this could happen. I compared the settings several times after installation.
Maybe it was messed up during the update to 2.1.3, because I didn't notice any trouble before.


