*SOLVED* static route causes random blocks on firewall LAN



  • Hello All,

    pfSense-2.1.4-RELEASE(amd 64)
    squid
    squidGuard
    lightsquid
    xeon quad core , 4 intel nics - em

    1 WAN , 3 LAN

    Topology:

    3 Network LAN segments on pfSense machine being:
    LAN - 172.28.8.0/24  =  servers
    OPT1 - 172.28.10.0/23  = Elementary
    OPT2 - 172.28.12.0/23  = High School

    Static route placed on LAN to point towards the Adtran router.

    This pfSense system has to also connect to an Adtran router that feeds ip phones and yet another "teacher" network segment that uses:
    172.28.14.0/23
    The teacher network segment is routed out from the Adtran router to go through the pfSense system's squidGuard for content filtering, of course.

    Looking at the screenshots below, the Adtran router gateway is 172.28.8.1.
    The pfSense machine LAN gateway is 172.28.8.2 (for completeness).

    Problem:

    After running the new pfSense machine for a few days now, and about 3 full days of trying to get firewall rules set right, I came to find out that if the static route that was put in place from the get-go to connect to the Adtran router is disabled, the firewall blocks in the firewall log go away.
    These blocks are blocking DNS, WINS, SMB and so on. They are coming from the OPT1 and OPT2 interfaces.
    There are NO block rules in place in the firewall LAN, OPT1, OPT2 rules.

    Tried to resolve with:

    I have tried selecting the option System > Advanced > Firewall/NAT > Static route filtering, and checking this made no difference.
    I have tried Wiresharking the system but am not smart enough and have given up (for now).

    I will attach screenshots below of the firewall rules, static route and firewall log (with the static route enabled).

    Sidenote:
    Something that looks very quirky on the LAN firewall rules is the addition of 172.28.14.0/23 as Source. I had to do this for the teacher network to get internet access. It sure doesn't look like an RFC compliant setup, but it does work?

    Internet access works fine on all four LAN segments, but of course some DNS and accessing file shares on the LAN is very dodgy.

    Also worth noting this has worked on pfSense-1.2.3 and pfSense-2.0.1.

    Is it possible the Adtran router could be causing this effect on the newer kernel in pfSense-2.1.4 versus 2.0.1?

    Thank You,
    Barry


  • Hello All,

    The above problem was in fact not a routing problem on the pfSense system's part.

    The Windows Server 2003 DC gateway was set to the Adtran router gateway rather than the actual pfSense router's gateway address.
    I believe it may have been related to packet timestamps being way off between the Adtran and pfSense routers?
    After changing the gateway on the Windows Server DC (which was supplying the WINS, DNS and SMB that were being blocked), these blocks have disappeared from the firewall logs.

    For some reason, this did not occur on the previous pfSense-2.0.1 system?

    Thanks