*SOLVED* static route causes random blocks on firewall LAN
-
Hello All,
pfSense-2.1.4-RELEASE(amd 64)
squid
squidGuard
lightsquid
xeon quad core , 4 intel nics - em1 WAN , 3 LAN
Topology:
3 Network LAN segments on pfSense machine being:
LAN - 172.28.8.0/24 = servers
OPT1 - 172.28.10.0/23 = Elementary
OPT2 - 172.28.12.0/23 = High SchoolStatic route placed on LAN to point towards Adtran router .
This pfSense system has to also connect to an Adtran router that feeds ip phones and yet another "teacher" network segment that uses:
172.28.14.0/23
The teacher network segment is routed out from the Adtran router to go through the pfSense systems squidGuard for content filtering of course.Looking at the screenshots below the Adtran router gateway is 172.28.8.1
The pfsense machine LAN gateway is 172.28.8.2, (for completeness.)Problem:
After running the new pfSense machine for a few days now,and about 3 full days of trying to get firewall rules set right,come to find out if the static route that was put in place off the get go,to connect to the Adtran router the firewall blocks in the firewall log goes away.
These blocks are blocking dns, wins, smb and so on. These are coming from OPT1 and OPT2 interfaces.
There ar NO block rules in place in firewall lan,opt1,opt2 rules.Tried to resolve with:
I have tried selecting the option of - System > Advanced > Firewall/NAT > Static route filtering - and checking this made no difference.
I have tried Wiresharking the system but am not smart enough and have given up (for now).I will attach screen shots below of firewall rules, static route and firewall log,(with static route enabled).
Sidenote:
Something that looks very quirky on the LAN firewall rules is the add of the 172.28.140/23 as Source. I had to do this for the teacher network to get internet access. It sure doens't look like an RFC compliant setup,but it does work?Internet access works fine on all four lan segments,but of course some dns and accessing file shares on lan is very dodgey.
Also worth noting this has worked on pfSense-1.2.3 and pfSense-2.0.1.
Is it possible the Adtran router could be causing this effect on the newer kernel in pfSense-2.1.4 verius 2.0.1 ?
Thank You,
Barry
-
Hello All,
The above problem was in fact not a routing problem on pfSense system part.
The Windows Server 2003 DC gateway was set to the Adtran router gateway rather than the actual pfSense router's gateway address.
I believe it may have been related to packet timestamps being way off between Adtran , and pfSense routers., ?
After changing the Windows Server DC (which was supplying the wins, dns , smb) that was being blocked these blocks have disappeared from the firewall logs.For some reason,this did not occur on the previous pfSense-2.0.1 system.?
Thanks