Netgate Discussion Forum
    *SOLVED* static route causes random blocks on firewall LAN

    brcisna:
      Hello All,

      pfSense-2.1.4-RELEASE (amd64)
      squid
      squidGuard
      lightsquid
      Xeon quad core, 4 Intel NICs (em)

      1 WAN , 3 LAN

      Topology:

      3 Network LAN segments on pfSense machine being:
      LAN - 172.28.8.0/24  =  servers
      OPT1 - 172.28.10.0/23  = Elementary
      OPT2 - 172.28.12.0/23  = High School

      Static route placed on LAN to point towards the Adtran router.

      This pfSense system has to also connect to an Adtran router that feeds ip phones and yet another "teacher" network segment that uses:
      172.28.14.0/23
      The teacher network segment is routed out from the Adtran router to go through the pfSense systems squidGuard for content filtering of course.

      Looking at the screenshots below, the Adtran router gateway is 172.28.8.1.
      The pfSense machine LAN gateway is 172.28.8.2 (for completeness).

      Problem:

      After running the new pfSense machine for a few days now, and about 3 full days of trying to get the firewall rules set right, I have come to find out that if the static route that was put in place from the get-go to connect to the Adtran router is disabled, the blocks in the firewall log go away.
      These blocks are blocking DNS, WINS, SMB and so on. They are coming from the OPT1 and OPT2 interfaces.
      There are NO block rules in place in the firewall LAN, OPT1, OPT2 rules.

      Tried to resolve with:

      I have tried selecting the option System > Advanced > Firewall/NAT > Static route filtering, and checking this made no difference.
      I have tried Wiresharking the system but am not smart enough and have given up (for now).

      I will attach screenshots below of the firewall rules, static route and firewall log (with the static route enabled).

      Sidenote:
      Something that looks very quirky on the LAN firewall rules is the addition of 172.28.14.0/23 as Source. I had to do this for the teacher network to get internet access. It sure doesn't look like an RFC-compliant setup, but it does work?

      Internet access works fine on all four LAN segments, but of course some DNS and accessing file shares on the LAN is very dodgy.

      Also worth noting this has worked on pfSense-1.2.3 and pfSense-2.0.1.

      Is it possible the Adtran router could be causing this effect on the newer kernel in pfSense-2.1.4 versus 2.0.1?

      Thank You,
      Barry

      Attachments: firewall-log.png, gateway.png, lan.png, opt1.png, opt2.png, route.png

      brcisna (reply):

        Hello All,

        The above problem was in fact not a routing problem on pfSense system part.

        The Windows Server 2003 DC gateway was set to the Adtran router gateway rather than the actual pfSense router's gateway address.
        I believe it may have been related to packet timestamps being way off between the Adtran and pfSense routers?
        After changing the gateway on the Windows Server DC (which was supplying the WINS, DNS and SMB that were being blocked), these blocks have disappeared from the firewall logs.

        For some reason, this did not occur on the previous pfSense-2.0.1 system?

        Thanks

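The two posts above are the usual pfSense symptom of a server whose default gateway is not the firewall: one half of each flow bypasses pfSense, so the packets pf does see have no matching state and fall through to the default deny, even though no block rule exists on the interface. The following triage script is an added example, not code from the thread, from Netgate or from pfSense. It reads raw filterlog lines, separates blocks of mid-stream TCP packets (no SYN, the out-of-state signature) from ordinary SYN blocks and from blocks between two local segments, and names the destination host whose return path should be checked first. It assumes the filterlog CSV layout documented for pfSense 2.2 and later (with the tracker column; earlier releases used a slightly different layout), an assumed em1/em2/em3 mapping to LAN/OPT1/OPT2, a hypothetical DC address of 172.28.8.10, and constructed sample lines that are not from the poster's log.

```python
"""Triage pfSense filterlog blocks for the asymmetric-routing signature.

Added example, not from the thread. Assumptions (all hypothetical):
  * raw filterlog CSV in the pfSense 2.2+ layout (tracker field present),
    optionally still carrying its syslog "... filterlog: " prefix;
  * em1/em2/em3 are LAN/OPT1/OPT2 and the DC lives at 172.28.8.10;
  * SAMPLE_LINES below are constructed, not taken from the post.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Directly connected segments from the thread; interface names are assumed.
LOCAL_NETS = {
    "em1": ipaddress.ip_network("172.28.8.0/24"),   # LAN, servers
    "em2": ipaddress.ip_network("172.28.10.0/23"),  # OPT1, elementary
    "em3": ipaddress.ip_network("172.28.12.0/23"),  # OPT2, high school
}


@dataclass
class Block:
    iface: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    tcp_flags: Optional[str]


def parse_filterlog(line: str) -> Optional[Block]:
    """Return a Block for a 'block' record, or None for anything else."""
    if "filterlog:" in line:                      # strip syslog prefix if present
        line = line.split("filterlog:", 1)[1]
    f = line.strip().split(",")
    # common header: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
    if len(f) < 9 or f[6] != "block":
        return None
    iface = f[4]
    if f[8] == "4":
        # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif f[8] == "6":
        # IPv6: class,flowlabel,hoplimit,proto-text,proto-id,length,src,dst
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    sport = dport = flags = None
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
    if proto == "tcp" and len(rest) >= 4:
        flags = rest[3]          # pf flag letters, e.g. S, SA, A, PA, FA, R
    return Block(iface, proto, src, dst, sport, dport, flags)


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS.values())


def classify(b: Block) -> str:
    """out-of-state: a TCP packet that is not a bare SYN hit the default deny,
    so pf held no state for it. That is what one half of a flow bypassing the
    firewall looks like (here: the DC replying via the Adtran, not pfSense).
    inter-lan: a block between two local segments; not conclusive for UDP or
    ICMP, but worth a look when no block rule exists for that pair."""
    if b.proto == "tcp" and b.tcp_flags is not None:
        if set(b.tcp_flags) - set("SEW"):         # anything beyond SYN/ECN bits
            return "out-of-state"
    if is_local(b.src) and is_local(b.dst):
        return "inter-lan"
    return "ordinary"


def triage(lines):
    """Count blocks by (class, dst, dport) and rank hosts to check first."""
    counts = Counter()
    for line in lines:
        b = parse_filterlog(line)
        if b is not None:
            counts[(classify(b), b.dst, b.dport)] += 1
    # A destination collecting out-of-state blocks is the host whose return
    # path (default gateway, static routes) should be checked first.
    suspects = Counter()
    for (kind, dst, _), n in counts.items():
        if kind == "out-of-state":
            suspects[dst] += n
    return counts, [h for h, _ in suspects.most_common()]


# Constructed sample: three mid-stream SMB/NetBIOS packets from OPT1/OPT2 to
# the DC, one UDP DNS block to the DC, one ordinary SYN block on WAN.
SAMPLE_LINES = [
    "Jul  1 08:00:01 pfSense filterlog: 5,,,1000000103,em2,match,block,in,4,0x0,,127,12345,0,DF,6,tcp,52,172.28.10.50,172.28.8.10,49200,445,0,A,1923441011,77731002,8192,,",
    "5,,,1000000103,em2,match,block,in,4,0x0,,127,12346,0,DF,6,tcp,124,172.28.10.51,172.28.8.10,50000,139,72,PA,1923441100,77731050,8192,,",
    "5,,,1000000103,em3,match,block,in,4,0x0,,127,777,0,DF,6,tcp,52,172.28.12.30,172.28.8.10,51000,445,0,A,44100200,99000100,65535,,",
    "5,,,1000000103,em2,match,block,in,4,0x0,,127,778,0,none,17,udp,61,172.28.10.50,172.28.8.10,52000,53,41",
    "5,,,1000000101,em0,match,block,in,4,0x0,,52,4421,0,none,6,tcp,60,203.0.113.9,198.51.100.7,41000,22,0,S,2200001,0,29200,,mss;sackOK;TS;nop;wscale",
    "7,,,1000000200,em2,match,pass,in,4,0x0,,127,779,0,DF,6,tcp,60,172.28.10.50,172.28.8.10,49201,445,0,S,5,0,8192,,mss",
]

if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LINES)
    for (kind, dst, dport), n in sorted(counts.items()):
        print(f"{kind:13} {dst}:{dport} x{n}")
    print("check return path on:", suspects)
```

Out-of-state blocks also appear briefly after state timeouts or a firewall reboot, so a handful against one host proves nothing; a sustained count toward one server from several segments, as in the constructed sample, is the pattern worth acting on. On the pfSense console, `pfctl -ss | grep 172.28.8.10` (with the real server address) shows whether pf holds state for those flows at all, and the fix is on the server's side of the table: its default gateway or its route for the client segments must send replies back through the firewall that saw the request.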
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.