Netgate Discussion Forum
    3 LANs, pass all, still blocks

    Category: Firewalling
    • brcisna

      Hello All,

      pfSense-2.1.4-RELEASE

      1 WAN , 3 LANS

      LAN  =  172.28.8.0/24            # server subnet
      OPT1 = 172.28.10.0/23      # elementary subnet
      OPT2 = 172.28.12.0/23      # high school subnet

      Also a static route on LAN that points to an Adtran router that feeds teacher PCs on a 172.28.14.0/23 subnet, to pass teacher PC traffic out through the pfSense system for content filtering. (Default gateway for this router is 172.28.8.1 when looking at the screenshots of the gateway below.)

      Have had this pfSense system running for about two weeks now and have what I think are pass-all rules on each LAN interface, but yet I still see blocked traffic between subnets for services such as WINS, DNS, SMB and so on.

      I have checked in System > Advanced > Firewall/NAT > "Bypass firewall rules for traffic on same interface", but this didn't help.

      I have read where changing the firewall rules from "keep state" to "sloppy state" has resolved this for a couple of users that have a static route set. This did not do anything.

      I will attach screenshots, as a post is usually hard to picture what is going on without "real screenshots".

      Thanks,
      Barry

      Attachments: firewalllog.png, gateways.png, lanrules.png, opt1rules.png, opt2rules.png, routes.png

      • KOM

        When you click the red X on the far left of the firewall log, what rule does it say is doing the block?

        • brcisna

          KOM,

          Thank you for the tip. Didn't realize that feature existed. Now I do.
          I posted a screenshot, and I really don't understand the output of the red X:

          "all fragment reassemble"
          "block drop in inet  log, "Default deny all ipv4"

          Screenshot attached.

          Thanks.

          Attachment: redX.png

          • Derelict (LAYER 8, Netgate)

            First, you need to set Teacher_Gateway to be the IP address of the Adtran device that is the gateway for the teacher /23.  When you give interface addresses like this:

            LAN  =  172.28.8.0/24            # server subnet
            OPT1 = 172.28.10.0/23      # elementary subnet
            OPT2 = 172.28.12.0/23      # high school subnet

            Please don't use .0. Give us the interface address in pfSense or something else useful. I can't tell from what you're saying if the Adtran is 172.28.8.1, pfSense is 172.28.8.1, or if you have them both configured as 172.28.8.1.

            You're telling pfSense where to send traffic it has for 172.28.14.0/23.

            Second. Is something not working, or are you just seeing firewall logs? Looks like you're seeing traffic for states that have expired. It happens all the time. All stateful firewalls have no choice but to block such traffic.

            "I have read where changing the firewall rules from "keep state" to "sloppy state" has resolved this for a couple of users that have a static route set. This did not do anything."

            "I have checked in System > Advanced > Firewall/NAT > "Bypass firewall rules for traffic on same interface", but this didn't help."

            Your situation is not anything special.  Please stop checking boxes.  It's not going to fix it.  You need to find what's misconfigured and fix it.

            And a network drawing would be helpful.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

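            A way to put the "expired state" explanation above to work on the log itself, as an added example (this is not code from the thread, from pfSense, or from any poster): the script below parses pfSense filterlog lines and separates blocks that hit an existing session mid-stream (ACK/FIN/RST with no SYN, i.e. the stale-state noise Derelict describes) from blocks of a fresh TCP SYN, which are the only ones a pass-all rule should never produce. It assumes the pfSense 2.1 filterlog CSV field layout, assumes 1000000103 is the tracker ID of the built-in "Default deny rule IPv4" (check the red X in the firewall log for your own entries), and the sample log lines are constructed to match the thread's subnets, not real captures.

```python
"""
Triage pfSense filterlog entries: stale-session blocks vs. real rule misses.

Added example, not from the forum thread or from pfSense itself.
Assumes the pfSense 2.1 filterlog CSV layout (field indexes below); verify
the indexes against one of your own log lines before trusting the output.
"""
import re
from collections import Counter

FILTERLOG_RE = re.compile(r"filterlog: (?P<csv>.*)$")

# Tracker ID pfSense uses for the built-in "Default deny rule IPv4".
# Assumed for the constructed data below; confirm via the red X in
# Status > System Logs > Firewall on your own box.
DEFAULT_DENY_V4_TRACKER = "1000000103"

# Constructed sample lines (not real captures), using the thread's subnets.
SAMPLE_LOG = [
    # SMB ACK from elementary subnet to server: session state already expired
    "Oct  1 08:15:02 pfSense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,127,8765,0,DF,6,tcp,40,172.28.10.57,172.28.8.10,49871,445,0,A,123456789,987654321,65535,,",
    # NetBIOS FIN/ACK from teacher subnet (via the Adtran) to server
    "Oct  1 08:15:03 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,126,8766,0,DF,6,tcp,40,172.28.14.22,172.28.8.10,51234,139,0,FA,223456789,887654321,65535,,",
    # Fresh SYN from high school subnet to RDP on server: a rule should have passed this
    "Oct  1 08:15:04 pfSense filterlog: 5,16777216,,1000000103,em3,match,block,in,4,0x0,,128,8767,0,DF,6,tcp,60,172.28.12.80,172.28.8.10,50001,3389,0,S,323456789,,65535,,mss;nop;wscale",
    # WINS/NetBIOS name query over UDP: no handshake, cannot tell old from new
    "Oct  1 08:15:05 pfSense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,1122,0,none,17,udp,78,172.28.10.57,172.28.8.10,137,137,58",
    # RST from the server back toward a teacher PC
    "Oct  1 08:15:06 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,172.28.8.10,172.28.14.22,445,51234,0,R,423456789,,0,,",
]


def parse_filterlog(line):
    """Return a dict of the fields this triage needs, or None if not a filterlog line."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # 0 rule, 1 sub-rule, 2 anchor, 3 tracker, 4 real-interface, 5 reason,
    # 6 action, 7 direction, 8 ip-version  (pfSense 2.1 filterlog, assumed)
    entry = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if entry["ipver"] != "4":
        return entry  # IPv6 has a different layout; not handled here
    # IPv4: 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags, 15 proto-id,
    # 16 proto-text, 17 length, 18 src, 19 dst
    entry.update({"proto": f[16], "src": f[18], "dst": f[19]})
    if entry["proto"] in ("tcp", "udp"):
        entry["sport"], entry["dport"] = f[20], f[21]   # 20 sport, 21 dport, 22 datalen
    if entry["proto"] == "tcp":
        entry["tcp_flags"] = f[23]                      # 23 tcp-flags (S, A, F, R, P, ...)
    return entry


def classify(entry):
    """Label a blocked IPv4 entry by what the packet most likely was."""
    if entry["action"] != "block":
        return "not-a-block"
    proto = entry.get("proto")
    if proto == "tcp":
        flags = entry["tcp_flags"]
        if "S" in flags and "A" not in flags:
            return "new-connection"   # bare SYN: a pass rule should have matched it
        return "out-of-state"         # ACK/FIN/RST/PSH with no state: expired session
    if proto == "udp":
        return "udp-ambiguous"        # no handshake, so state age cannot be inferred
    return "other"


def triage(lines):
    """Count each class and list the new-connection blocks worth investigating."""
    counts = Counter()
    suspicious = []
    for line in lines:
        e = parse_filterlog(line)
        if not e or e.get("ipver") != "4":
            continue
        label = classify(e)
        counts[label] += 1
        if label == "new-connection":
            suspicious.append((e["iface"], e["src"], e["dst"], e["dport"], e["tracker"]))
    return counts, suspicious


if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:16s} {n}")
    for iface, src, dst, dport, tracker in suspicious:
        hit = "default deny" if tracker == DEFAULT_DENY_V4_TRACKER else f"tracker {tracker}"
        print(f"investigate: {iface} {src} -> {dst}:{dport} ({hit})")
```

            Only the "new-connection" rows point at a rule or routing problem; a SYN arriving on an interface and hitting the default deny means no pass rule on that interface covered it. The "out-of-state" rows are the expired-session traffic described in the reply above and need no rule changes.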
            • brcisna

              Hello,

              Thank You to each for pointers.

              I'm sure Derelict is correct in that the firewall log was LAN interface traffic between the three network segments with expired tags.
              I sure don't remember seeing this in the previous version, pfSense-2.0.1. I honestly thought we were having troubles behind the scenes and simply haven't been able to Wireshark / packet capture anything to get to the nitty gritty of it.

              One other thing was that I was seeing many in/out errors (continuously building) on one of the four interfaces in this new machine, under Status > Interfaces. I replaced the ethernet wire and saw no change. I rebooted two days ago and there are no more in/out errors, so not sure what that was.
              The only thing I can imagine on this (my theory) is that, having this new router in the server rack and changing wires back and forth from the previous pfSense router to this shiny new one, maybe something got wonky until a system reboot, which I hadn't done.

              Everything seems to be AOK now.

              Thanks again!

              • KOM

                Out-of-state packets cause log traffic like that.  Glad to hear you got it working.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.