Weird behavior with 2.2RELEASE regarding some rules with gw groups
-
Hi all,
I am trying to configure pfSense to firewall FreePBX software. It is a complex setup that was working just fine with 2.1.5. The firewalls are running in VMs in VMware 5.5.
So here we go:
Interfaces (all but HA and MGMT have CARPed IPs used):
WAN_1
WAN_2
VOIP_PRIVATE (10.0.0.4-5-6/24, .4 being the CARPed IP used)
HA (172.25.0.1-2/30 used)
LAN (192.168.200.1-2-3/24, .1 being the CARPed IP used as a default gateway for the PBX)
MGMT (DHCP, for laptop direct cross-connect, lifesaver kinda)
GW:
WAN_1GW
WAN_2GW
VOIP_PRIVATE_PRI (10.0.0.1)
VOIP_PRIVATE_SEC (10.0.0.254)
GW Groups:
DualWAN, consisting of both WAN GWs
DualVoIP, with both VOIP_PRIVATE GWs, which sit in the same subnet; this is normal.
I do outbound NAT with CARPed IPs on WAN_1, WAN_2 and VOIP_PRIVATE.
I set VOIP private Outbound NAT only on my provider's subnet (10.20.0.0/24).
I also set firewall rules from LAN to a particular IP (10.20.0.10) to use DualVoIP gw.
Next LAN rule is LAN to any using DualWAN gw for WAN redundancy.
I did not set a gw on the VOIP_PRIVATE interface; I blocked bogon networks but not the private ones.
The problem is that pfSense is still blocking from the PBX to the 10.20.0.10 IP even though I set it as a firewall rule which is first in the rule set for the LAN interface. If I set a gateway directly in the VOIP_Private iface page, it works, but I need to reboot first and the DualVoIP gateway doesn't seem to work (if I disable VOIP_PRIVATE_PRI, it is still using it when I traceroute in the Linux box and from the pfSense ping/traceroute page as well).
-
Are you killing firewall states between firewall rule changes?
Can you check with tcpdump if your outbound NAT rules are working?
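
One way to run the tcpdump check suggested above, as an added example that is not part of the original thread: capture on the VOIP_PRIVATE side and classify packets going to 10.20.0.10 by source address. The interface placeholder VOIP_IF, the PBX address 192.168.200.10 and the sample capture lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Live use on the firewall, where VOIP_IF
# is a placeholder for the real interface behind VOIP_PRIVATE:
#   tcpdump -n -l -i VOIP_IF host 10.20.0.10 | classify_nat 10.20.0.10 10.0.0.4 192.168.200.

# classify_nat DST NAT_SRC LAN_PREFIX
# Reads `tcpdump -n` text on stdin and counts packets sent to DST:
#   natted = source is the CARP address the outbound NAT rule should apply
#   leaked = source is still a LAN address, so the NAT rule did not match
classify_nat() {
    awk -v dst="$1" -v nat="$2" -v lan="$3" '
    # Strip a trailing ".port" from "a.b.c.d.port"; ICMP lines carry no port.
    function host(a, p, n) {
        n = split(a, p, ".")
        if (n == 5) sub(/\.[0-9]+$/, "", a)
        return a
    }
    $2 == "IP" {
        d = $5
        sub(/:$/, "", d)          # tcpdump prints "dst.port:"
        if (host(d) != dst) next  # ignore replies and unrelated traffic
        s = host($3)
        if (s == nat) natted++
        else if (index(s, lan) == 1) leaked++
        else other++
    }
    END { printf "natted=%d leaked=%d other=%d\n", natted, leaked, other }'
}

# Constructed sample capture: two translated packets, one reply from the
# provider, and one packet that left with the PBX LAN address untranslated.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.0.4.5060 > 10.20.0.10.5060: UDP, length 512
12:00:01.100000 IP 10.20.0.10.5060 > 10.0.0.4.5060: UDP, length 480
12:00:02.000001 IP 192.168.200.10.5060 > 10.20.0.10.5060: UDP, length 512
12:00:03.000001 IP 10.0.0.4 > 10.20.0.10: ICMP echo request, id 1, seq 1, length 64
EOF
}
```

A non-zero `leaked` count means traffic is leaving VOIP_PRIVATE with its LAN source address. If all counts are zero, the traffic is not reaching that interface at all, which points at the LAN rule or at stale states rather than at NAT.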