pfSense 2.2.1 - Routing/Firewall/NAT issues

Long-time user, first-time poster. Love this project.

I do seem to be having an issue with a new install that I can't seem to wrap my head around.

I set up a new pfSense VM to act as a router/firewall/OpenVPN hub for a small office network. The VM is running on XenServer 6.5. Both IPv4 and IPv6 are enabled. Clients can access the internet just fine, and are assigned both IPv4 and IPv6 addresses. (I'm posting to this forum now using the office network.)

The ISP is Comcast. pfSense has a WAN IP of 10.1.X.X, and as such the RFC1918 block rule is turned OFF. LAN -> WAN default allow-all rules exist for both IPv4 and IPv6. A single pass rule on WAN exists to allow a UDP response from the Comcast gateway, which remains responsible for providing IPv6 addresses through SLAAC and/or DHCPv6 (Router Advertisements mode set to 'Assisting').

When running a speed test, the download speed is great. Low latency, high throughput, no issues. The upload test completely fails. The stream doesn't appear to start.

Initially, when looking at my firewall logs, I did not see anything out of the ordinary. Having refreshed them just recently, I found several block entries for traffic that should be explicitly allowed by the ALLOW ALL from LAN -> WAN on both IPv4 and IPv6; however, they state that the packets from LAN -> WAN have been blocked by a default IPv4 block rule.

I've attempted to bypass any firewalling done on the Comcast gateway by putting the pfSense WAN IP into a DMZ. I've completely disabled IPv6 firewalling on the cable gateway, but can't seem to get this working.

To note, some web applications also load very slowly, specifically ones that seem to require SSL. Presumably this is because something is getting in the way of the TLS handshake process.

During a packet capture when I first noticed this issue, I did see quite a few fragmented packets with destination unreachable errors, but modifying the IP Do-Not-Fragment compatibility setting fixes this for me.

Any help would be great; I've been pulling my hair out here and I'm not sure where else to look.
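A useful first check when the firewall log shows "default deny" blocks for traffic that an allow rule should cover is to look at the TCP flags on the blocked packets: a blocked packet that carries SYN is a rule problem, while a blocked packet that is mid-connection (ACK/PSH, no SYN) means the firewall has no state entry for it, which points at state tracking, asymmetric routing or the fragmentation/MTU handling the post mentions rather than at the rules. The script below is an added example, not code from the post or from the pfSense project; it parses the pfSense 2.2 filterlog CSV format and classifies block entries. The log lines are constructed, and the interface names (`em1` as LAN, `em0` as WAN) and the tracker ids are assumptions for this sample.

```python
"""Separate rule problems from state-table problems in pfSense filterlog output.

Added example; the sample log lines below are constructed, not taken from the post.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption for this sample: em1 is the LAN interface, em0 the WAN interface.
LAN_IFACES = {"em1"}

# Constructed filterlog lines (pfSense 2.2 CSV layout). The tracker ids used here
# are placeholders for the default deny rule, not values taken from the post.
SAMPLE_LOG = """\
Mar 20 10:01:02 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,44210,0,DF,6,tcp,52,192.168.1.10,203.0.113.5,51522,443,0,A,1234:1234,5678,513,,nop;nop;TS
Mar 20 10:01:02 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,44211,0,DF,6,tcp,1452,192.168.1.10,203.0.113.5,51522,443,1400,PA,1234:2634,5678,513,,nop;nop;TS
Mar 20 10:01:05 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,9001,0,none,6,tcp,60,192.168.1.20,203.0.113.9,40000,22,0,S,99:99,,29200,,mss;sackOK
Mar 20 10:01:07 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,54,3301,0,none,17,udp,78,198.51.100.7,10.1.2.3,5353,5353,58
Mar 20 10:01:09 fw filterlog: 7,16777216,,1000000105,em1,match,block,in,6,0x00,0x00000,64,tcp,6,52,2001:db8::10,2001:db8:1::5,51600,443,0,A,77:77,88,256,,nop
"""


@dataclass
class Entry:
    interface: str
    action: str
    direction: str
    ip_version: int
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    tcp_flags: str  # empty for non-TCP entries


def parse_filterlog(line: str) -> Optional[Entry]:
    """Parse one syslog line produced by pfSense's filterlog; None if not parseable."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog:", 1)[1].strip().split(",")
    try:
        interface, action, direction = fields[4], fields[6], fields[7]
        ip_version = int(fields[8])
        if ip_version == 4:
            # IPv4 header fields: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
            proto, src, dst, rest = fields[16], fields[18], fields[19], fields[20:]
        elif ip_version == 6:
            # IPv6 header fields: class, flowlabel, hoplimit, proto-text, proto-id, length, src, dst
            proto, src, dst, rest = fields[12], fields[15], fields[16], fields[17:]
        else:
            return None
    except (IndexError, ValueError):
        return None

    sport = dport = None
    flags = ""
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
        if proto == "tcp" and len(rest) >= 4:
            flags = rest[3]  # TCP flags follow the data-length field
    return Entry(interface, action, direction, ip_version, proto, src, dst, sport, dport, flags)


def classify(entry: Entry) -> str:
    """Bucket a log entry by what a blocked packet on that interface tells you."""
    if entry.action != "block":
        return "pass"
    if entry.interface in LAN_IFACES and entry.direction == "in":
        if entry.proto == "tcp" and "S" not in entry.tcp_flags:
            # Mid-connection packet with no state entry: state tracking, asymmetric
            # routing or MTU/fragmentation trouble, not a missing allow rule.
            return "lan-out-of-state"
        # A brand-new connection attempt was denied: the rule set really missed it.
        return "lan-rule-miss"
    # Unsolicited inbound traffic on a non-LAN interface: expected default-deny noise.
    return "wan-unsolicited"


def summarize(log_text: str) -> dict:
    """Count entries per category for a whole log extract."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:18s} {count}")
```

On the constructed sample the summary is three `lan-out-of-state` entries, one `lan-rule-miss` and one `wan-unsolicited`: a log dominated by out-of-state LAN blocks is the signature to look for before changing any rules. Feed it the real log with `clog /var/log/filter.log` output (pfSense's own log reader) piped into `summarize`, after adjusting `LAN_IFACES` to the actual interface names.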