Hello, I inherited a very old instance of pfsense (1.0.1) acting as a router and firewall between multiple DMZs and WAN (LAN is empty and unused).
After updating to 1.2.3, outbound connections were working fine, but I was no longer able to connect to any of the servers from outside. Not wanting to have to reinstall 1.0.1, I hoped that this was maybe a bug/regression in the NIC driver (there's just one network card with just one port that is fed all the corresponding tagged VLANs) and applied the full update to 2.0.1 as well. Everything went fine, but the behavior persisted.

So I started debugging it (or at least tried to), with Wireshark on a client system and tcpdump on pfSense and one of the servers. When trying to ssh from the client to the server, I can see the TCP handshake. After the client sends its ACK, the server sends the SSH banner. I can see the packet in the dump from the server and on the firewall on both virtual interfaces (the one in the DMZ and the one in WAN). But the packet is never received on the client. What happens instead is that the server receives a TCP RST packet, seemingly coming from the client. But none of the dumps on the client or pfSense show such a packet being sent. As a result the server sends a RST as well, which passes through to the client and the connection is lost. Same behavior for any other port and server in any of the subnets.

But if I `pfctl -F all` or disable pf completely, all works well. There are no blocking rules defined, other than the default one. I added a floating pass any-to-any rule with no success. pflog doesn't show anything as being blocked when the connection is dropped. The rules are the same as when 1.0.1 was used; I did not modify any of them since the first update, and everything worked with that.

I know I'm missing something obvious here, but I just can't understand what. Can anyone please give me any hint? I don't want to start with a fresh install and re-add all the user rules, as there are several hundred defined.
Regards,
-- 
Theo

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
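An added example, not part of Theo's message and not pfSense code, for the comparison he is doing by hand: take the tcpdump text from two vantage points (server side and client side) and list the segments that one side saw but the other never did, so a RST that the server received "from the client" but that the client never sent stands out. It assumes plain `tcpdump -nS` style lines (absolute sequence numbers, no link-layer header) and ignores timestamps, since the two hosts' clocks are not synchronized. The capture lines below are constructed to mirror the exchange described in the post, with RFC 5737 documentation addresses standing in for the real hosts.

```python
"""Diff two tcpdump text captures to find segments seen at one vantage point
but not at another (added example; the two captures below are constructed).

Assumes 'tcpdump -nS' style output: absolute sequence numbers, no -e link-layer
header. Timestamps are deliberately not part of the segment identity because
the capturing hosts' clocks differ."""
import re

# One tcpdump TCP summary line. Fields other than these are ignored.
_LINE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?(?:, ack (?P<ack>\d+))?"
)

# Constructed: what the client (203.0.113.10) saw on its own interface.
CLIENT_CAPTURE = """\
12:00:01.000100 IP 203.0.113.10.51234 > 198.51.100.20.22: Flags [S], seq 1000, win 65535, length 0
12:00:01.000900 IP 198.51.100.20.22 > 203.0.113.10.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:01.001000 IP 203.0.113.10.51234 > 198.51.100.20.22: Flags [.], ack 2001, win 1024, length 0
12:00:01.003000 IP 198.51.100.20.22 > 203.0.113.10.51234: Flags [R], seq 2001, win 0, length 0
"""

# Constructed: what the server (198.51.100.20) saw at the same time. The SSH
# banner (P.) and a RST "from the client" appear here but never at the client.
SERVER_CAPTURE = """\
12:00:01.000400 IP 203.0.113.10.51234 > 198.51.100.20.22: Flags [S], seq 1000, win 65535, length 0
12:00:01.000500 IP 198.51.100.20.22 > 203.0.113.10.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:01.001400 IP 203.0.113.10.51234 > 198.51.100.20.22: Flags [.], ack 2001, win 1024, length 0
12:00:01.001600 IP 198.51.100.20.22 > 203.0.113.10.51234: Flags [P.], seq 2001:2022, ack 1001, win 65535, length 21
12:00:01.002000 IP 203.0.113.10.51234 > 198.51.100.20.22: Flags [R], seq 1001, win 0, length 0
12:00:01.002100 IP 198.51.100.20.22 > 203.0.113.10.51234: Flags [R], seq 2001, win 0, length 0
"""


def parse_capture(text):
    """Return one dict per parseable tcpdump line, in capture order."""
    segments = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            segments.append(m.groupdict())
    return segments


def segment_key(seg):
    """Identity of a segment independent of where or when it was captured."""
    return (seg["src"], seg["dst"], seg["flags"], seg["seq"], seg["ack"])


def segments_only_in(capture_a, capture_b):
    """Segments present in capture_a that capture_b never saw."""
    seen_in_b = {segment_key(s) for s in capture_b}
    return [s for s in capture_a if segment_key(s) not in seen_in_b]


def spurious_resets(near_capture, far_capture, claimed_sender):
    """RSTs the near side received, apparently from claimed_sender, that
    claimed_sender's own capture (far_capture) never shows it sending."""
    return [
        s for s in segments_only_in(near_capture, far_capture)
        if "R" in s["flags"] and s["src"] == claimed_sender
    ]


if __name__ == "__main__":
    client = parse_capture(CLIENT_CAPTURE)
    server = parse_capture(SERVER_CAPTURE)
    print("seen at server, never at client:")
    for s in segments_only_in(server, client):
        print("  ", s["src"], ">", s["dst"], "flags", s["flags"], "seq", s["seq"])
    print("RSTs the client never sent:")
    for s in spurious_resets(server, client, "203.0.113.10.51234"):
        print("  ", s["src"], ">", s["dst"], "seq", s["seq"])
```

Run it against real captures by feeding `tcpdump -nS -r file` output from each host into `parse_capture`; a third capture from the firewall's inner and outer interfaces can be diffed the same way to pin down which hop first sees, or first loses, a given segment.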
