[pfSense] Connection issues after changing from 2.0.3-RELEASE to 2.1-RELEASE

[Stefan Baur]

Hi List,

I'm kind of stumped by this.
Situation:
pfSsense with 3 Interfaces
WAN: 192.168.0.161/24 (DHCP)
LAN: 192.168.133.1/24
OPT1 (renamed "DMZ"): 172.16.0.2/12

What I did:
1) fresh install of 2.1-RELEASE as virtual machine (KVM on Linux host), 
with same virtual machine settings as for 2.0.3-RELEASE
2) enabled virtio network and disk devices as described on the wiki
3) loaded config of 2.0.3-RELEASE and changed interface/disk names as 
required

What I did NOT do until the issue appeared:
change any firewall rules

Issue:
After upgrading, all TCPv4 connections (and possibly UDPv4 too) between 
LAN and OPT1 (and vice versa) do not work
(Haven't tried IPv6 at all, since I don't have that configured)

What I'm trying is (as an example, http/proxy connections via 
80/8080/3128 don't work, either):
ssh from 192.168.133.100 to 172.16.0.110

Firewall log shows that the connection is being attempted and allowed:
pass Dec 12 08:51:10 LAN 192.168.133.100:51876 172.16.0.110:22 TCP:S

Result: Nothing happens, connection silently times out

Same goes for the opposite direction, I try:
ssh from 172.16.0.110 to 192.168.133.100

Firewall log shows that the connection is being attempted and allowed:
pass Dec 12 09:02:55 DMZ 172.16.0.110:52172 192.168.133.100:22 TCP:S

Result: Nothing happens, connection silently times out

On 192.168.133.100, the source machine, netstat -rn gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt 
Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 br1
172.16.0.0      192.168.133.1   255.240.0.0     UG        0 0          0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br1
192.168.133.0   0.0.0.0         255.255.255.0   U         0 0          0 br0

On the pfSense box, netstat -rn gives:
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use Netif Expire
default            192.168.0.1        UGS         0     7611 vtnet0
127.0.0.1          link#4             UH          0       28 lo0
172.16.0.0/12      link#3             U           0    17787 vtnet2
172.16.0.2         link#3             UHS         0        0 lo0
192.168.0.0/24     link#1             U           0     7669 vtnet0
192.168.0.1        52:54:00:60:93:00  UHS         0    19408 vtnet0
192.168.0.161      link#1             UHS         0        0 lo0
192.168.133.0/24   link#2             U           0     2193 vtnet1
192.168.133.1      link#2             UHS         0        0 lo0

Internet6:
Destination                       Gateway Flags      Netif Expire
::1                               ::1 UH          lo0
fe80::%vtnet0/64                  link#1 U        vtnet0
fe80::5054:ff:fe60:9300%vtnet0    link#1 UHS         lo0
fe80::%vtnet1/64                  link#2 U        vtnet1
fe80::5054:ff:fe60:9301%vtnet1    link#2 UHS         lo0
fe80::%vtnet2/64                  link#3 U        vtnet2
fe80::5054:ff:fe60:9302%vtnet2    link#3 UHS         lo0
fe80::%lo0/64                     link#4 U           lo0
fe80::1%lo0                       link#4 UHS         lo0
ff01::%vtnet0/32                  fe80::5054:ff:fe60:9300%vtnet0 
U        vtnet0
ff01::%vtnet1/32                  fe80::5054:ff:fe60:9301%vtnet1 
U        vtnet1
ff01::%vtnet2/32                  fe80::5054:ff:fe60:9302%vtnet2 
U        vtnet2
ff01::%lo0/32                     ::1 U           lo0
ff02::%vtnet0/32                  fe80::5054:ff:fe60:9300%vtnet0 
U        vtnet0
ff02::%vtnet1/32                  fe80::5054:ff:fe60:9301%vtnet1 
U        vtnet1
ff02::%vtnet2/32                  fe80::5054:ff:fe60:9302%vtnet2 
U        vtnet2
ff02::%lo0/32                     ::1 U           lo0

Funnily, when I ssh to 192.168.133.1 (the pfSense box), I can continue 
to ssh to 172.16.0.110 just fine from there.

On 172.16.0.110, the destination machine, netstat -rn gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt 
Iface
0.0.0.0         172.16.0.2      0.0.0.0         UG        0 0          0 
eth0
172.16.0.0      0.0.0.0         255.240.0.0     U         0 0          0 
eth0


Connections between OPT1/DMZ and WAN work just fine:
When I try:
ssh from 172.16.0.110 to 192.168.0.10

The firewall log shows:
pass Dec 12 09:19:50 DMZ 172.16.0.110:43745 192.168.0.10:22 TCP:S

And it connects just fine.

Since this is a test environment, I had no pain disabling all firewall 
rules and adding a
"pass, log     IPv4 *     *     *     *     *     *     none" at the top 
of every interface ruleset.

This doesn't change a thing with regards to the TCP packages though (and 
yes, I hit the "reload" button):

After making this change, I can Ping from anywhere to anywhere just fine.
SSH/HTTP/Proxy still doesn't work across interfaces.
So it seems only TCP (and possibly UDP) is affected by whatever is 
causing this, while ICMP goes through (as long as there's no blocking rule).

My first thought was that "Block private networks" was enabled for one 
of the interfaces, but the option is disabled for all.
All I'm blocking is "Bogon Networks" on WAN.

What has changed between 2.0.3-RELEASE and 2.1-RELEASE that causes this, 
what am I doing wrong?
Or is virtio buggy and causing this?
I am confused. Please help me.

-Stefan
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list