Well thanks Alex....there is definitely a problem.  I am going to be forced
to configure my setup in a more complex way.  The beauty of the way I wanted
is that the pfSense could simply be taken out of line in case of problems
and although my network would be left unprotected at least it would continue
to work with no reconfiguration of any other equipment.

I've run into another problem...when I change the LAN IP address, it appears
that the firewall rule for the LAN has to be changed.  The default rule that
exists there, LAN Net to any, doesn't work anymore and has to be changed to
reflect the subnet of the new range.

Oh well...it's a work in progress....I wonder if there is a way to disable
'stateful packet inspection'.

But anyways, just like you are saying...Initial connections seem to work
great in most cases but eventually will quit working.  My Novell clients end
up having problems talking to my servers and I have another client/server
(library card catalog) that refuses to talk at all.

On Sat, Mar 14, 2009 at 10:42 AM, Alex <alex....@gmail.com> wrote:

> On Fri, Mar 13, 2009 at 12:50 AM, Brad Gillette <b...@bradgillette.com>
> wrote:
> > pfSense is apparently blocking traffic when a connection is
> > already established or won't keep a connection alive.
>
> Yep. I have exactly the same problem on 1.2.1. It seems that pfSense
> can't track the state of connections that are made on the same interface
> but belong to different networks. It initially allows the connection
> as it is in the rules but later on *some* packets are dropped by the
> default rule even if there is an "Allow All" rule before it.
>
> Enabling "Static Route Filtering" to bypass firewall rules for traffic
> on the same interface didn't work for this problem.
>
> I also faced this problem with a Linux/Netfilter firewall but didn't
> try it on anything else yet (not even on pfSense 1.2.2).
>
> As a workaround I routed the traffic from the L3 switch before
> reaching pfSense but that left me with limited filtering capabilities
> :/
