PFSense v1.2.3: Traffic won't route after reboot
After 852 days of uptime I had to power down my PFSense firewall machine. We had a power outage today that lasted about 30 minutes longer than I had UPS power so I took the opportunity to shut it down cleanly rather than hard-power it off.
I noticed after bringing it back online a few hours later that traffic would not route from my Wireless Network to the WAN Interface. In looking at the NAT and Firewll rules, everything seemed in order. Fortunately I was able to find a solution.
References:
- pfsense website [pfsense.org]
About
I use pfsense as a replacement for the 'router' that comes built into my D-Link DIR-655 Wireless Access Point. The routers that come built into consumer networking equipment tends to be a joke and unreliable. After dealing with unexpected routing issues for a few months I decided to upgrade to something a bit more hearty: A $299 Dell T210 server loaded with NICs running pfsense. To say that this psense setup has been reliable would be an understatement. For 852 days this router box has dramatically improved out household internet experience.
Here's photographic evidence of the reported uptime (name changed to protect the innocent):
Troubleshooting
With so many days of reliable service under its belt, it came as a surprise to find that I wasn't able to connect to the internet from my home network after I powered the box back on. After reviewing the NAT rules and then the corresponding Firewall rules, I found everything to be in order. In pfsense v1.2.3 it is the firewall component that determines what traffic can flow between network interfaces. Since I had a rule setup to allow internet traffic on common ports (that had been working for over 800 days), it was puzzling to see traffic get blocked.
After validating the connection rules I checked the system logs (Status -> System logs from the web management console) and found a couple of oddities:
Jan 27 13:34:46 |
php: : There were error(s) loading the rules: /tmp/rules.debug:185: rule label too long (max 63 chars) pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: pass in quick on $wan reply-to (em0 92.231.6.1) proto tcp from any to { 10.5.0.14 } port = 80 keep state label "USER_RULE: NAT rule list management system for PROJECT (maildude)" |
Jan 27 13:34:46 |
php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:185: rule label too long (max 63 chars) pfctl: Syntax error in config file: pf rules not loaded The line in question reads [185]: pass in quick on $wan reply-to (em0 92.231.6.1) proto tcp from any to { 10.5.0.14 } port = 80 keep state label "USER_RULE: NAT rule list management system for PROJECT (maildude)" |
Looks like some firewall rules that I had started playing around with a few months ago were causing the problem. I hadn't noticed the problem since I hadn't ever had cause to reboot the box.
The moral of the story: Check the logs when there are strange connection problems.