I'm not seeking help but rather thought I'd share an experience we had last week which has caused quite a hit on the confidence levels of pfSense.
I tried to find where it may have been human error but saw no evidence of such. Happy to upload logs to any member of the team should they care to investigate for their own reasons.

We have pfSense with 5 zones connected to the internet via gigabit, all physical interfaces. From time to time we'll saturate the line for days at a time, keeping pfSense busy (media co).

Zones:
Inside
Outside
WiFi
DMZ1
DMZ2

The zone of concern is the WiFi zone. Its rule set is very simple.

1. Allow from wifi to inside webmail server on port 443/80.
2. Block all from wifi to inside any any.
3. Allow from wifi to internet any any.

This was tested when the policy was put into place last winter and functioned as expected.

Fast forward, 140 days up-time at this point. Helpdesk staff informs me people on the wifi are able to mount internal CIFS shares and browse internal web resources. I look at it, verify this is the case using tcpdump on the wifi interface. Look at the rules, disable and re-enable them, nothing changes.

There is an update waiting to be applied. We apply the update and reboot. (In hindsight, wish we didn't, but we were getting the "fix asap!!" message.) When it comes up again, all is back to "normal". Policy is being respected.

It seems as if at some point the policy stopped working; even a flip/flop of the rule set didn't help. No one has made changes in that zone since the device was deployed.

As you can imagine this is a cause of huge concern for us. I've been using pfSense for about 11 years and this was quite the blow. I hope it was something we did, but I can't think of how things could become so broken that disabling the rule then re-enabling it did nothing to correct...

Has anyone else experienced policy 'failing' after a period of time?

take care,
greg
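Added example, not part of the original post: a scheduled reachability check, run from a client in the WiFi zone, that compares what actually connects against the three rules listed above so that silent policy drift is noticed instead of waiting for a helpdesk report. The addresses are constructed placeholders, and the check assumes rule 2 is a silent Block (drop) rather than a Reject, so a blocked path should produce no answer at all.

```python
import socket
import sys

# Constructed placeholder addresses (assumptions, not from the post).
WEBMAIL, INSIDE, INTERNET = "192.0.2.10", "192.0.2.20", "198.51.100.1"

# (host, port, allowed) as seen from a WiFi-zone client, mirroring rules 1-3.
EXPECTED = [
    (WEBMAIL, 443, True), (WEBMAIL, 80, True),     # rule 1: webmail only
    (WEBMAIL, 445, False), (INSIDE, 445, False),   # rule 2: no CIFS to inside
    (INSIDE, 80, False),                           # rule 2: no internal web
    (INTERNET, 443, True),                         # rule 3: internet allowed
]

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' (RST came back) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, host or network unreachable
        return "filtered"

def audit(expected=EXPECTED, probe_fn=probe):
    """Return findings as (kind, host, port, state); empty means policy holds."""
    findings = []
    for host, port, allowed in expected:
        state = probe_fn(host, port)
        if not allowed and state != "filtered":
            # A silent Block rule never answers, so 'open' or 'refused' means
            # the packet reached the inside host: the policy is leaking.
            findings.append(("LEAK", host, port, state))
        elif allowed and state != "open":
            # Could be the firewall, or just the service being down.
            findings.append(("UNREACHABLE", host, port, state))
    return findings

if __name__ == "__main__":
    results = audit()
    for kind, host, port, state in results:
        print(f"{kind} {host}:{port} state={state}")
    # Non-zero exit only on a leak, so cron or monitoring can alert on it.
    sys.exit(1 if any(kind == "LEAK" for kind, *_ in results) else 0)
```

A "refused" result on a blocked path is reported as a leak because the reset had to come from the inside host, which means the packet crossed the firewall.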
