News: This forum is now permanently frozen.
Pages: [1]
Topic: Anti-spoofing rules blocking traffic  (Read 281 times)
« on: January 02, 2015, 14:40:51 »
mx1 *
Posts: 1


I've just setup my first m0n0wall and bumped into following issue:

m0n0 is connected to the Internet (WAN interface) and there are multiple networks behind it. One of the networks ( is connected on interface OPT1, and is a router. Behind this router is a network with public addresses (x.x.x.x/26). I've added static route on OPT1 interface for the x.x.x.x/26 network with the as the gateway. I've added the pass any/x.x.x.x rule on the WAN interface. The problem is that when traffic enters from the Internet it gets blocked by the default antispoofing rule on the OPT1 interface. Here is an example of how logs look like:

Jan  2 14:19:49 xxxx ipmon[129]: 14:19:48.905723 em0 @200:23 p 83.x.x.x -> X.X.X.1 PR icmp len 20 60 icmp echo/0 K-S IN
Jan  2 14:19:49 xxxx ipmon[129]: 14:19:48.906079 em2 @0:19 b 83.x.x.x -> X.X.X.1 PR icmp len 20 60 icmp echo/0 IN

As you can see the traffic enters on WAN interface (em0) and gets routed through OPT1 but is blocked by rule @0:19, which is default anti-spoof:
@19 block in log quick on em2 all

For me the one thing that is clearly wrong is the direction of traffic - at em2 it should be "OUT" not "IN". I suppose that the issue arises from the fact that x.x.x.x is a public network so everything public is treated as IN.
Any ideas how to fix it beside somehow disabling anti-spoofing?


Pages: [1]
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines