Not the first core update to break it, but usually just disabling and re-enabling blue->green rules will fix it. Devices will now connect to green from blue after doing this, but something else is wrong this time. IPF is blocking Samba connections between the two. Four devices, and all now fail to connect to Samba shares when connected to the blue network. All still connect fine to the same shares via ssh/sftp and connect via Samba when connected through VPN. So, the issue is definitely only with Samba and from blue to green. Any ideas on this?
Also lost the ability to loop back when accessing the WUI from within the network. No problem if by IP, but by domain name it fails.
On the first issue no, I did not reboot after changing the rule. Seems silly to have to reboot after a minor rule change, but I will give it a try later today.
For the second issue, this is from any zone inside the network, blue or green. Blue is fine, that’s the way it should be, but not green. Also not working on select devices that allow blue to green communication.
Well…I just tried to connect to the firewall from outside my network and it fails to connect as well by domain name. I can ping my domain and get an IP return so DNS is working, just something with IPFIRE.
Ping to the IPfire machine by hostname is successful from the IPFIRE console via SSH and a laptop on blue.
DNS is working, the appliance simply is not responding. I can probably reinstall then restore from backup. Not much of a solution though.
I finally lost all DNS resolution to the firewall and even external IP access, which may have been lost after upgrade but I just never noticed it. This all forced me to look into these issues.
First thought was to re-install and restore from backup, which I did, to no avail. Interesting. Now, at this point I could have restored a different backup. I store at least one backup per upgrade, but that’s really a last resort. Better to understand what happened and how it broke.
Made sure the external access firewall rule is still present and enabled. Removed the rule and added it again, but still no access, even by known good WAN IP. Started looking over my firewall rules, of which there are more than 40. Some of the rules now showed the right interface and internal IP target, but the port was gone!! IPFIRE had several rules set to forward ALL TCP traffic to one of my servers. That’s just dangerous. IPFIRE opened up ALL ports to this server. All my rules and everything really on my network is methodically catalogued. I referenced this and added the proper ports back. IP access restored. Two issues resolved, since I had already fixed the Blue Access issue.
I visited my domain hosting company and looked over things there, where I came across an interesting error with my hostname not resolving. Looking into that, I found IPFIRE was no longer syncing with the site across all five records. I hadn’t changed any of these, so at first I just tried re-entering the login details. Didn’t work. I then removed all the entries and added them from scratch. That worked. Okay, IPFIRE somehow corrupted all the entries on upgrade. All issues resolved. Fresh backup run and stored off the firewall per SOP.