Troubleshooting firewall rules

At some point, there will be a situation where your firewall rules aren't doing what you think they should be doing, and your firewall troubleshooting skills are put to the test. The first step is to diagnose the problem (for example, nodes on the DEVELOPERS network cannot access the internet). If we can easily identify the interface or interfaces that are affected, then we can focus on that interface's ruleset.

It is probably a good idea to check the Floating Rules tab first, since floating rules take precedence over rules for an individual interface, and if the problem is a misconfigured floating rule, then we can save a lot of time that we otherwise would spend double-checking an interface's ruleset. If you are running a proxy server on your firewall, you may want to check its settings as well, since a proxy server's allow and deny lists tend to supersede the firewall rule settings.

The next step is to check the firewall rules for the affected interfaces, keeping in mind that firewall rules are evaluated from the top down. If warranted, check the allowed/blocked protocols. For example, if a rule is set up to allow only TCP traffic to pass through to an interface, a video streaming client that uses UDP will not work.

A good way of finding out whether a Pass rule is effective is to look at the rules table and check the States column (the leftmost column). This column indicates the number of current states created, as well as the total amount of data that has passed through the firewall, as a result of traffic matching this rule. If you hover your mouse over this column, you will see even more information. If the rule has been enabled for some time and no data is passing in connection with the rule, then there is a good chance the rule is either misconfigured, or the traffic matches another rule before it gets to this rule.

pfSense makes it easy to disable and enable rules, and you should take advantage of this in your troubleshooting. Sometimes the easiest way to troubleshoot rules is to disable one or more rules, take note of network behavior after the rules are disabled, and then re-enable the rules one at a time, taking note of any network changes as you do so. This should help you pinpoint the rule or rules that are causing the problem, and bring you one step closer to solving the issue.

If you still cannot figure out what the problem is, it might be a good idea to enable logging for the rules you suspect may be causing the problem. This is usually not recommended, as enabling logging for rules tends to quickly use up disk space, but sometimes looking at the logs can be helpful. Once you have enabled logging for the rules, navigate to Status | System Logs and click on the Firewall tab. You can use the filtering options at the top of the page to help focus on the relevant log entries.
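Once logging is enabled, the raw firewall log is easier to reason about when it is reduced to counts per rule, protocol and destination port; this quickly exposes the kind of protocol mismatch described above (TCP passing while a streaming client's UDP is blocked). The script below is an added example, not from the book: it assumes the pfSense filterlog CSV field layout (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, length, source and destination address, and ports), and the log lines, the DEVELOPERS subnet, interface name and tracker IDs are all constructed.

```sh
#!/bin/sh
# Added example (not pfSense code): summarise filterlog entries to find which
# rule is catching traffic. Field positions below follow the pfSense filterlog
# CSV format as the author of this example understands it; check them against
# your own Status | System Logs | Firewall output before relying on them.

# Constructed sample lines (not real traffic). The DEVELOPERS network is
# assumed to be 192.168.20.0/24 on igb1; tracker 1000000103 is a pass rule
# for TCP, tracker 1000000104 is the default deny catching UDP streaming.
SAMPLE_LOG='Mar 3 10:01:02 pf filterlog[21345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.20.15,203.0.113.10,51000,443,0,S,1234,,65535,,mss
Mar 3 10:01:03 pf filterlog[21345]: 9,,,1000000104,igb1,match,block,in,4,0x0,,64,1002,0,DF,17,udp,1392,192.168.20.15,203.0.113.20,50001,3478,1372
Mar 3 10:01:03 pf filterlog[21345]: 9,,,1000000104,igb1,match,block,in,4,0x0,,64,1003,0,DF,17,udp,1392,192.168.20.15,203.0.113.20,50001,3478,1372
Mar 3 10:01:04 pf filterlog[21345]: 9,,,1000000104,igb1,match,block,in,4,0x0,,64,1004,0,DF,17,udp,1392,192.168.20.15,203.0.113.20,50001,3478,1372
Mar 3 10:01:04 pf filterlog[21345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.20.16,203.0.113.10,51002,443,0,S,1235,,65535,,mss'

# Read log lines on stdin; print "count action interface proto src -> dst:dport rule=tracker",
# most frequent first. Only IPv4 records (field 9 == 4) are handled here.
summarize_filterlog() {
    awk -F',' '
        { sub(/^.*filterlog\[[0-9]*\]: /, "") }      # drop syslog header; $0 re-splits
        $9 == "4" {                                  # IPv4 layout: $7 action, $5 iface,
            key = $7 " " $5 " " $17 " " $19 " -> " $20 ":" $22 " rule=" $4
            hits[key]++                              # $17 proto, $19/$20 addrs, $22 dport
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Count records matching one action/protocol pair, e.g. "block udp", so a
# suspected protocol mismatch can be confirmed with a single number.
count_hits() {
    awk -F',' -v act="$1" -v proto="$2" '
        { sub(/^.*filterlog\[[0-9]*\]: /, "") }
        $9 == "4" && $7 == act && $17 == proto { n++ }
        END { print n + 0 }
    '
}

# Usage against the constructed sample (swap in: clog /var/log/filter.log | ...):
printf '%s\n' "$SAMPLE_LOG" | summarize_filterlog
printf 'blocked udp: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_hits block udp)"
```

Run on the firewall itself the same functions apply to the live log, and the top line of the summary names the tracker ID to look for in the rules table.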

If logging doesn't provide enough information about the source of the problem, you might consider using tcpdump, a command-line utility included with pfSense. tcpdump is a packet analyzer that prints the contents of network packets. It is extremely useful, albeit somewhat difficult to use at first. It is beyond the scope of this chapter to provide a tutorial on tcpdump, but you should be aware that it is available. We will cover tcpdump in greater depth in the final chapter.

If you have made a recent change to the firewall rules, and some traffic is getting through that seems to violate the firewall rules, it is possible that the state table entries for the connections pre-date the rule change. Therefore, if you want the connections to be dropped, you will have to reset the state table. To do this, navigate to Diagnostics | States and click on the Reset States tab. Click on the Reset button, which will remove all entries from the state table. This will also reset any active connections, so take that into account.
