I am tearing my hair out here.
Going right back to the basic troubleshooting and not even documenting
the end goal... I have a m0n0 with OPT1 interface which is attached to
an ADSL router on a /30. I can ping out of it fine, setting a static
route to a host to make sure it goes out of the right interface. I can
ping the IP of the ADSL router from other hosts. However, no matter
what rules I set up, I always see it blocked in the firewall log. I
have a rule on WAN to let everything pass to the OPT1 subnet (as suggested
ages ago to get it to work as an IPsec VPN endpoint).
I have used several rules, individually and combined, on OPT1 to let
everything through, to let ICMP through the IP of OPT1 and several other
attempts. I have moved these rules to the WAN interface, where they do
exactly as I expect; moving them back to OPT1 has absolutely no effect -
any traffic I want to be dealt with on OPT1 is just blocked.
I know it's the default rule doing this because when I tell the logs to
stop logging stuff blocked by the default rule, they stop appearing...
I already have another m0n0 doing exactly this role which works fine and
the configs seem identical (hardware aside).
If anybody has any ideas or knows of any bugs in the rule ordering and
knows how to get around this, please help me, I'm absolutely baffled!
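Since the post says the two firewalls' configs "seem identical", a quick way to check that claim is to pull the filter rules out of both config.xml exports, group them by interface in their stored order, and diff the two. The script below is an added example, not code from the original post or from the m0n0wall project; the XML layout it parses (`<filter><rule>` entries with `<type>`, `<interface>`, `<protocol>`, `<source>`, `<destination>` and `<descr>` children) is an assumption modelled on m0n0wall's config.xml, and both configs are constructed inline so it runs offline. In the constructed pair, the second box has its catch-all OPT1 rule accidentally bound to WAN, which is the kind of difference that is easy to miss by eye but shows up immediately in a per-interface diff.

```python
"""Compare per-interface firewall rule order between two m0n0wall-style
config.xml files.  Added example; XML layout is an assumption modelled on
m0n0wall's <filter><rule> entries.  Sample configs are constructed inline."""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's described setup (WAN pass to OPT1 subnet,
# plus two OPT1 rules).
CONFIG_A = """<m0n0wall>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>any</protocol>
      <source><any/></source><destination><network>opt1</network></destination>
      <descr>Allow WAN to OPT1 subnet (IPsec endpoint)</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><protocol>icmp</protocol>
      <source><any/></source><destination><network>opt1ip</network></destination>
      <descr>ICMP to OPT1 address</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><protocol>any</protocol>
      <source><any/></source><destination><any/></destination>
      <descr>Allow everything on OPT1</descr></rule>
  </filter>
</m0n0wall>"""

# Constructed sample: "identical" config where the catch-all rule is bound to
# WAN instead of OPT1 (a plausible copy/paste slip).
CONFIG_B = CONFIG_A.replace(
    "<interface>opt1</interface><protocol>any</protocol>",
    "<interface>wan</interface><protocol>any</protocol>")


def _endpoint(elem):
    """Render a <source>/<destination> element as a short string."""
    if elem is None:
        return "?"
    if elem.find("any") is not None:
        return "any"
    net = elem.findtext("network")
    if net:
        return "net:" + net.strip()
    addr = elem.findtext("address")
    if addr:
        port = elem.findtext("port")
        return addr.strip() + (":" + port.strip() if port else "")
    return "?"


def rules_by_interface(xml_text):
    """Map interface name -> ordered list of (type, proto, src, dst, descr)."""
    root = ET.fromstring(xml_text)
    out = {}
    for rule in root.findall("./filter/rule"):
        iface = (rule.findtext("interface") or "").strip().lower()
        entry = (
            (rule.findtext("type") or "pass").strip(),
            (rule.findtext("protocol") or "any").strip(),
            _endpoint(rule.find("source")),
            _endpoint(rule.find("destination")),
            (rule.findtext("descr") or "").strip(),
        )
        out.setdefault(iface, []).append(entry)
    return out


def diff_rulesets(a, b):
    """Interfaces whose ordered rule lists differ (descriptions ignored),
    returned as iface -> (rules_in_a, rules_in_b)."""
    diffs = {}
    for iface in sorted(set(a) | set(b)):
        ra, rb = a.get(iface, []), b.get(iface, [])
        if [r[:4] for r in ra] != [r[:4] for r in rb]:
            diffs[iface] = (ra, rb)
    return diffs


def interfaces_without_rules(rules, interfaces):
    """Interfaces with no rules at all: only the default deny applies there."""
    return [i for i in interfaces if not rules.get(i)]


if __name__ == "__main__":
    ra, rb = rules_by_interface(CONFIG_A), rules_by_interface(CONFIG_B)
    for iface, (left, right) in diff_rulesets(ra, rb).items():
        print("interface %s differs:" % iface)
        for r in left:
            print("  A:", r)
        for r in right:
            print("  B:", r)
    print("no rules (default deny only):",
          interfaces_without_rules(rb, ("lan", "wan", "opt1")))
```

To use it on real exports, replace the two constants with the contents of each box's config.xml and keep the tag names in step with whatever your version actually writes; a rule that the diff shows bound to the wrong interface, or an interface that turns up in the "no rules" list, is the first thing to look at before suspecting rule-ordering bugs.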