WAN interface address alias is not working in rules
-
I just installed pfSense 22.05 from scratch and now I am trying to make leaking protection rule for VPN tunnel, but having hard time to get it work.
I have narrowed problem down to interface address/net alias (automated entry in firewall rule source/destination drop down menu). This is WAN interface from OOB and I have not touch NAT settings yet.
If I just select either interface address or net as a source, no traffic going to hit that rule. I can see in firewall log that source is interface IP. If I manually enter interface IP it works. I have checked that interface status page is showing right IP address also.
WAN interface have dynamic IP and DDNS feels overkill solution to tacle this.
I have made workaround with alias which include every VPN interface IP's and in rule I have source inverted match for this alias.
Workaround works fine, but is this working like it should? Can I see somehow what IP does that address alias really have?
Same problem occur when I try to make traffic shaping as instructed here: https://docs.netgate.com/pfense/en/latest/recipes/codel-limiters.html
I have tried it with this very basic rule (no advanced settings):
-
What do you expect that rule to do? Block all outbound traffic from WAN1?
https://docs.netgate.com/pfsense/en/latest/nat/process-order.html
Steve
-
@mixka Maybe don't do everything at once and learn the basics first.
-
Rule is just simplified example. But yes, I expect that to block (reject) outbound NAT traffic (which use WAN1 as gateway) from WAN1.
And as a referance I have used these:
https://docs.netgate.com/pfsense/en/latest/nat/process-order.html#firewall-nat-processing-order-example
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#direction
https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html#create-floating-ruleI try to cover most of "everything" because it is going to be drop-in replacement for old box.
If that was basic user error, then please, enlight me :)
-
So if you replace 'WAN1 address' with the actual IP address or an alias containing that IP it does block the traffic as expected?
That seems very similar to another thread.....
-
@stephenw10 said in WAN interface address alias is not working in rules:
That seems very similar to another thread.....
Yeah - was thinking the same thing, something to do with interface names or something. He had imported config from a different device and changed the names but there was some sort of disconnect there that not allowing the aliases like optX net to work..
here is that thread
https://forum.netgate.com/topic/173608/pfsense-not-propagating-system-aliases-lanx-net-lanx-address -
Ah, yes! That was it.
Any chance you did something similar here @Mixka? -
Well... As said, I installed pfSense from scratch (did not restored any old config), BUT indeed, I manually changed interface names from config file.
First thing what I did to vanilla config was that I made two WAN ports. WAN1 was named as WAN and WAN2 was named as LAN, so I exported that config and replaced WAN and LAN as WAN1 and WAN2 under interface and restored that back to pfSense. That was only thing what I have done manually to config file. Everything else is made via web GUI.
I did search in config file that is there any other references to these ports, but there was none.
<interfaces> <wan1> <enable></enable> <if>igb0</if> <blockpriv></blockpriv> <blockbogons></blockbogons> <descr><![CDATA[WAN1]]></descr> <ipaddr>dhcp</ipaddr> ... </wan1> <wan2> <enable></enable> <if>igb1</if> <blockpriv></blockpriv> <blockbogons></blockbogons> <descr><![CDATA[WAN2]]></descr> <ipaddr>dhcp</ipaddr> ... </wan2> </interfaces> -
Ah, OK, that will do it.
I opened a report to track that issue in the other thread but as I predicted it was rejected because that's not expected to work: https://redmine.pfsense.org/issues/13376
It interesting that it doesn't whilst everything else seems to work fine but the backend interface names in the config should not be changed. The interface description can be changed which is what the GUI displays.Steve
-
Oh damn... I already have made quite complex setup on top of that. And I think it is beyond fixable. Manually changing now everything back in config file is nightmare.
And yes, description is what most part of pfSense web GUI is showing to user, but for example in VLAN config there is only interface name and tag showing. No description at all.
I expect that is case in somewhere else too. That is why I did change that tag in first place. It would be really missleading to see WAN2 as LAN.
-
@mixka said in WAN interface address alias is not working in rules:
but for example in VLAN config there is only interface name and tag showing. No description at all.
Huh? Not following, once you assign a vlan to can for sure have it show up as different name.
So for example if I add a new vlan, give it a description and then once assigned I can then name that OptX interface whatever you want by editing its description.
-
Mmm, the point of the backend interface tags is that they are independent of the actual NICs and interface 'Names'. That allows you to re-assign or rename an interface and keeps all the same rules etc referencing it.
Now in retrospect it might have been better to use, for example, int0..int1 etc. I believe that was inherited from m0n0wall.
Whilst it's sometimes easier to edit the config directly it's not expected that the average user will ever do that.Steve
-
@johnpoz said in WAN interface address alias is not working in rules:
@mixka said in WAN interface address alias is not working in rules:
but for example in VLAN config there is only interface name and tag showing. No description at all.
Huh? Not following, once you assign a vlan to can for sure have it show up as different name.
...I can see same "problem" in your screenshots too.
Yes, you can assign as good descriptions you want, but for example when selecting interface for VLAN you can just see name and tag.
I know that it is just visual and does not change how things work, but at least for my OCD brains it hurts a little to select "LAN" interface for WAN connection. Like strange feeling that under the hood something is not "right". At least it is confusing.
Or maybe I am alone with this and just need to book therapist :D
![2022-08-25 18_46_14-Interfaces_ WAN2 (igb1) - fw.home.lan and 5 more pages - [InPrivate] - Microsoft.png](/assets/uploads/files/1661443760499-2022-08-25-18_46_14-interfaces_-wan2-igb1-fw.home.lan-and-5-more-pages-inprivate-microsoft.png)
![2022-08-25 18_49_19-Interfaces_ VLANs_ Edit - fw.home.lan and 5 more pages - [InPrivate] - Microsoft.png](/assets/uploads/files/1661443739102-2022-08-25-18_49_19-interfaces_-vlans_-edit-fw.home.lan-and-5-more-pages-inprivate-microsoft.png)
![2022-08-25 18_59_55-Interfaces_ Interface Assignments - fw.home.lan and 5 more pages - [InPrivate] -.png](/assets/uploads/files/1661443766071-2022-08-25-18_59_55-interfaces_-interface-assignments-fw.home.lan-and-5-more-pages-inprivate.png)
-
@mixka said in WAN interface address alias is not working in rules:
it hurts a little to select "LAN" interface for WAN connection.
I personally would of never used that interface.. Would of just used a different interface. And used lan for something on the lan side of your network.
But you can change the lan description as well.
-
@johnpoz said in WAN interface address alias is not working in rules:
I personally would of never used that interface.. Would of just used a different interface. And used lan for something on the lan side of your network.
It is way more convinient that WAN interfaces are next to each others. Or is it possible to change physical interface to interface? I know it is possible in config file, but would it broke something? And is it possible to rearrange interface tags under config file?
@johnpoz said in WAN interface address alias is not working in rules:
But you can change the lan description as well.
As I have done (WAN2), but in VLAN parent interface selection still shows "lan" (and only that).
-
Mmm, that's true it does show the internal interface name there.
That could probably be switched. You could open a feature request if there isn't one already.
https://redmine.pfsense.org/ -
@mixka said in WAN interface address alias is not working in rules:
As I have done (WAN2), but in VLAN parent interface selection still shows "lan" (and only that).
Ah I get what your saying now. Even though I changed my Lan name description, if I go to add a vlan it still shows lan on there.
Yeah that could prob be changed, put in a feature request prob be best option there.
But it doesn't only show that it clearly shows the actual interface does it not, for example mine is igb0
-
-
@johnpoz said in WAN interface address alias is not working in rules:
it clearly shows the actual interface
Yes, but it is not friendly name or something that user can change without breaking something.
Do you guys know would it break something when physical interface name is changed in config file?
<interfaces> <wan> <if>igb0</if> <descr><![CDATA[WAN1]]></descr> ... </wan> <lan> <if>igb2</if> <descr><![CDATA[LAN]]></descr> ... </lan> <opt1> <if>igb1</if> <descr><![CDATA[WAN2]]></descr> ... </opt1> </interfaces>And what about re-arrange interface tags?
<interfaces> <wan> <if>igb0</if> <descr><![CDATA[WAN1]]></descr> ... </wan> <opt1> <if>igb1</if> <descr><![CDATA[WAN2]]></descr> ... </opt1> <lan> <if>igb2</if> <descr><![CDATA[LAN]]></descr> ... </lan> </interfaces> -
The xml there is identical. The order doesn't matter for assigning the interfaces.
