Netgate Discussion Forum

Where to add VIP interface rule ?

HA/CARP/VIPs
  • huud, last edited Mar 2, 2023, 5:52 AM

    Hi,

    I have set up a VIP (10.10.13.1), FW1 (10.10.13.2 | Sub-Interface VLAN13_Servers), FW2 (10.10.13.3 | Sub-Interface VLAN13_Servers).

    I have set a reject any IPv4 rule on this Sub-Interface of FW1, and shutdown FW2 for testing.

    Parent interface 1_Management_Trunk of Sub-Interface VLAN13_Servers is also added with a reject all IPv4 rule.

    I have 2 VMs, 1 in 192.168.13.0/24 and other in 10.10.13.0/24 communicating with each other even with a reject rule.

    I found out that if I disable the VIP (10.10.13.1 in FW1) the pings between the 2 VMs stop. So I'm understanding that this is because the gateway of the VM in the 10.10.13.0/24 network is set as 10.0.13.1 (VIP).

    At this point I'm lost as to which interface to apply the block rule to for traffic going through the VIP gateway?

    Any thoughts?

    Thank You

    • SteveITS (Galactic Empire) @huud, last edited Mar 2, 2023, 6:25 AM

      @huud rules are processed in order on the interface on which the packet arrives.

      If adding block rules ensure there are no existing/open states that would allow the traffic.
      https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • huud @huud, Mar 2, 2023, 10:29 AM (last edited by huud Mar 2, 2023, 10:31 AM)

        @SteveITS Thanks for clarifying that.

        I can understand about the states now, but I could not understand, in my case where a VIP is added on a VLAN sub-interface, whether a block rule should be added to the parent or to the VLAN sub-interface for the rule to take effect, because I'm unable to understand where the VIP interface is.

        • viragomann @huud, last edited Mar 2, 2023, 10:52 AM

          @huud
          No, a VLAN interface is completely independent from the parent interface.

          Basically pfSense blocks any traffic, and you need to add a rule to allow something.

          So you have already cleared the states?

          Consider the Rule Processing Order in pfSense.
          If you have floating pass rules or rules on an interface group, which the concerned interface is a member of, these have higher priority.

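The two points made so far (rules are evaluated only on the interface where a packet arrives, an existing state bypasses the rules, and floating or interface-group rules come before interface rules) are easy to see in a small model. The block below is an added example written for this thread, not pfSense or pf code; it assumes the processing order described above (state table, then floating, then interface group, then the arriving interface's own tab, first match wins, i.e. floating rules are treated as "quick"). The interface name VLAN13_Clients, the group name ServerIfaces and the host addresses are assumptions, standing in for whatever the 192.168.13.0/24 VM actually sits behind.

```python
"""Toy model of pfSense rule processing order (added example, not pfSense code).

Order assumed, following the thread: an entry in the state table passes the
packet before any rule is consulted; otherwise floating rules, then interface
group rules, then the rules of the interface the packet ARRIVES on are walked
in order and the first matching rule decides. Nothing matching means block.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TIER_ORDER = ("floating", "group", "interface")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (inbound direction only)
    proto: str
    src: str
    dst: str


@dataclass
class Rule:
    tier: str    # "floating" | "group" | "interface"
    iface: str   # interface name, group name, or "*" for any interface
    action: str  # "pass" | "block" | "reject"
    proto: str = "any"
    src: str = "any"   # "any" or a CIDR network
    dst: str = "any"

    @staticmethod
    def _net_match(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet, groups: dict) -> bool:
        # A group rule applies to every member interface of that group;
        # any other rule only to packets arriving on its own interface.
        if self.tier == "group":
            if pkt.iface not in groups.get(self.iface, ()):
                return False
        elif self.iface not in ("*", pkt.iface):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        return self._net_match(self.src, pkt.src) and self._net_match(self.dst, pkt.dst)


def evaluate(pkt: Packet, rules: list, states=frozenset(), groups=None):
    """Return (action, reason) for an inbound packet."""
    groups = groups or {}
    # 1. State table: an established state is matched in either direction and
    #    passes the packet without looking at any rule (why states must be
    #    cleared after adding a block rule).
    if (pkt.proto, pkt.src, pkt.dst) in states or (pkt.proto, pkt.dst, pkt.src) in states:
        return "pass", "existing state"
    # 2. Rules, tier by tier, first match wins.
    for tier in TIER_ORDER:
        for rule in (r for r in rules if r.tier == tier):
            if rule.matches(pkt, groups):
                return rule.action, f"{tier} rule on {rule.iface}"
    # 3. Nothing matched: pfSense's default deny.
    return "block", "default deny"


def thread_scenario() -> dict:
    """Replays the thread's setup (constructed hosts, assumed interface names)."""
    rules = [
        Rule("interface", "VLAN13_Servers", "reject"),      # huud's reject-any on the VLAN
        Rule("interface", "1_Management_Trunk", "reject"),  # and on the parent trunk
        # Assumed: the interface the 192.168.13.0/24 VM sits behind has a pass rule.
        Rule("interface", "VLAN13_Clients", "pass", src="192.168.13.0/24"),
    ]
    groups = {"ServerIfaces": ("VLAN13_Servers",)}          # assumed group name
    to_server = Packet("VLAN13_Clients", "icmp", "192.168.13.10", "10.10.13.10")
    from_server = Packet("VLAN13_Servers", "icmp", "10.10.13.10", "192.168.13.10")
    state = frozenset({("icmp", "192.168.13.10", "10.10.13.10")})  # constructed state entry
    with_floating = [Rule("floating", "*", "pass", proto="icmp")] + rules
    with_group = [Rule("group", "ServerIfaces", "pass")] + rules
    return {
        # The reject on VLAN13_Servers never sees a packet arriving on another VLAN.
        "client_to_server": evaluate(to_server, rules, groups=groups),
        "server_to_client_no_state": evaluate(from_server, rules, groups=groups),
        "server_to_client_with_state": evaluate(from_server, rules, state, groups),
        "with_floating_pass": evaluate(from_server, with_floating, groups=groups),
        "with_group_pass": evaluate(from_server, with_group, groups=groups),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenario().items():
        print(f"{name:28s} -> {verdict}")
```

The first case is the one that matches huud's observation: the ping from the 192.168.13.0/24 VM arrives on a different interface, so the reject rules on VLAN13_Servers and on the parent trunk are never evaluated for it, and the reply from the 10.10.13.0/24 VM is then matched by the state the request created.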
          • huud @viragomann, last edited Mar 2, 2023, 10:55 AM

            @viragomann

            I have only 1 rule, which is a block-all IPv4 rule, and it is active on both the parent and the VLAN sub-interface.

            There is no floating rule added.

            Even after clearing the state table, the VM in the 10 network is accessible.

            • viragomann @huud, last edited Mar 2, 2023, 11:02 AM

              @huud
              Try Status > Filter Reload.
              I had a similar issue yesterday, as I had removed a pass rule before, and this solved it.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.