Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Where to add VIP interface rule ?

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    3
    6
    528
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      huud
      last edited by

      Hi,

      I have setup VIP (10.10.13.1), FW1 (10.10.13.2 | Sub-Interface (VLAN13_Servers), FW2 (10.10.13.3 | Sub-Interface VLAN13_Servers).

      I have set a reject any IPv4 rule on this Sub-Interface of FW1, and shutdown FW2 for testing.

      Parent interface 1_Management_Trunk of Sub-Interface VLAN13_Servers is also added with a reject all IPv4 rule.

      I have 2 VMs, 1 in 192.168.13.0/24 and other in 10.10.13.0/24 communicating with each other even with a reject rule.

      I found out that if I disable the VIP (10.10.13.1 in FW1) the pings between the 2 VMs stops. So I'm understanding that this is because gateway of the VM in 10.10.13.0/24 network is set as 10.0.13.1 (VIP).

      At this point I'm lost as to which interface to apply the block rule for traffic going through VIP gateway ?

      Any thoughts ?

      Thank You

      S H 2 Replies Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @huud
        last edited by

        @huud rules are processed in order on the interface on which the packet arrives.

        If adding block rules ensure there are no existing/open states that would allow the traffic.
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        1 Reply Last reply Reply Quote 0
        • H
          huud @huud
          last edited by huud

          @SteveITS Thanks for clarifying that.

          I can understand about the states now, but I could not understand in my case where a VIP is added on a VLAN Sub-Interface, will a block rule be added to the Parent or the VLAN Sub-Interface for the rule to take effect because I'm unable to understand where is the VIP interface ?

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @huud
            last edited by

            @huud
            No, a VLAN interface is completely independent from the parent interface.

            Basically pfSense blocks any traffic and you need to add rule to allow something.

            So you have already cleared the states?

            Consider the Rule Processing Order in pfSense.
            If you have floating pass rules or rules on an interface group, which the concerned interface is a member of, these have higher priority.

            H 1 Reply Last reply Reply Quote 0
            • H
              huud @viragomann
              last edited by

              @viragomann

              I have only 1 rule which is block all IPv4 rule which is active on both Parent and VLAN Sub-Interface.

              There is no floating rule added.

              Even after clearing the states table the VM in 10 network is accessible.

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @huud
                last edited by

                @huud
                Try Status > Filter Reload.
                Had a similar issue yesterday as I had a pass rule removed before, and this solved it.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post