"This Firewall" not working as expected in HA (High Availability)
-
Hello,
I have two pfSense systems working in HA. Both have public IP addressing on the WAN, and also on the LAN. They share an IP using CARP on both interfaces.
I have an allow rule in both directions to allow traffic to the LAN net (public IPs), so people on the LAN can do whatever they like with their public address.
Now I have a floating rule to block access to the management interfaces (webgui / ssh). I configured the rule with a destination of "This Firewall".
The problem is that on the backup firewall the public IPs on the LAN interface are still open (webgui / ssh) to the world. On the primary it's blocked like I would expect.
The IP range of the LAN network is routed to the CARP WAN interface.
Why isn't this floating rule to "This Firewall" working as I would expect on the backup pfSense?
-
@chiel
This is a known issue and was already discussed here. The alias "This Firewall" covers only the IPs of the respective firewall, not those of the other node.
So if you try to connect to the WAN IP of the backup from inside your network, the packets go out through the master, since this is the default gateway, and are accepted by the backup if access is allowed on WAN, which should not be the case anyway. To also cover the other node, block access to "WAN net" on the LAN interface.
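To make the difference between the two rules concrete, here is what they look like in pf syntax as pfSense generates it. This is an added illustration, not code from the thread or from pfSense itself; pfSense renders the "This Firewall" destination as pf's `(self)` keyword, which expands only to the addresses configured on the node that loads the ruleset. The addresses (RFC 5737 documentation ranges), the `$lan` macro and the `<ha_mgmt>` table name are assumptions for the example; in a real generated ruleset the interface appears by its device name.

```pf
# Added example; addresses are assumed (RFC 5737 documentation ranges), $lan and <ha_mgmt> are
# placeholders for the example.

# 1) The floating rule with destination "This Firewall" as it ends up in the ruleset.
#    (self) is evaluated on the node loading the rules, so on the backup it covers only the
#    backup's own addresses and on the master only the master's; neither node sees the
#    peer's addresses in it.
block drop in quick proto tcp from any to (self) port { 22 443 }

# 2) The reply's suggestion, as a LAN-interface rule: block the whole WAN net so a LAN host
#    that reaches the backup's WAN IP through the master (its default gateway) is dropped
#    on the master before the packet is forwarded. 198.51.100.0/24 stands for "WAN net".
block drop in quick on $lan proto tcp from any to 198.51.100.0/24 port { 22 443 }

# 3) A narrower variant of the same idea: a table listing both nodes' interface addresses
#    plus the CARP VIPs on both interfaces, applied on LAN, so only management ports of the
#    two firewalls are blocked rather than everything in the WAN net.
#    198.51.100.2/.3 = master/backup WAN, .1 = WAN CARP VIP; 203.0.113.2/.3 = master/backup LAN,
#    .1 = LAN CARP VIP (all assumed).
table <ha_mgmt> { 198.51.100.2 198.51.100.3 198.51.100.1 203.0.113.2 203.0.113.3 203.0.113.1 }
block drop in quick on $lan proto tcp from any to <ha_mgmt> port { 22 443 }
```

To check what each node actually loaded, run `pfctl -sr` on both nodes and look at the rule's destination: the "This Firewall" rule shows `(self)` rather than the peer's addresses, while a table-based rule can be inspected with `pfctl -t ha_mgmt -T show` to confirm both nodes' addresses are present on whichever node is currently master.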