-
@jimp
Question Jim. Because this bit me and a few others would it be reasonable to make an exception for IPsec traffic flows and a note in the webUI or documentation about this and to change at the admins own risk?
So the IPsec interfaces with VTI get the floating policy state change only. -
The ideal solution here is to fix the IPSec pfil handling so traffic is filtered on the same interfaces in and out as expected. We are looking at that (again) but the work there is non-trivial!
-
If fixing the OS level issues doesn't work out we might consider an option for automatically handling the floating policy rules for VTI but we're hoping to avoid that if possible.
-
Hi all,
So from my understanding, please correct me if I'm wrong, if I would maintain the option for Interface Bound, I would add a rule to the Floating rules on the IPsec interface as described in Rules with Floating Policy Set ?
-
Yes exactly.
-
perfect thank you I will test today and tell how it goes.
-
Ok so I was able to reboot the router and booted into 24.03
I've added the rule as described to the IPsec interface on the floating rules, put it on top of any other IPsec rules and so far my connections seem to be stable, been testing for over 5 minutes both terminal and RDP.
Next week I'll be able to test further. Have a nice weekend you all
-
@maverickws I had this issue today... looks like adding advanced rule options for floating states on the ipsec rules and a floating outbound one too as per the docs does the trick
-
@danjeman howdy.
I only added one floating rule, what you mean by two rules? -
If you need to create connections across the tunnel in both directions you need a floating outbound rule with floating state binding set to allow the replies. It's shown in the doc there now.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-statesSo you might only add one floating rule and edit the existing IPSec rule. Two rules are needed if none existed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.