pfSense redirecting traffic from `192.0.0.0/8` to LAN on every interface, no idea why
-
Looking through all the rules I have set, none of them reference 192.0.0.0 in any way, but at the very end of the firewall rules I find:

```
@164 rdr on pkg_tinc inet proto udp from any to <public IP, Redacted> port = 32400 tag PFREFLECT -> 127.0.0.1 port 19000 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 40131 State Creations: 0 ] [ Last Active Time: N/A ]
@165 rdr on bge0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask [ Evaluations: 229132 Packets: 5756 Bytes: 369505 States: 1202 ] [ Inserted: uid 0 pid 40131 State Creations: 1745 ] [ Last Active Time: N/A ]
@166 rdr on gif0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask [ Evaluations: 38971 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 40131 State Creations: 0 ] [ Last Active Time: N/A ]
@167 rdr on WireGuard inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask [ Evaluations: 38971 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 40131 State Creations: 0 ] [ Last Active Time: N/A ]
@168 rdr on pkg_tinc inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask [ Evaluations: 38970 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 40131 State Creations: 0 ] [ Last Active Time: N/A ]
@0 binat on tun_wg0 inet from 10.0.0.0/8 to any -> 192.0.0.0/8 [ Evaluations: 474029 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 40131 State Creations: 0 ] [ Last Active Time: N/A ]
```
This means I can't get to any actual site on the internet in the 192.x block. The 32400 port forward is the last one of my defined rules, and this block of rules appears to be being added after that. It persists after a restart, and I have no idea where it's coming from.
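A check for the kind of rule dump above, added here as an example and not anything from the thread: it parses `pfctl -vvsn`-style rdr/binat lines and flags any NAT rule whose matched (`to`) or translated (`->`) network is not contained in RFC 1918 space, which is exactly why `192.0.0.0/8` (rather than `192.168.0.0/16`) swallows real Internet destinations. The sample lines are constructed from the post, with the redacted WAN address replaced by the documentation address 203.0.113.10.

```python
import ipaddress
import re

# RFC 1918 ranges: a NAT rule whose network reaches outside these will also
# rewrite traffic bound for real Internet hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NAT rules as printed by `pfctl -vvsn`:
# "@N rdr|binat|nat on IF inet [proto P] from SRC to DST [port = X] [tag T] -> TGT ..."
RULE_RE = re.compile(
    r"@(?P<num>\d+)\s+(?P<kind>rdr|binat|nat)\s+on\s+(?P<iface>\S+)\s+inet"
    r"(?:\s+proto\s+\S+)?\s+from\s+\S+\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*\d+)?(?:\s+tag\s+\S+)?\s+->\s+(?P<tgt>\S+)"
)

def to_network(token):
    """pf address token -> ip_network, or None for 'any', tables, hostnames, redactions."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None

def leaks_public_space(net):
    """True for a real network (not a single host) that is not entirely RFC 1918."""
    return net.prefixlen < net.max_prefixlen and not any(net.subnet_of(p) for p in RFC1918)

def audit_nat_rules(pfctl_output):
    """Return (rule number, kind, interface, field, network) for each rdr/binat/nat
    rule whose 'to' or '->' network reaches outside private address space."""
    findings = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        for field in ("dst", "tgt"):
            net = to_network(m.group(field))
            if net is not None and leaks_public_space(net):
                findings.append((int(m.group("num")), m.group("kind"), m.group("iface"), field, str(net)))
    return findings

# Constructed sample based on the rules in the post (WAN address replaced by 203.0.113.10).
SAMPLE = """\
@164 rdr on pkg_tinc inet proto udp from any to 203.0.113.10 port = 32400 tag PFREFLECT -> 127.0.0.1 port 19000 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@165 rdr on bge0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask [ Evaluations: 229132 Packets: 5756 Bytes: 369505 States: 1202 ]
@0 binat on tun_wg0 inet from 10.0.0.0/8 to any -> 192.0.0.0/8 [ Evaluations: 474029 Packets: 0 Bytes: 0 States: 0 ]
"""

if __name__ == "__main__":
    for num, kind, iface, field, net in audit_nat_rules(SAMPLE):
        print(f"rule @{num}: {kind} on {iface} {field} {net} reaches outside RFC 1918")
```

The port forward to a single WAN host (@164) is left alone; only the `/8` rdr destination and the binat translation target are reported.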
-
@Anaerin
It looks like the issue is Wireguard. Disabling Wireguard, removing its interface, tunnel and peers removes the rules. Quite why Wireguard is grabbing the wrong subnet for the VPN subnet and redirecting it to the local net is an issue.