Netgate Discussion Forum
    VIP on Loopback breaks auto IKE 500 rule

      obroni

      I've stumbled across a little annoyance in our setup.

      We are running Quagga BGP on pfSense to advertise /32 public IPs bound to the loopback adaptor. BGP peers over the WAN interface using a private /24. This allows us to move the pfSenses around our DC and have them automatically announce themselves. Everything is working great, but I have found one minor annoyance: creating an IPsec tunnel no longer creates the automatically created rule to allow IKE UDP 500 through, and a manual rule needs to be created on the WAN interface.

      I have gone through the filter.inc code and believe I have found the code which is responsible for this:

      https://github.com/pfsense/pfsense/blob/d08c13875483a81b6393f0127abe719e5734dea4/src/etc/inc/filter.inc#L4168-L4170

      if (empty($FilterIflist[$parentinterface]['descr'])) {
          $ipfrules .= "# Could not locate interface for IPsec: {$descr}\n";
          continue;
      }

      So it seems that it checks if the interface that has the VIP has a description. The loopback, from what I can tell, doesn't have a description, and so it stops trying to add the rule.

      What would be the best way to work around this problem?
      1. Find a way to give the loopback interface a description, or will this still cause problems, as the allow rule needs to be added to the WAN interface, not the parent interface?
      2. Try and modify the filter generating code to correctly detect that the rule should be on the WAN interface.
      3. Just accept this is probably more complex than I realise and keep on manually creating IKE allow rules.

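The following is an added illustration, not pfSense's own code and not from the poster: a small PHP model of the quoted check, run over constructed sample data, showing why a VIP whose parent interface has no description (the loopback) produces only the "Could not locate interface" comment instead of a pass rule, alongside a hypothetical variant in which the caller names the interface the IKE rule should land on (WAN, as the post says). The `$FilterIflist` shape, the phase-1 entry fields, the function names and the pf rule wording are all assumptions made for this example.

```php
<?php
// Added illustration (not pfSense code): model of the descr check quoted above.
// Constructed sample $FilterIflist: WAN has a description, the loopback entry does not.
$FilterIflist = [
    'wan' => ['descr' => 'WAN', 'if' => 'em0'],
    'lo0' => ['descr' => '',    'if' => 'lo0'],
];

// Constructed IPsec phase-1 entries. 'parent' is the interface hosting the
// local VIP, which is what the original check keys on. Addresses are
// documentation ranges (RFC 5737), chosen only for this example.
$ipsecPhase1 = [
    ['descr' => 'tunnel-to-siteA', 'parent' => 'wan',
     'local' => '198.51.100.5', 'remote' => '203.0.113.10'],
    ['descr' => 'tunnel-to-siteB', 'parent' => 'lo0',
     'local' => '198.51.100.6', 'remote' => '203.0.113.20'],
];

// Illustrative pf-style pass rule for IKE (UDP 500); exact wording is assumed.
function ike_pass_rule(string $realIf, array $ph1): string
{
    return "pass in quick on {$realIf} proto udp from {$ph1['remote']} "
         . "to {$ph1['local']} port = 500 keep state "
         . "label \"IPsec: {$ph1['descr']} - inbound isakmp\"\n";
}

// Model of the quoted behaviour: when the VIP's parent interface has no
// 'descr' in $FilterIflist, the rule is skipped and only a comment is emitted.
function ipsec_ike_rules(array $iflist, array $phase1): string
{
    $rules = '';
    foreach ($phase1 as $ph1) {
        $descr  = $ph1['descr'];
        $parent = $ph1['parent'];
        if (empty($iflist[$parent]['descr'])) {
            $rules .= "# Could not locate interface for IPsec: {$descr}\n";
            continue;
        }
        $rules .= ike_pass_rule($iflist[$parent]['if'], $ph1);
    }
    return $rules;
}

// Hypothetical variant (not in pfSense): the caller names the interface the
// IKE rule belongs on, so a descr-less parent such as lo0 no longer
// suppresses the rule. Only the chosen interface must resolve to a real device.
function ipsec_ike_rules_on(array $iflist, array $phase1, string $ruleIf): string
{
    if (empty($iflist[$ruleIf]['if'])) {
        return "# Could not locate interface {$ruleIf} for IPsec rules\n";
    }
    $rules = '';
    foreach ($phase1 as $ph1) {
        $rules .= ike_pass_rule($iflist[$ruleIf]['if'], $ph1);
    }
    return $rules;
}

echo "--- behaviour of the quoted check ---\n";
echo ipsec_ike_rules($FilterIflist, $ipsecPhase1);
// tunnel-to-siteA gets a pass rule on em0; tunnel-to-siteB gets only the comment.

echo "--- rule forced onto WAN ---\n";
echo ipsec_ike_rules_on($FilterIflist, $ipsecPhase1, 'wan');
// both tunnels get a pass rule on em0.
```

Running this with `php` prints the comment for the loopback-parented tunnel under the first heading and a UDP 500 pass rule for both tunnels under the second, which is the behaviour option 2 in the post is after. Until the filter generation knows which interface the rule belongs on, the manual WAN rule the post describes remains the working arrangement.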
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.