Netgate Discussion Forum
    Simple match on wan not working for inbound traffic

    Category: Firewalling
    2 posts, 1 poster, 1.4k views
    wbw:

      Hey everyone,

      Using the GUI, I've created a single simple floating match rule to test how pfSense matches packets on the WAN interface. I made sure to set "State Type" to "none".

      From /tmp/rules.debug:
      match log  on {  vr1  }  from any to any  label "USER_RULE: TEST MATCH FLOAT WAN"

      Then I monitor pflog0 and I only see "match out" on vr1. I don't see any "match in".

      If I ping an external host, I only see the first outgoing ICMP request:
      00:00:28.610961 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123 > 4.2.2.2: ICMP echo request, id 56714, seq 0, length 64

      For other traffic:
      00:00:00.002784 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51261 > 74.125.65.157.80: [|tcp]
      00:00:00.004398 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.55205 > 192.168.0.1.53: [|domain]
      00:00:00.169822 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51262 > 207.246.126.16.80: [|tcp]
      00:00:00.000131 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51263 > 207.246.126.16.80: [|tcp]
      00:00:00.000192 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51264 > 184.51.207.110.80: [|tcp]
      00:00:00.000141 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51265 > 184.51.207.110.80: [|tcp]
      00:00:00.106406 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51266 > 74.125.159.120.443: [|tcp]
      00:00:00.069077 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.58225 > 192.168.0.1.53: [|domain]
      00:00:00.068972 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51267 > 204.11.51.34.80: [|tcp]

      Any ideas on how I can match an incoming packet on a specific interface?

      I'm using:
      2.0-RC3 (i386)  built on Thu Aug 18 00:28:50 EDT 2011
      Netgate ALIX.2D3/2D13

      wbw (follow-up):

        Okay, so after some more testing, this appears as though it is state-related. I will see an "in on vr1" only when a new connection arrives on the vr1 interface.

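A check for the pflog output quoted in the two posts above, added here as an example and not part of the thread or of pfSense. It parses the record header that tcpdump prints for pflog0 (`rule <nr>/<subnr>(<reason>): <action> <dir> on <ifname>: <src> > <dst>: ...`) and tallies hits per rule, interface and direction, so "no match in on vr1" can be confirmed from a capture rather than by eye. In the posted lines the action field prints as `unkn(11)` because that tcpdump build had no name for the action code; the parser keeps the field verbatim. The ten lines from the first post are used as sample input; the extra inbound record for rule 36 is constructed (203.0.113.7 is a documentation address) to stand in for the new-connection case the follow-up describes. Function names are mine.

```python
"""Tally pflog hits per rule, interface and direction.

Added example (not from the thread). Reads the text that tcpdump prints for
pflog0, e.g.  tcpdump -n -e -ttt -i pflog0
Record header, as printed by tcpdump's pflog printer:
    rule <nr>/<subnr>(<reason>): <action> <dir> on <ifname>: <src> > <dst>: ...
"""
import re
import sys
from collections import Counter, defaultdict

# Sample input: the lines quoted in the first post, as posted.
SAMPLE_FROM_POST = """\
00:00:28.610961 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123 > 4.2.2.2: ICMP echo request, id 56714, seq 0, length 64
00:00:00.002784 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51261 > 74.125.65.157.80: [|tcp]
00:00:00.004398 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.55205 > 192.168.0.1.53: [|domain]
00:00:00.169822 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51262 > 207.246.126.16.80: [|tcp]
00:00:00.000131 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51263 > 207.246.126.16.80: [|tcp]
00:00:00.000192 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51264 > 184.51.207.110.80: [|tcp]
00:00:00.000141 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51265 > 184.51.207.110.80: [|tcp]
00:00:00.106406 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51266 > 74.125.159.120.443: [|tcp]
00:00:00.069077 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.58225 > 192.168.0.1.53: [|domain]
00:00:00.068972 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51267 > 204.11.51.34.80: [|tcp]
"""

# Constructed line (not from the thread): an inbound new connection hitting the
# same match rule on vr1, the case the follow-up post describes.
CONSTRUCTED_INBOUND = (
    "00:00:00.000300 rule 36/0(match): unkn(11) in on vr1: "
    "203.0.113.7.40001 > 192.168.0.123.22: [|tcp]\n"
)

# One pflog record header plus the src > dst pair that follows it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>\S+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[^:]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s*(?P<rest>.*)$"
)


def split_endpoint(ep):
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None).

    tcpdump appends the port as a fifth dotted component for TCP/UDP; ICMP has
    none. IPv6 endpoints are returned unchanged with port None.
    """
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_pflog(text):
    """Return one dict per parseable pflog line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["src_ip"], rec["src_port"] = split_endpoint(rec["src"])
        rec["dst_ip"], rec["dst_port"] = split_endpoint(rec["dst"])
        records.append(rec)
    return records


def direction_tally(text):
    """Map (rule number, ifname) -> Counter({'in': n, 'out': m})."""
    tally = defaultdict(Counter)
    for rec in parse_pflog(text):
        tally[(rec["rule"], rec["ifname"])][rec["dir"]] += 1
    return tally


def rules_never_matched_inbound(text):
    """Return {(rule, ifname)} that logged 'out' hits but never an 'in' hit."""
    return {key for key, c in direction_tally(text).items()
            if c["out"] and not c["in"]}


def report(text):
    """Human-readable summary, one line per (rule, ifname)."""
    lines = []
    for (rule, ifname), c in sorted(direction_tally(text).items()):
        flag = "  <-- no inbound hits" if c["out"] and not c["in"] else ""
        lines.append(f"rule {rule} on {ifname}: in={c['in']} out={c['out']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a live capture in, or run with no stdin to see the sample data.
    if sys.stdin.isatty():
        data = SAMPLE_FROM_POST + CONSTRUCTED_INBOUND
    else:
        data = sys.stdin.read()
    print(report(data))
```

Run it as `tcpdump -n -e -ttt -i pflog0 | python3 pflog_tally.py` (the file name is mine) while generating traffic; a rule that only ever shows `out=` hits on the WAN interface reproduces the first post's observation, and an `in=` count appearing only after a fresh inbound connection is the behaviour the follow-up reports.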
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.