Multi WAN - Multi VLAN - LoadBalancer
-
Hmm, that's what I thought. Having just disabled all my rules except the one pointing to the load balancing gateway I am still able to access other local subnets, even after resetting the state table.
Thanks for replying, I felt like I was losing my mind. I didn't just imagine that then?
Steve
-
@stephenw10: So you are actually having the same result like me, right? That you are able to connect to other subnets, even when you shouldn't be able to?
Cheers,
Szop
-
I just checked at home (running a 2.1 build from a couple of weeks ago).
I have 1 WAN but it's connected to one of my work sites over ovpn (+- 10 remote subnets). When specifying a gateway and resetting states, I'm unable to access the remote subnets.
What I did notice:
While running ping and hitting 'reset states' does not terminate the connection (i.e. ping continues).
When stopping the ping, then hitting 'reset states', I'm unable to restart the ping successfully (i.e. dropped by pfSense).
Kind regards
-
@stephenw10: So you are actually having the same result like me, right? That you are able to connect to other subnets, even when you shouldn't be able to?
It seems that way yes. I'm just checking my test method.
I notice that you are using 2.1 while I have 2.0.1. Not sure what, if any, bearing that may have here.
Steve
-
I distinctly remember being caught out by this when I first moved to a multiwan setup.
The problem was difficult to diagnose because it's a routing problem so it doesn't show up in the firewall logs.
Was this something that changed between 2.0 and 2.0.1, perhaps: "Fixed handling of routing with unmonitored gateways"
@heper what was the response to the pings with a specified gateway? No route to host?
You have a slightly different situation because of the VPN addition. Presumably you have static routes in place to the remote subnets?
Steve
-
No static routes … quagga handles routing.
Uhm, I'm at the office and can now confirm your observations ...
Also, while pinging to a subnet I shouldn't be able to ping to:
@102 pass in log quick on em2_vlan30 from any to <negate_networks:11> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
I'm pretty sure this is the cause for what's happening.
See relevant post: http://forum.pfsense.org/index.php/topic,48143.0/topicseen.html
-
Hmm.
Heper I think you've nailed it there.
@http://redmine.pfsense.org/issues/2367:
The fact the negate policy routing rule isn't shown is bad as it has lead to unintended consequences (ends up passing traffic people don't realize is passed because it's hidden). They should be shown as a grayed out auto-added rule, similar to block private/bogon.
So there is a hidden rule that passes traffic without telling you! :o
In 2.1 there is an option to disable that rule in System: Advanced. Szop, since you are using 2.1 you can do that.
I hope this makes it into 2.0.2 if it's released before 2.1. Time to rewrite my rules. ;)
Edit: Where/how are you seeing the Negate route rule logged?
Steve
-
Thanks guys!
I'll try this out as fast as I can!
Cheers,
Szop
-
I enabled logging on a rule at the bottom of the ruleset on one of the VLAN tabs (any->any|gw:WAN1).
Then in the logs they suddenly showed up as pass rules (clicking on the green arrow thingy showed the negate stuff).
-
Ah! So it's actually being caught by the existing rule but ignoring the gateway since the destination is in the negate_networks table.
If you're at your 2.1 machine maybe you can confirm the option to disable negating.
Steve
-
Hey guys,
thanks for clearing things up and helping me out! I owe you one :)! I can confirm that activating the "negate policy routing" option disabled all access from VLANs to VLANs. This is what I was looking for. Now I'll need to modify my rules and set up the gateways :).
Cheers,
Szop
-
Ah good to know and thanks for confirming. :)
What would be useful would be to be able to use some of the system "aliases" in firewall rules. For example use Private_networks or Negate_networks. As it is I have an alias I set up myself, LOCAL, but I have to remember to update it if I change anything and it doesn't include the WAN IP (though could it?). Negate_networks does that automagically.
Steve
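The hidden NEGATE_ROUTE behaviour discussed in this thread, modelled as an added example (not pfSense code and not from any poster): a tiny first-match rule evaluator that inserts the negate rule in front of every gateway rule, the way the logged rule above shows, and lets you compare the 2.1 "disable negate" setting with the explicit LOCAL block rule Steve mentions. The VLAN subnets, WAN address, interface name and gateway name are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NEGATE_LABEL = "NEGATE_ROUTE: Negate policy routing for destination"

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    iface: str                       # interface the rule is evaluated on, e.g. em2_vlan30
    dst: List[ipaddress.IPv4Network]
    gateway: Optional[str]           # policy-routing gateway; None = normal routing table
    label: str

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed layout (assumption): three VLANs plus the WAN address. pfSense fills
# negate_networks automatically with local subnets and WAN IPs; here it is hand-built.
NEGATE_NETWORKS = nets("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24", "203.0.113.5/32")
LOCAL = nets("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")  # user-maintained alias
ANY = nets("0.0.0.0/0")

def expand_ruleset(user_rules, disable_negate=False):
    """Model of pfSense rule generation: before every user rule that sets a gateway, a
    hidden 'pass quick ... to <negate_networks>' rule with NO gateway is inserted.
    The 2.1 'disable negate' option suppresses that insertion."""
    out = []
    for r in user_rules:
        if r.gateway is not None and not disable_negate:
            out.append(Rule("pass", r.iface, NEGATE_NETWORKS, None, NEGATE_LABEL))
        out.append(r)
    return out

def evaluate(ruleset, iface, dst_ip):
    """First matching rule wins (generated rules are 'quick'); no match = default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in ruleset:
        if r.iface == iface and any(ip in n for n in r.dst):
            return r
    return Rule("block", iface, ANY, None, "default deny")

# The thread's starting point: one any->any rule on VLAN30 pointing at the load balancer.
LB_ONLY = [Rule("pass", "em2_vlan30", ANY, "LoadBalancer", "VLAN30 any -> any via LB")]
# The rewrite Steve describes: block traffic to the LOCAL alias before the gateway rule.
WITH_LOCAL_BLOCK = [Rule("block", "em2_vlan30", LOCAL, None, "no inter-VLAN")] + LB_ONLY

if __name__ == "__main__":
    # A VLAN30 host talking to VLAN10: passed without a gateway, policy routed, or blocked.
    for rs, flag in ((LB_ONLY, False), (LB_ONLY, True), (WITH_LOCAL_BLOCK, False)):
        hit = evaluate(expand_ruleset(rs, flag), "em2_vlan30", "192.168.10.5")
        print(f"negate disabled={flag!s:5} -> {hit.action} gw={hit.gateway} ({hit.label})")
```

With the negate rule present the inter-VLAN packet is passed with no gateway and routed locally, which is the hidden access the thread is about; disabling negate sends it to the load balancer instead, and the LOCAL block rule rejects it regardless of version.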