Simple match on wan not working for inbound traffic
-
Hey everyone,
Using the GUI, I've created a single simple floating match rule to test how pfSense matches packets on the WAN interface. I made sure to set "State Type" to "none".
From /tmp/rules.debug:
match log on { vr1 } from any to any label "USER_RULE: TEST MATCH FLOAT WAN"
Then I monitor pflog0 and I only see "match out" on vr1. I don't see any "match in".
If I ping an external host, I only see the first outgoing icmp request
00:00:28.610961 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123 > 4.2.2.2: ICMP echo request, id 56714, seq 0, length 64
For other traffic:
00:00:00.002784 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51261 > 74.125.65.157.80: [|tcp]
00:00:00.004398 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.55205 > 192.168.0.1.53: [|domain]
00:00:00.169822 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51262 > 207.246.126.16.80: [|tcp]
00:00:00.000131 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51263 > 207.246.126.16.80: [|tcp]
00:00:00.000192 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51264 > 184.51.207.110.80: [|tcp]
00:00:00.000141 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51265 > 184.51.207.110.80: [|tcp]
00:00:00.106406 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51266 > 74.125.159.120.443: [|tcp]
00:00:00.069077 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.58225 > 192.168.0.1.53: [|domain]
00:00:00.068972 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51267 > 204.11.51.34.80: [|tcp]
Any ideas on how I can match an incoming packet on a specific interface?
I'm using:
2.0-RC3 (i386) built on Thu Aug 18 00:28:50 EDT 2011
Netgate ALIX.2D3/2D13
-
Okay, so after some more testing, this appears as though it is state related. I will see an "in on vr1" only when a new connection arrives on the vr1 interface.
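A small parser for the pflog lines shown in this thread, added here as an example (it is not code from the post or from pfSense): it pulls rule number, direction and interface out of each line, counts hits per direction for the match rule, and lists the inbound hits the ruleset actually saw. The two "in" lines in the sample are constructed to show what a new inbound connection looks like.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump-on-pflog0 format; the 'in' lines are invented to show new inbound connections.
SAMPLE_PFLOG = """\
00:00:28.610961 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123 > 4.2.2.2: ICMP echo request, id 56714, seq 0, length 64
00:00:00.002784 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51261 > 74.125.65.157.80: [|tcp]
00:00:00.004398 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.55205 > 192.168.0.1.53: [|domain]
00:00:01.000000 rule 36/0(match): unkn(11) in on vr1: 203.0.113.5.44321 > 192.168.0.123.22: [|tcp]
00:00:02.000000 rule 5/0(block): block in on vr1: 198.51.100.9.40000 > 192.168.0.123.23: [|tcp]
"""

# timestamp, rule/sub(reason), action (this tcpdump prints pf's 'match' action as unkn(11)), dir, iface, src > dst: summary
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<summary>.*)$"
)

def split_host_port(addr):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare IPv4 address -> (addr, None)."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def parse_pflog(text):
    """One dict per parseable pflog line; lines that do not fit the pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["src_host"], rec["src_port"] = split_host_port(rec["src"])
        rec["dst_host"], rec["dst_port"] = split_host_port(rec["dst"])
        records.append(rec)
    return records

def direction_counts(records, rule=None):
    """Hits per (interface, direction), optionally restricted to one rule number."""
    return Counter((r["iface"], r["dir"]) for r in records if rule is None or r["rule"] == rule)

def new_inbound_flows(records, iface):
    """Inbound 'match' hits: with stateful pass rules these are the only 'in' packets the
    ruleset sees on the interface, one per new connection (replies are handled by state)."""
    return [(r["src_host"], r["src_port"], r["dst_host"], r["dst_port"]) for r in records
            if r["iface"] == iface and r["dir"] == "in" and r["reason"] == "match"]
```

Feed it the real capture with `parse_pflog(open("pflog.txt").read())`; a match rule that only ever shows up under ("vr1", "out") is the symptom described in the first post.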