Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    All trafic with changed gateway

    Firewalling
    3
    5
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      martijnr17
      last edited by

      I'm using pfsense now for a few days.
      I've a multiple wan interfaces en lan interfaces.

      I've made a group WanGroep with the 2 wan interfaces. There is a firewall rule that allows NTP traffic from wlan to * with the gateway wangroep instead of the default gateway.
      As soon as I change the gateway to wangroep instead of default all tcp trafic is allowed from wlan to anywhere on any port instead of the allowed port.

      pfsense1.png
      pfsense1.png_thumb

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        When I add a rule like that, on a 2.1-RC1 system, /tmp/rules.debug gets this added:

        pass  in  quick  on $LAN1 inet proto tcp  from any  to <negate_networks> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN1  $GWNTPGWG inet proto tcp  from any to any port 123 flags S/SA keep state  label "USER_RULE: Test NTP"</negate_networks>

        <negate_networks>is a list of networks I have defined in OpenVPN. I guess the code tries to protect those OpenVPN-defined networks (whose routes are already "fixed" on OpenVPN connections) from being re-routed by a policy-based rule into a gateway group that may not go somewhere successful.
        The problem I see is that the first rule does not specify "port 123" - so it opens up access for all ports from $LAN1 to <negate_networks>(the OpenVPN-reachable stuff).
        Seems like a bug, that first rule should have a "port" spec in it the same as the 2nd rule?

        Edit: I added an issue in RedMine: http://redmine.pfsense.org/issues/3173</negate_networks></negate_networks>

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • M
          martijnr17
          last edited by

          Thank you, good to hear that it is a bug. I was already getting crazy.

          1 Reply Last reply Reply Quote 0
          • E
            eri--
            last edited by

            This should be fixed on latest snapshots.

            1 Reply Last reply Reply Quote 0
            • P
              phil.davis
              last edited by

              The changes to filter.inc did not make:
              2.1-RC1 (i386)
              built on Tue Sep 3 14:08:44 EDT 2013

              They will appear in the snapshot after the above.
              I copied the new /etc/inc/filter.inc manually, and it is working. Sample test rule output from /tmp/rules.debug :

              pass  in  quick  on $LAN inet proto tcp  from 10.49.80.99  to <negate_networks>  port 123 flags S/SA keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN  $GWWiMax_Priority inet proto tcp  from 10.49.80.99 to any port 123 flags S/SA keep state  label "USER_RULE: Testing only zzzz"</negate_networks>

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.