Floating rule to allow ICMP on all interfaces
-
pfSense 2.1.3
I noticed an issue when trying to add a floating rule to 'accept ICMP' (which I want to do for all WAN interfaces). The ICMP packets are always returned via WAN1, even if I specifically ping WAN2. The result is that when pinging WAN2, I get 100% packet loss unless I manually add the 'pass' ICMP rule to the WAN2 interface rules.
Here's how the rule looks…
Is this a bug or am I just 'doing it wrong' ?
thanksedit: looking back it looks like this is an 'old' problem, not sure if it was ever resolved? (see below)
https://forum.pfsense.org/index.php?topic=39077.0
https://redmine.pfsense.org/issues/1697 -
I also tried setting up an interface group and adding WAN1 + WAN2 to it, then creating an 'allow icmp' rule for that Interface Group
That did not work either. I can still only ping the WAN1 interface. >:( -
You cannot use groups or floating rules for a proper multi-wan setup.
When you put a rule on WAN1 or WAN2 interface, assuming those interfaces have a proper gateway setup, the rules get tagged with reply-to so that pf tags the connection and it will send the reply packets back via that interface's gateway.
Floating rules and interface group rules act on multiple interfaces and there is no way for pf to properly tag the return traffic so that it goes back via the expected gateway. Thus, you only get a proper reply via the WAN with the default gateway.
-
You cannot use groups or floating rules for a proper multi-wan setup.
Ok - good to know!! (is that documented somewhere? it would have saved quite a lot of hair-pulling!)
So is there any method (short of just duplicating every rule for every WAN interface) for keeping rulesets under control & minimizing errors? For example I always want all uplinks to have certain port forwards, and to pass traffic for certain built in services e.g. icmp, ssh. With 3 or 4 Uplinks this gets unwieldy (even with 2)
thank you
-
Ok - good to know!! (is that documented somewhere? it would have saved quite a lot of hair-pulling!)
It's in the book, I think it's on the wiki somewhere but I can't remember at the moment.
So is there any method (short of just duplicating every rule for every WAN interface) for keeping rulesets under control & minimizing errors? For example I always want all uplinks to have certain port forwards, and to pass traffic for certain built in services e.g. icmp, ssh. With 3 or 4 Uplinks this gets unwieldy (even with 2)
For internal interfaces, groups or floating work fine, but not for WANs. There currently isn't a way to summarize WAN rules and keep the expected reply-to behavior.
-
Okay, thank you for the clarification. So just to be sure, the correct way to enable ICMP replies for e.g. WAN1 + WAN2 in a multi-WAN setup would be to create individual/identical PASS rules on each interface. And this also applies to NAT/port forward rules I assume? So if I have a service hosted on the LAN at port 34567 I would need to create duplicate rules on WAN1+WAN2 for this?
-
Yes.
-
Does this still apply as of 2.2.2? Floating rules still don't apply to multiple WAN ifs?
-
Yes. It's the same. It's not a bug that can be fixed, it's that the two concepts are not compatible (blanket rules for multiple interfaces can't have interface-specific reply-to actions)
-
Ok thanks, I figured that was the case, just thought maybe there was some magic that might have allowed this to work given the huge changes in going to FreeBSD 10.