Option to disable route-to on rules generated for WAN
-
Can there be an option in the future to disable route-to for WAN rules? I see there is a 'Disable reply-to' but it would be very convenient to also have a 'Disable route-to' on the WAN as well. All external gateways are on the outside WAN interface on my systems. If a route changes for our IPsec traffic I want it to immediately send the same packets over a point-to-point connection for backup. No states need to be killed either, as the packets will just travel a different route on the WAN.
There are a bunch of them in the rules that get generated. I don't want any of that traffic to stick to a gateway. If the route changes for the destination IPs involved to go through a different router on the same WAN subnet, then it should send it there, as packets can go either way. Again, there is only 1 WAN interface, but with a point-to-point for backup that the IPsec traffic can take.
I replaced IPs with names to help make it clear what they are
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.166 to !WanSubnet.160/27 tracker 1000008011 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseCarp.164 to !WanSubnet.160/27 tracker 1000008012 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.167 to !WanSubnet.160/27 tracker 1000008013 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.168 to !WanSubnet.160/27 tracker 1000008014 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.169 to !WanSubnet.160/27 tracker 1000008015 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.170 to !WanSubnet.160/27 tracker 1000008016 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.171 to !WanSubnet.160/27 tracker 1000008017 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.172 to !WanSubnet.160/27 tracker 1000008018 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.188 to !WanSubnet.160/27 tracker 1000008019 keep state allow-opts label "let out anything from firewall host itself"
# VPN Rules
pass out route-to ( igb0 WanGateway.161 ) proto udp from (self) to IpsecVpn1.36 port = 500 tracker 1000108441 keep state label "IPsec: IpsecVpn1 - outbound isakmp"
pass in on $WANIF reply-to ( igb0 WanGateway.161 ) proto udp from IpsecVpn1.36 to (self) port = 500 tracker 1000108442 keep state label "IPsec: IpsecVpn1 - inbound isakmp"
pass out route-to ( igb0 WanGateway.161 ) proto esp from (self) to IpsecVpn1.36 tracker 1000108443 keep state label "IPsec: IpsecVpn1 - outbound esp proto"
pass in on $WANIF reply-to ( igb0 WanGateway.161 ) proto esp from IpsecVpn1.36 to (self) tracker 1000108444 keep state label "IPsec: IpsecVpn1 - inbound esp proto"
pass out route-to ( igb0 WanGateway.161 ) proto udp from (self) to IpsecVpn2.146 port = 500 tracker 1000108455 keep state label "IPsec: IpsecVpn2 - outbound isakmp"
pass in on $WANIF reply-to ( igb0 WanGateway.161 ) proto udp from IpsecVpn2.146 to (self) port = 500 tracker 1000108456 keep state label "IPsec: IpsecVpn2 - inbound isakmp"
pass out route-to ( igb0 WanGateway.161 ) proto esp from (self) to IpsecVpn2.146 tracker 1000108457 keep state label "IPsec: IpsecVpn2 - outbound esp proto"
pass in on $WANIF reply-to ( igb0 WanGateway.161 ) proto esp from IpsecVpn2.146 to (self) tracker 1000108458 keep state label "IPsec: IpsecVpn2 - inbound esp proto"
pass out route-to ( igb0 WanGateway.161 ) proto udp from (self) to IpsecVpn3.2 port = 500 tracker 1000108469 keep state label "IPsec: IpsecVpn3 - outbound isakmp"
pass in on $WANIF reply-to ( igb0 WanGateway.161 ) proto udp from IpsecVpn3.2 to (self) port = 500 tracker 1000108470 keep state label "IPsec: IpsecVpn3 - inbound isakmp"
pass out route-to ( igb0 WanGateway.161 ) proto esp from (self) to IpsecVpn3.2 tracker 1000108471 keep state label "IPsec: IpsecVpn3 - outbound esp proto"
pass in on $WANIF reply-to ( igb0 WanGateway.161 ) proto esp from IpsecVpn3.2 to (self) tracker 1000108472 keep state label "IPsec: IpsecVpn3 - inbound esp proto"
-
You can add floating rules with 'quick' checked to override those. It's extremely unusual to need to disable route-to in that case, and since you can override it with user-defined rules, there won't likely be an option added to disable that.
-
The problem is that every time I create a new VPN it creates new hidden rules that must be overridden. These are hidden rules that are not shown to the user of course. Can there be a single rule in the floating section that would negate them all?
I currently create new rules for each one listed in floating but I do not choose quick and that seems to keep the hidden rules from being used.
I do not want to allow any traffic not explicitly needed.
-
One rule will override that. Pass, interface WAN, direction out, any source, any dest, quick. That'll match before all the auto-added rules.
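Added illustration (not part of the reply above, and not pfSense or pf code): a small Python model of pf's evaluation order that shows why a single floating rule with quick wins over the auto-generated route-to rules. In pf the last matching rule wins, unless a matching rule carries quick, which stops evaluation on the spot. The ruleset and addresses below are constructed (RFC 5737 ranges stand in for the WAN and peer addresses), and the model goes one step beyond the reply by also showing a non-quick user rule placed after the auto-generated rules; that placement is an assumption made here for the demonstration, not something the thread establishes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Minimal grammar covering the rule features seen in this thread: action, direction,
# quick, 'on' interface, route-to gateway, proto, from/to and a destination port.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+route-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\s*\))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
)


@dataclass
class Rule:
    text: str
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: str
    dst: str
    dport: Optional[int]
    route_to: Optional[str]  # gateway address, None when the rule has no route-to


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    return Rule(text=text.strip(), action=m["action"], direction=m["dir"],
                quick=m["quick"] is not None, iface=m["iface"], proto=m["proto"],
                src=m["src"], dst=m["dst"],
                dport=int(m["port"]) if m["port"] else None, route_to=m["rt_gw"])


def addr_matches(spec: str, ip: str, self_ips: Set[str]) -> bool:
    """pf address spec: 'any', '(self)', host or CIDR, optionally negated with '!'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "(self)":
        hit = ip in self_ips
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negated


def rule_matches(r: Rule, pkt: Dict, self_ips: Set[str]) -> bool:
    return (r.direction == pkt["dir"]
            and (r.iface is None or r.iface == pkt["iface"])
            and (r.proto is None or r.proto == pkt["proto"])
            and addr_matches(r.src, pkt["src"], self_ips)
            and addr_matches(r.dst, pkt["dst"], self_ips)
            and (r.dport is None or r.dport == pkt.get("dport")))


def evaluate(rules_text: List[str], pkt: Dict, self_ips: Set[str]) -> Optional[Rule]:
    """pf semantics: the LAST matching rule wins, unless a matching rule has 'quick',
    in which case evaluation stops there and that rule wins."""
    winner = None
    for r in (parse_rule(t) for t in rules_text):
        if not rule_matches(r, pkt, self_ips):
            continue
        winner = r
        if r.quick:
            break
    return winner


def chosen_gateway(rules_text: List[str], pkt: Dict, self_ips: Set[str]) -> Optional[str]:
    """Gateway the packet is pinned to by route-to, or None (the routing table decides)."""
    winner = evaluate(rules_text, pkt, self_ips)
    return winner.route_to if winner else None


# Constructed sample: 192.0.2.0/27 plays the WAN subnet, .1 the WAN gateway,
# .6 the firewall's own WAN address and 198.51.100.36 an IPsec peer.
SELF_IPS = {"192.0.2.6"}
AUTO_RULES = [
    'pass out route-to ( igb0 192.0.2.1 ) from 192.0.2.6 to !192.0.2.0/27 keep state label "let out anything from firewall host itself"',
    'pass out route-to ( igb0 192.0.2.1 ) proto udp from (self) to 198.51.100.36 port = 500 keep state label "IPsec: outbound isakmp"',
]
FLOATING_QUICK = 'pass out quick on igb0 from any to any keep state label "user floating, quick"'
USER_NO_QUICK = 'pass out on igb0 from any to any keep state label "user floating, no quick"'
ISAKMP_OUT = {"dir": "out", "iface": "igb0", "proto": "udp",
              "src": "192.0.2.6", "dst": "198.51.100.36", "dport": 500}
SAME_SUBNET = {"dir": "out", "iface": "igb0", "proto": "tcp",
               "src": "192.0.2.6", "dst": "192.0.2.20", "dport": 22}

if __name__ == "__main__":
    print("auto rules only      ->", chosen_gateway(AUTO_RULES, ISAKMP_OUT, SELF_IPS))
    print("quick floating first ->", chosen_gateway([FLOATING_QUICK] + AUTO_RULES, ISAKMP_OUT, SELF_IPS))
    print("non-quick user last  ->", chosen_gateway(AUTO_RULES + [USER_NO_QUICK], ISAKMP_OUT, SELF_IPS))
    print("same-subnet packet   ->", evaluate(AUTO_RULES, SAME_SUBNET, SELF_IPS))
```

With only the auto-generated rules the ISAKMP packet ends up pinned to the WAN gateway; a quick pass-out rule on the WAN evaluated first ends the search before the route-to rules are reached, so the packet follows the routing table instead. The model also shows that the auto rules never pin traffic to hosts on the WAN subnet itself (the `!subnet` destination excludes it), which is why a changed next-hop inside that subnet only matters for the route-to pinning, not for reachability.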
-
Thanks!
I just realized that reply-to is still being set on automatically generated rules for VPN traffic even though I have 'Disable reply-to' enabled in System->Advanced->Firewall & NAT (see my post above showing the rules). It appears I would need to override that too.
EDIT: It looks like my rules on the WAN interface allowing udp 500 and ESP protocol are overriding those auto-generated rules. I don't see any packet counts on those auto-generated reply-to rules.
pfctl -vsr | grep -A 2 "reply-to"
I see all packet counts at 0 ("Packets: 0").
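Added example (not from the thread, not pfSense code): a parser for the three-line groups that `pfctl -vsr | grep -A 2 "reply-to"` shows, pairing each rule with its Packets/Bytes/States counters so the route-to and reply-to rules that have never matched anything can be listed instead of eyeballed. The sample output below is constructed in the shape pfctl prints on FreeBSD/pfSense; the addresses, label text and counter values are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `pfctl -vsr`: a rule line followed by its
# counter lines. Not real output from any system on this thread.
SAMPLE_PFCTL_VSR = """\
pass out route-to (igb0 192.0.2.1) inet proto udp from (self) to 198.51.100.36 port = isakmp flags S/SA keep state label "IPsec: IpsecVpn1 - outbound isakmp"
  [ Evaluations: 3124      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass in on igb0 reply-to (igb0 192.0.2.1) inet proto udp from 198.51.100.36 to (self) port = isakmp flags S/SA keep state label "IPsec: IpsecVpn1 - inbound isakmp"
  [ Evaluations: 3124      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass in quick on igb0 inet proto udp from any to (self) port = isakmp flags S/SA keep state label "USER_RULE: allow isakmp"
  [ Evaluations: 3124      Packets: 1508      Bytes: 214136      States: 1     ]
  [ Inserted: uid 0 pid 1234 State Creations: 12    ]
"""

RULE_LINE = re.compile(r"^(pass|block|match)\b")
COUNTERS = re.compile(r"Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
LABEL = re.compile(r'label "([^"]*)"')


def parse_pfctl_vsr(output: str) -> List[Dict]:
    """Pair every rule line with the Packets/Bytes/States counters printed under it."""
    rules: List[Dict] = []
    for line in output.splitlines():
        if RULE_LINE.match(line):
            lbl = LABEL.search(line)
            rules.append({
                "rule": line.strip(),
                "label": lbl.group(1) if lbl else "",
                "route_to": "route-to" in line,
                "reply_to": "reply-to" in line,
                "packets": None, "bytes": None, "states": None,
            })
            continue
        m = COUNTERS.search(line)
        if m and rules and rules[-1]["packets"] is None:
            pk, by, st = (int(g) for g in m.groups())
            rules[-1].update(packets=pk, bytes=by, states=st)
    return rules


def policy_rules(output: str) -> List[Dict]:
    """Only the rules that steer traffic with route-to or reply-to."""
    return [r for r in parse_pfctl_vsr(output) if r["route_to"] or r["reply_to"]]


def idle_policy_rules(output: str) -> List[str]:
    """Labels of route-to/reply-to rules that have not matched a single packet."""
    return [r["label"] for r in policy_rules(output) if r["packets"] == 0]


if __name__ == "__main__":
    for r in parse_pfctl_vsr(SAMPLE_PFCTL_VSR):
        kind = "route-to" if r["route_to"] else "reply-to" if r["reply_to"] else "plain"
        print(f"{kind:8} packets={r['packets']:>6} states={r['states']:>3}  {r['label']}")
    print("never matched:", idle_policy_rules(SAMPLE_PFCTL_VSR))
```

To use it on a live box, replace `SAMPLE_PFCTL_VSR` with the captured output of `pfctl -vsr`. One caveat when reading the result: these counters are per loaded ruleset, so a reload (for example after saving a rule or adding a VPN) starts them at zero again; a zero count only proves that no packet has created a state through that rule since the last reload, not that the rule can never match.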