Netgate Discussion Forum
pfsense bypasses firewall rule

OpenVPN | 12 Posts, 3 Posters, 1.3k Views
thenmanbr

yes
chpalmer

If the connection is active when you hit save, you may have to flush your states to take down the connection.

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
thenmanbr

I went as far as rebooting pfSense entirely to ensure the new rules would take effect, but they didn't affect the traffic. I also went to Advanced settings and under "Firewall & NAT" I have checked the option "Disable all auto-added VPN rules."
chpalmer

This client is coming in via the WAN, right?
thenmanbr

Yes... so the client hits the WAN interface, which is listening on 4501/udp. They should hit the firewall rules in the order I displayed.
thenmanbr

What is interesting is that when I check states, the connection is shown on the loopback interface. Maybe this has some correlation.

[attached screenshot: states1.jpg]
chpalmer

I just killed all my VPN traffic off to test this. The firewall seems to initiate the state and when that happens the connection opens up.

Go to Status/OpenVPN and stop the service. Then go to Diagnostics/States and kill the states.

Go back to OpenVPN and restart the service.
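A way to check for the condition chpalmer describes before trusting a freshly saved block rule, added here as an example and not part of the thread: pf only evaluates rules for the packet that creates a state, so a client already connected to the OpenVPN listener keeps its state and never hits the new rule. The script assumes the listener is 4501/udp as in the thread and works on a constructed sample of `pfctl -ss` output; the addresses and interface names are made up.

```sh
#!/bin/sh
# Added example (not from the thread): list and count pf states whose local endpoint
# is the OpenVPN listener. A non-zero count means existing sessions will keep flowing
# regardless of a newly added block rule until those states are removed.
# Assumption: the listener port is 4501/udp, taken from the thread.

VPN_PORT=4501

# Constructed sample of `pfctl -ss` output (interface proto local dir remote state).
# Not real data; the two lo0 lines mirror the thread's observation of VPN states
# appearing on the loopback interface.
SAMPLE='lo0 udp 203.0.113.5:4501 <- 198.51.100.7:51515       MULTIPLE:MULTIPLE
em0 tcp 203.0.113.5:443 <- 198.51.100.9:40022       ESTABLISHED:ESTABLISHED
lo0 udp 203.0.113.5:4501 <- 198.51.100.8:60010       MULTIPLE:MULTIPLE
em1 udp 192.168.1.20:53 -> 9.9.9.9:53       SINGLE:MULTIPLE'

# Print the state lines on stdin whose local side is the VPN listener (inbound only).
vpn_states() {
    grep -E "^[^ ]+ udp [0-9.]+:${VPN_PORT} <- "
}

# Count those states; 0 means the next packet will actually be evaluated against the rules.
count_vpn_states() {
    vpn_states | grep -c . || true
}

# Print the remote client address (port stripped) of each matching state.
vpn_clients() {
    vpn_states | awk '{ sub(/:[0-9]+$/, "", $5); print $5 }'
}

# Build the pfctl command that removes a given client's states. It is printed rather
# than executed here; on a real pfSense box you would run it (or kill states in the GUI).
kill_cmd_for() {
    printf 'pfctl -k %s\n' "$1"
}

n=$(printf '%s\n' "$SAMPLE" | count_vpn_states)
echo "existing states on ${VPN_PORT}/udp: $n"
printf '%s\n' "$SAMPLE" | vpn_clients | while read -r client; do kill_cmd_for "$client"; done
```

On a live system replace the constructed sample with `pfctl -ss | count_vpn_states`; a non-zero result explains why a new block rule appears to be bypassed.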
thenmanbr @chpalmer

@chpalmer thanks! It worked as you described!

However, in the event of a reboot, do you know how I would prevent this issue from happening? (I'm assuming it's the order things are loaded, first VPN then filters... if that even makes sense.)
chpalmer @thenmanbr

@thenmanbr said in pfsense bypasses firewall rule:

@chpalmer
However, in the event of a reboot, do you know how I would prevent this issue from happening? (I'm assuming it's the order things are loaded, first VPN then filters... if that even makes sense.)

I do not. It comes as a little bit of a surprise to me as well. I use separate VPN servers for each of my tunnels and I'm the only road warrior connection here. If I was to stop a connection to a site I would first go to that site and delete the client.

Can you try a "reject rule" and see if that does it?
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.