Firewall Rules not applying to http traffic
-
Hi all,
I'm really confused at why my current firewall rules aren't working for selective gateway routing.
Really hope someone here can help. Basically what I want to achieve is to have specific domains route over a different WAN gateway.
My current rule looks like so:
Action: Pass
Interface: LAN
Source: *
Destination: Single Host / Alias - (Domains that I want routed over alterative WAN Gateway)
Protocol: Any
Address Family: IPv4
Gateway: WANGW (192.168.40.1)
What happens:
When I make a network request over HTTPS/SSL my traffic is routed over the selected gateway. However, when I then make that request unencrypted over HTTP the connection routes through my other gateway. This is known because the domain I request returns the public IP of the respective gateway.
i.e. HTTPS: 210.XXX.XXX.238, HTTP: 27.XXX.XXX.131
I can also see that the rule only creates and logs states which are connecting to port 443 and does not show any logs or states for connections to port 80.
Any help would be greatly appreciated.
-
did you try putting the rule all the way to the top of the ruleset?
did you reset states after making the change?
-
@heper Thanks for taking a look. Just tried resetting the states on my firewall, didn't seem to change the outcome. I have put the rule at the top of my LAN rules which in theory take priority over all other rules which is why I am so confused.
-
Ruleset works from top to bottom
First rule match counts
Screenshot of your rules
Everything else is practicing santeria with a crystal ball
-
@heper said in Firewall Rules not applying to http traffic:
did you try putting the rule all the way to the top of the ruleset?
did you reset states after making the change?
-
Maybe some other rule in an interface group or floating is messing things up then?
Or
Squid is messing things up
-
@heper That did catch my attention before. I checked the squid logs and cache hits, no hits for the domain/url I was testing. I did add it to my exclusions which still did not make any effect. However I just tried completely disabling squid and my request was made using the firewall rules correctly and created the states. See:
Could this be a bug with squid on pfsense or just a configuration issue by myself? In other words would this be worth reporting to either pfsense devs or the squid maintainers?
Thank you very much for all your help on this.
Thank you to @noplan as well for taking the time to look at my issue.
-
screenshot of your firewall rules and your gateway setup
this smells
if u gonna check firewall rules u have to kill all active states or the rules will be ignored
after massive changes in the rule set i recommend rebooting the firewall, makes more sense for me and is faster
br NP
-
@jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan
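The last reply explains the symptom in one line; the model below spells out the packet path it describes. This is an added illustration written for this thread, not code from pfSense, Squid or any poster. It models the processing order pfSense documents: inbound NAT (rdr, which is where the transparent Squid intercept hooks port 80) runs before the interface filter rules, the filter rules see the translated destination, and policy routing (a pass rule with a gateway set) only applies to traffic the firewall forwards, not to connections the firewall itself originates, which follow the routing table. The addresses, alias members and the Squid listener port are constructed sample values, not the original poster's.

```python
from dataclasses import dataclass, replace
from typing import Optional, FrozenSet, List, Tuple

# Constructed sample values for the model (assumptions, not from the thread).
DEFAULT_GW = "WAN_DEFAULT"          # gateway the routing table picks by default
ALT_GW = "WANGW"                    # gateway named in the poster's LAN rule
ROUTED_ALIAS = frozenset({"203.0.113.10", "203.0.113.11"})  # "Domains to route via WANGW"
SQUID_PORT = 3128                   # local transparent-proxy listener (assumed port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    dst_alias: Optional[FrozenSet[str]]  # None = any destination
    gateway: Optional[str]           # policy-route gateway; None = normal routing


# The poster's ruleset: policy-route rule at the top, then the usual allow-all.
LAN_RULES: List[Rule] = [
    Rule("pass", ROUTED_ALIAS, ALT_GW),   # index 0: the rule whose states were missing
    Rule("pass", None, None),             # index 1: default LAN pass-any
]


def rdr_transparent_proxy(pkt: Packet, squid_enabled: bool) -> Tuple[Packet, bool]:
    """Inbound NAT step: with transparent Squid on, LAN traffic to port 80 is
    redirected to the firewall's own proxy listener before filtering.
    Returns the (possibly translated) packet and whether it was intercepted."""
    if squid_enabled and pkt.dport == 80:
        return replace(pkt, dst="127.0.0.1", dport=SQUID_PORT), True
    return pkt, False


def first_match(pkt: Packet, rules: List[Rule]) -> Optional[int]:
    """Top-to-bottom evaluation; first matching rule wins (index returned)."""
    for i, r in enumerate(rules):
        if r.dst_alias is not None and pkt.dst not in r.dst_alias:
            continue
        return i
    return None


def egress_gateway(pkt: Packet, rules: List[Rule], squid_enabled: bool) -> Tuple[str, Optional[int]]:
    """Return (gateway the connection finally leaves on, index of LAN rule that
    created the state). Explains why port-80 flows never show up on rule 0."""
    translated, intercepted = rdr_transparent_proxy(pkt, squid_enabled)
    idx = first_match(translated, rules)
    if idx is None or rules[idx].action != "pass":
        return "blocked", idx
    if intercepted:
        # Squid terminates the client's TCP session on the firewall and opens a
        # new one to the origin server. That second connection is firewall-
        # originated, so LAN policy routing never sees it; it uses the routing
        # table, i.e. the default gateway, regardless of the LAN rule.
        return DEFAULT_GW, idx
    return rules[idx].gateway or DEFAULT_GW, idx


def observed_public_ip_differs(squid_enabled: bool) -> bool:
    """Reproduce the poster's check: does HTTP leave on a different gateway than
    HTTPS for a destination in the routed alias?"""
    client = "192.168.1.10"                 # constructed LAN client
    https_gw, _ = egress_gateway(Packet(client, "203.0.113.10", 443), LAN_RULES, squid_enabled)
    http_gw, _ = egress_gateway(Packet(client, "203.0.113.10", 80), LAN_RULES, squid_enabled)
    return https_gw != http_gw


if __name__ == "__main__":
    for squid in (True, False):
        for port in (80, 443):
            gw, idx = egress_gateway(Packet("192.168.1.10", "203.0.113.10", port), LAN_RULES, squid)
            print(f"squid={squid!s:5} port={port}: leaves via {gw}, state on LAN rule {idx}")
```

Running it shows the thread's two observations together: with the intercept on, port-443 flows leave via WANGW and create a state on rule 0, while port-80 flows match the catch-all rule (the filter sees 127.0.0.1:3128, not the alias member) and leave via the default gateway, so the policy rule logs nothing for them; with the intercept off, both ports behave identically. The practical check on a real box is the same as the poster's: compare Diagnostics > States for the two ports, or exclude the destinations from the transparent proxy so the policy rule sees them.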