Firewall Rule Seems to Get Ignored



  • I have an always-on VPN client running that I want to feed every device in my home except for two. I want those two devices to use my ISP directly.

    I successfully accomplished this for a long time by creating an alias for those two devices, and then creating a LAN Pass firewall rule for that alias that used the Advanced Option "Gateway" feature that I set to WAN_DHCP. This worked perfectly for ages but, since the last system update, all traffic is now being sent over the VPN as though this firewall rule were being totally ignored.

    I tried everything I could think of (rebooting the box, moving the rule higher in the order, enabling/disabling the VPN, etc) but nothing has worked. Any ideas?

    Thanks.


  • Rebel Alliance Global Moderator

    Make sure you're not pulling default routes from your VPN connection.  Also show your rules on the interface that push what you want out your VPN.



  • Thanks for the response.

    Pretty sure I'm not pulling any default routes from the VPN connection. At least not that I'm aware of.

    The rule is on the LAN interface where it has always been and should be.

    I've changed nothing, other than updating the box to the latest 2.3.1-RELEASE-p1 version. Could this be a bug? (Oh, the other change I made was to install and activate Squid Proxy, just as an experiment. Don't see how that could be the issue, but will test tomorrow just in case.)



  • Well, I deleted Squid and everything is working as it should once again.

    Very strange. Clearly a bug or some sort of compatibility issue.


  • Rebel Alliance Global Moderator

    Yeah, it's a bug that your proxy proxies your traffic… Clearly we should report that when using a proxy, it proxies traffic...

    As to your vpn not pulling default routes.. So you have checked not to pull routes in your client settings?  If not then yeah you are pulling routes..




  • @johnpoz:

    Yeah, it's a bug that your proxy proxies your traffic… Clearly we should report that when using a proxy, it proxies traffic...

    As to your vpn not pulling default routes.. So you have checked not to pull routes in your client settings?  If not then yeah you are pulling routes..

    Consider the following:

    • Firewall rules working as expected for nearly a year
    • Install Squid
    • Firewall rules no longer working as expected; rule troubleshooting not effective
    • Remove Squid
    • Firewall rules now working again as expected

    I won't claim to know WHY this is happening, but it's quite clear it is. I found this post below which is interesting. The third poster has this to say:

    "Using Squid Proxy with the VPN
    A common issue that I've seen a lot of people posting is not understanding how the squid proxy works with a VPN. Policy based routing won't work with firewall rules if clients are using the squid proxy or the transparent proxy is enabled as the traffic will originate from pfSense rather than the internal networks.

    This can be overcome with some limitations by using custom ACLs in squid as I've described at /index.php?topic=106221.msg592358#msg592358. I believe if you specify the client IPs under the Bypass Proxy for These Source IPs when the transparent proxy is configured then it will also work without a custom ACL, but not if the client is configured to use the proxy.

    You can also do other things with custom ACLs, such as sending specific destination domains via the VPN. For example certain websites could be blocked by your ISP on the WAN interface, so you want all traffic for those to go via the VPN. A few examples are described at /index.php?topic=104628.msg583327#msg583327"

    https://forum.pfsense.org/index.php?topic=106305.0

    Basically, much more complex than I want to delve into given that I installed Squid experimentally, and have no real need for it. It's gone!

    Regarding your second point, no, I did NOT have that feature checked, and did not even know about it. Although I now have everything working properly once again, everything is a learning experience, so perhaps you can explain what this option does? As I understand it, enabling it would prevent the VPN client from forcing all traffic through it and bypassing default Gateway/Route settings?

    Thanks.



    • Firewall rules working as expected for nearly a year
    • Install Squid
    • Firewall rules no longer working as expected; rule troubleshooting not effective

    Your expectations failed you because your understanding was flawed. Many people seem to have issues recognizing when they don't understand a problem and are shocked when things stop working as expected. If there's one important skill I've learned in life, it's knowing when I don't know something and filling that hole. Now's as good a time as ever to start practicing that. Don't be a cargo-cult IT person; fix the issue with reasoning and understanding, not because someone told you some step-by-step instructions. It takes longer, but it's worth it in the long run.

    But don't feel bad. Pseudo-research (Many of the top minds in teaching and programming doing informal experiments over the past 30+ years with students to reduce the 80%+ failure rate that never goes away) into teaching people how to program is showing that 90%+ of people cannot create proper mental models.


  • Rebel Alliance Global Moderator

    "enabling it would prevent the VPN client from forcing all traffic through it and bypassing default Gateway/Route settings?"

    No, enabling it prevents the VPN client from adding a default route to pfSense that would force ALL traffic out the VPN, whether you set it to do that or not.  If you're going to do policy-based routing where you want some traffic to go out the VPN, and some traffic to not go out the VPN, then you need to make sure you do not pull routes from the VPN connection.

    I am with Harvy66 on his assessment of the common problem of troubleshooting something when you don't fully understand how it works.  If you're unclear on how a system works, how can you be expected to troubleshoot it when it doesn't work how you think it's supposed to..

    As to not knowing the setting was there..  How is that exactly?  Did you not set up the VPN client connection?  Did you not go through all the options presented to you in the GUI to make sure you understand what they do so you could make a decision on whether you need it or not?



  • While that sounds great in theory, it doesn't work as well in practice.  I wear 50 hats where I am, and I'm expected to pick up new technology and be able to use it on a weekly basis.  I'm responsible for a ton of different things.  I fully admit that I am not an expert in all of them (or any of them), nor would I consider myself even advanced in some of them, but I do the best I can and sometimes make mistakes.  pfSense encompasses a LOT of different technologies.  I doubt if even most of the ESF staff are experts in every aspect.  Personally, I'm weak in IPSEC, PKI and IPv6 just to start but I still managed to get OpenVPN up & running pretty quickly.

    I guess all I'm trying to say is don't be too hard on those who do not necessarily possess the required amount of knowledge to do a specific task.


  • Rebel Alliance Global Moderator

    "required amount of knowledge to do a specific task."

    Agreed nobody can be expert in all of them..  This is when you reach out, do more research… RTFM..

    Is there some contest I am not aware of where if you find a bug in pfSense you get some sort of prize?  It seems like one cannot go a few hours without some post asking if whatever thing they have a question about is a bug..

    This thread for example - something doesn't work how he expected it, and he does not seem to have a handle on how it works in general.  He made assumptions about routes not being grabbed while not even going over the options of the connection he set up.  But right away he jumps to "Could this be a bug?"

    Is pfsense giving away a bounty on every bug discovered? ;)



    It seems like one cannot go a few hours without some post asking if whatever thing they have a question about is a bug.

    That's just human nature with us tech-types.  Everyone assumes they're not an idiot, and when something doesn't work then it's due to a fault in the thing and not our lack of understanding.

    I tend to be the opposite and when something doesn't work, I naturally assume I have screwed it up.  Perhaps there's a component of the Dunning-Kruger Effect in there as well.



  • Wow, what a tremendous amount of bloated self-importance in this forum. Haha…



  • @KOM:

    It seems like one cannot go a few hours without some post asking if whatever thing they have a question about is a bug.

    That's just human nature with us tech-types.  Everyone assumes they're not an idiot, and when something doesn't work then it's due to a fault in the thing and not our lack of understanding.

    I tend to be the opposite and when something doesn't work, I naturally assume I have screwed it up.  Perhaps there's a component of the Dunning-Kruger Effect in there as well.

    Dunning-Kruger Effect, eh? Well, as a nationally-ranked Chess Master, I'm going to have to admit that I know exactly what that looks like. But I certainly don't think it's an appropriate appellation for me here. I'm a pfSense newb and not an IT professional. Why else would I be here?

    I once played poker with a guy who was a teacher. In a semi-drunken stupor, he blurted out: "If you don't know the answer, don't ask the question!" A teacher! LOL…



  • This is interesting:

    https://youtu.be/8D83tJ_riBc

    But even more interesting is the one and only comment on this video:

    "It's not so much that squid is overriding the firewall, it's that the transparent proxy rule is just higher up on the list…  Since you have transparent proxy turned on, it created a rule in the firewall to grab all port 80 traffic.  That rule gets triggered before ever even getting to your Slashdot rule in the firewall.  That may have been your whole point just thought the detail was important.  I think this will show you the hidden firewall rules that don't show in the gui."  https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    Now THAT was educational!
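
    Added example, not from this thread or from pfSense: a small POSIX shell check over a constructed pf ruleset dump (stand-ins for the `pfctl -sn` and `pfctl -sr` output that the linked doc page tells you to inspect) that reports whether a transparent-proxy rdr rule intercepts a port before the alias's route-to pass rule can act. pf applies translation (rdr) rules before filter rules, which is why the GUI rule order alone never explains it. Interface names, the alias name and all addresses are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): scan a pf ruleset dump for a hidden
# transparent-proxy rdr rule and for the user's policy-routing pass rule, then
# report whether traffic on a given port ever reaches that pass rule.
# Interface names, the alias name and addresses below are constructed.

# Constructed stand-in for `pfctl -sn` output (NAT rules, incl. Squid's rdr).
NAT_RULES='nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
rdr pass on em1 inet proto tcp from any to ! (em1) port = 80 -> 127.0.0.1 port 3128'

# Constructed stand-in for `pfctl -sr` output (filter rules).
FILTER_RULES='pass in quick on em1 route-to (em0 203.0.113.1) inet proto tcp from <bypass_vpn> to any flags S/SA keep state label "USER_RULE"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Print rdr rules that hand a port to a local listener (a transparent proxy).
find_proxy_rdr() {
    printf '%s\n' "$1" | grep -E '^rdr .* -> 127\.0\.0\.1 port [0-9]+'
}

# Print the destination port each such rdr rule intercepts, one per line.
rdr_ports() {
    find_proxy_rdr "$1" | sed -nE 's/.* port = ([0-9]+) ->.*/\1/p'
}

# Print filter rules that policy-route traffic from the given alias.
find_policy_route() {
    printf '%s\n' "$2" | grep -E "^pass .*route-to .* from <$1> "
}

# "yes" if the alias's route-to rule can never see port $4 because an rdr rule
# rewrites that port to the local proxy first; "no" otherwise; "no-rule" if the
# alias has no route-to rule at all.
intercepted_by_proxy() {
    name=$1; nat=$2; filter=$3; port=$4
    find_policy_route "$name" "$filter" >/dev/null || { echo no-rule; return; }
    if rdr_ports "$nat" | grep -qx "$port"; then echo yes; else echo no; fi
}

intercepted_by_proxy bypass_vpn "$NAT_RULES" "$FILTER_RULES" 80
intercepted_by_proxy bypass_vpn "$NAT_RULES" "$FILTER_RULES" 443
```

    On a live box you would feed the functions the real `pfctl -sn` and `pfctl -sr` output instead of the constructed strings.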



  • @johnpoz:

    But right away jumps to "Could this be a bug?"

    How about this:

    "Installation of the Squid proxy service MAY result in existing firewall rules behaving in a manner that is inconsistent with previous experience."

    I trust that appeases your hyper-sensitive sense of nomenclature propriety?  :o



  • When I mentioned DKE to John, I was speaking of the general case and not about you in particular.  I'm sorry if you took offense as it wasn't intended.  We often go off on a tangent in a thread when the main topic of discussion has been addressed.  It is a common thing here that newer users typically assign blame to pfSense for something they don't understand.