Firewall Rule Seems to Get Ignored
-
Yeah, it's a bug that your proxy proxies your traffic… Clearly we should report that when using a proxy, it proxies traffic...
As to your vpn not pulling default routes.. So you have checked not to pull routes in your client settings? If not, then yeah, you are pulling routes..
Consider the following:
- Firewall rules working as expected for nearly a year
- Install Squid
- Firewall rules no longer working as expected; rule troubleshooting not effective
- Remove Squid
- Firewall rules now working again as expected
I won't claim to know WHY this is happening, but it's quite clear it is. I found this post below which is interesting. The third poster has this to say:
"Using Squid Proxy with the VPN
A common issue that I've seen a lot of people posting is not understanding how the squid proxy works with a VPN. Policy based routing won't work with firewall rules if clients are using the squid proxy or the transparent proxy is enabled, as the traffic will originate from pfSense rather than the internal networks. This can be overcome with some limitations by using custom ACLs in squid as I've described at /index.php?topic=106221.msg592358#msg592358. I believe if you specify the client IPs under the Bypass Proxy for These Source IPs when the transparent proxy is configured then it will also work without a custom ACL, but not if the client is configured to use the proxy.
You can also do other things with custom ACLs, such as sending specific destination domains via the VPN. For example certain websites could be blocked by your ISP on the WAN interface, so you want all traffic for those to go via the VPN. A few examples are described at /index.php?topic=104628.msg583327#msg583327"
https://forum.pfsense.org/index.php?topic=106305.0
Basically, much more complex than I want to delve into given that I installed Squid experimentally, and have no real need for it. It's gone!
Regarding your second point, no, I did NOT have that feature checked, and did not even know about it. Although I now have everything working properly once again, everything is a learning experience, so perhaps you can explain what this option does? As I understand it, enabling it would prevent the VPN client from forcing all traffic through it and bypassing default Gateway/Route settings?
Thanks.
-
- Firewall rules working as expected for nearly a year
- Install Squid
- Firewall rules no longer working as expected; rule troubleshooting not effective
Your expectations failed you because your understanding was flawed. Many people seem to have issues recognizing when they don't understand a problem and are shocked when things stop working as expected. If there's one important skill I've learned in life, it's knowing when I don't know something and filling that hole. Now's as good a time as ever to start practicing that. Don't be a cargo-cult IT person; fix the issue with reasoning and understanding, not because someone told you some step-by-step instructions. It takes longer, but it's worth it in the long run.
But don't feel bad. Pseudo-research (Many of the top minds in teaching and programming doing informal experiments over the past 30+ years with students to reduce the 80%+ failure rate that never goes away) into teaching people how to program is showing that 90%+ of people cannot create proper mental models.
-
"enabling it would prevent the VPN client from forcing all traffic through it and bypassing default Gateway/Route settings?"
No, enabling it prevents the vpn client from adding a default route to pfsense that would force ALL traffic out the vpn, whether you set it to do that or not. If you're going to do policy based routing where you want some traffic to go out the vpn, and some traffic to not go out the vpn, then you need to make sure you do not pull routes from the vpn connection.
I am with Harvy66 on his assessment of the common problem in understanding the problem when you don't fully understand how it works. If you're unclear on how a system works, how can you be expected to troubleshoot it when it doesn't work how you think it's supposed to..
As to not knowing the setting was there.. How is that exactly? Did you not set up the vpn client connection? Did you not go through all the options presented to you in the gui to make sure you understand what they do so you could make a decision on whether you need it or not?
-
While that sounds great in theory, it doesn't work as well in practice. I wear 50 hats where I am, and I'm expected to pick up new technology and be able to use it on a weekly basis. I'm responsible for a ton of different things. I fully admit that I am not an expert in all of them (or any of them), nor would I consider myself even advanced in some of them, but I do the best I can and sometimes make mistakes. pfSense encompasses a LOT of different technologies. I doubt if even most of the ESF staff are experts in every aspect. Personally, I'm weak in IPSEC, PKI and IPv6 just to start but I still managed to get OpenVPN up & running pretty quickly.
I guess all I'm trying to say is don't be too hard on those who do not necessarily possess the required amount of knowledge to do a specific task.
-
"required amount of knowledge to do a specific task."
Agreed, nobody can be an expert in all of them.. This is when you reach out, do more research… RTFM..
Is there some contest I am not aware of where if you find a bug in pfsense you get some sort of prize? It seems like you can not go a few hours without some post asking if whatever thing they have a question about is a bug..
This thread for example - something doesn't work how he expected it, he does not seem to have a handle on how it works in general. Made assumptions about routes not being grabbed while not even going over the options of the connection he set up. But right away jumps to "Could this be a bug?"
Is pfsense giving away a bounty on every bug discovered? ;)
-
It seems like you can not go a few hours without some post asking if whatever thing they have a question about is a bug.
That's just human nature with us tech-types. Everyone assumes they're not an idiot, and when something doesn't work then it's due to a fault in the thing and not our lack of understanding.
I tend to be the opposite and when something doesn't work, I naturally assume I have screwed it up. Perhaps there's a component of the Dunning-Kruger Effect in there as well.
-
Wow, what a tremendous amount of bloated self-importance in this forum. Haha…
-
@KOM:
It seems like you can not go a few hours without some post asking if whatever thing they have a question about is a bug.
That's just human nature with us tech-types. Everyone assumes they're not an idiot, and when something doesn't work then it's due to a fault in the thing and not our lack of understanding.
I tend to be the opposite and when something doesn't work, I naturally assume I have screwed it up. Perhaps there's a component of the Dunning-Kruger Effect in there as well.
Dunning-Kruger Effect, eh? Well, as a nationally-ranked Chess Master, I'm going to have to admit that I know exactly what that looks like. But I certainly don't think it's an appropriate appellation for me here. I'm a pfSense newb and not an IT professional. Why else would I be here?
I once played poker with a guy who was a teacher. In a semi-drunken stupor, he blurted out: "If you don't know the answer, don't ask the question!" A teacher! LOL…
-
This is interesting:
https://youtu.be/8D83tJ_riBc
But even more interesting is the one and only comment on this video:
"It's not so much that squid is overriding the firewall, it's that the transparent proxy rule is just higher up on the list… Since you have transparent proxy turned on, it created a rule in the firewall to grab all port 80 traffic. That rule gets triggered before ever even getting to your Slashdot rule in the firewall. That may have been your whole point just thought the detail was important. I think this will show you the hidden firewall rules that don't show in the gui." https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
Now THAT was educational!
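The mechanism in that comment (and in the quoted squid/VPN post above) can be seen in a small model of pf's evaluation order: rdr (NAT) rules are applied before filter rules, filter rules are first-match, and the transparent proxy's hidden rdr and pass rules sit above the user's own rules. This is an added illustration, not code from the thread or from pfSense; the rule dicts, addresses and the "Bypass Proxy for These Source IPs" handling are constructed for the example.

```python
# Added example (not from the thread, not pfSense's own code): a simplified
# model of pf evaluation order on pfSense. rdr (NAT) rules run before filter
# rules; filter rules are first-match ("quick"), and the transparent proxy's
# hidden rdr+pass rules sit above the user's rules. Addresses are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def _matches(rule, pkt):
    """Match on optional src network, dst host, dest port and bypass list."""
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "src" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and rule["dst"] != pkt.dst:
        return False
    return pkt.src not in rule.get("bypass", ())  # "Bypass Proxy for These Source IPs"

def evaluate(rdr_rules, filter_rules, pkt):
    """Return (label of first matching filter rule, gateway, dst the filter saw)."""
    dst, dport = pkt.dst, pkt.dport
    for r in rdr_rules:                 # translation is applied first
        if _matches(r, pkt):
            dst, dport = r["to"], r["to_port"]
            break
    translated = Packet(pkt.src, dst, dport)
    for r in filter_rules:              # first match wins (pfSense rules are "quick")
        if _matches(r, translated):
            return r["label"], r.get("gateway", "default"), dst
    return "implicit-deny", None, dst

SLASHDOT_IP = "198.51.100.10"           # placeholder, not the site's real address
USER_RULES = [
    {"label": "slashdot-via-vpn", "src": "192.168.1.0/24", "dst": SLASHDOT_IP, "gateway": "VPN_GW"},
    {"label": "lan-default", "src": "192.168.1.0/24"},
]
SQUID_RDR = [{"label": "squid-transparent", "dport": 80, "to": "127.0.0.1",
              "to_port": 3128, "bypass": ("192.168.1.77",)}]
SQUID_PASS = [{"label": "squid-transparent-pass", "dst": "127.0.0.1", "dport": 3128}]

def route_for(src, with_squid, dport=80):
    """Which rule and gateway a LAN client reaching SLASHDOT_IP ends up with."""
    pkt = Packet(src, SLASHDOT_IP, dport)
    if with_squid:
        return evaluate(SQUID_RDR, SQUID_PASS + USER_RULES, pkt)
    return evaluate([], USER_RULES, pkt)
```

With the proxy installed, port 80 traffic is redirected to 127.0.0.1:3128 and matched by the hidden pass rule before the policy-routing rule is ever consulted; a bypassed source IP, or a port the rdr does not cover (443), still reaches the user's rule.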
-
But right away jumps to "Could this be a bug?"
How about this:
"Installation of the Squid proxy service MAY result in existing firewall rules behaving in a manner that is inconsistent with previous experience."
I trust that appeases your hyper-sensitive sense of nomenclature propriety? :o
-
When I mentioned DKE to John, I was speaking of the general case and not about you in particular. I'm sorry if you took offense as it wasn't intended. We often go off on a tangent in a thread when the main topic of discussion has been addressed. It is a common thing here that newer users typically assign blame to pfSense for something they don't understand.