No rules needed for IPSec IKEv2 on WAN interface?

  • Hello
    Thanks to the excellent documentation, I have successfully configured the IPsec/IKE v2 service on my pfSense instance. Everything seems to be working as expected: I can create an IPsec connection from my client and I can access my LAN machines.
    However, looking at the firewall rules, I just noticed that I have no rules configured on the WAN interface; the two rules allowing IPsec traffic on port 500 and 4500 were created (automatically?) on the IPsec interface. I would have expected these two rules to be associated with the WAN interface since this is the first interface that is accessed by the IPsec traffic. Does anyone have an explanation for this? Thanks in advance.

  • Rebel Alliance Developer Netgate

    IPsec gets rules added automatically. You can disable the automatic rules if you want, from System > Advanced, Firewall & NAT tab, "Disable all auto-added VPN rules", then add your own for udp/500, udp/4500, and ESP.

  • Thanks for the info. However, I still do not understand why these rules are associated with the IPsec interface since the 500 and 4500 packets reach the WAN interface first.

  • Rebel Alliance Developer Netgate

    They are not. The automatic rules are on the WAN, not the IPsec tab.

    The IPsec tab is only for traffic inside the tunnel, not the traffic used to establish and carry the tunnel itself on WAN.

  • Well, it does not look like this on my instance.

    • I only have the default "Block bogon networks" rule on my WAN interface

    • The two rules for 500 and 4500 are associated with the IPsec interface

    • Yet the traffic is passed

    See attached screenshots

  • Rebel Alliance Developer Netgate

    The rules on the IPsec interface cannot match traffic on WAN. It shows you right in the log that it was on WAN, not IPsec.

    The rules are there, behind the scenes – they don't show in the GUI. The rules you see must have been added manually, and they are unnecessary.

  • Manually? You mean using viconfig? I have not done this, though. The only thing I did was clone an existing instance of pfSense, delete the existing rules and upgrade to the latest version.
    Putting aside the fact that some rules exist that I cannot see in the webConfigurator (pretty scary!), what do you suggest I do to fix this? Use viconfig and search rules?

  • Rebel Alliance Developer Netgate

    Someone, at some point, put those rules on the IPsec tab using the GUI themselves. The firewall didn't add them there, and they are not necessary. You might check the other tabs (like Floating) to see if other rules reference IPsec or those same ports. None of them are necessary.

    If you want to inspect the full ruleset you can see them in /tmp/rules.debug. The automatic rules for IPsec show there, but they will not exist in config.xml.
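The following script is an added example, not something from this thread or from Netgate. It covers the two practical points above: checking that the three inbound rules IKEv2 needs on WAN (udp/500, udp/4500 and protocol ESP) are present in a pf ruleset dump in the style of /tmp/rules.debug (whether auto-added or written by hand after "Disable all auto-added VPN rules"), and listing rules on the IPsec tab (enc0) that name those ports and so cannot match the packets arriving on WAN. The ruleset it parses is constructed inline for the example; the interface macro names, labels and the `enc0` assumption approximate the pfSense format and are not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a pf ruleset dump in the style of
# pfSense's /tmp/rules.debug for the WAN rules IKEv2/IPsec needs and for
# redundant copies on the IPsec (enc0) tab. Sample rulesets are constructed.

# Constructed ruleset: automatic WAN rules present, plus two hand-added
# rules on enc0 that duplicate them (the situation described in the thread).
write_sample_ruleset() {
  cat > "$1" <<'EOF'
WAN = "{ em0 }"
LAN = "{ em1 }"
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
pass in quick on $WAN proto udp from any to any port = 500 keep state label "IPsec: Mobile Clients - inbound isakmp"
pass in quick on $WAN proto udp from any to any port = 4500 keep state label "IPsec: Mobile Clients - inbound nat-t"
pass in quick on $WAN proto esp from any to any keep state label "IPsec: Mobile Clients - inbound esp proto"
pass in quick on enc0 proto udp from any to any port = 500 keep state label "USER_RULE: ipsec"
pass in quick on enc0 proto udp from any to any port = 4500 keep state label "USER_RULE: ipsec nat-t"
pass in quick on enc0 inet from any to any keep state label "USER_RULE"
EOF
}

# Constructed ruleset: auto-added VPN rules disabled and nothing added by hand.
write_disabled_ruleset() {
  cat > "$1" <<'EOF'
WAN = "{ em0 }"
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
pass in quick on enc0 inet from any to any keep state label "USER_RULE"
EOF
}

# count_pass_rules FILE IFACE PROTO [PORT]
# Prints how many "pass in" rules on IFACE (with or without the $ macro
# prefix) match PROTO and, if given, the destination PORT.
count_pass_rules() {
  file=$1; iface=$2; proto=$3; port=$4
  pat="^pass in .*on [\$]?${iface} .*proto ${proto}( |\$)"
  if [ -n "$port" ]; then
    pat="^pass in .*on [\$]?${iface} .*proto ${proto} .*port = ${port}( |\$)"
  fi
  grep -E "$pat" "$file" | wc -l | tr -d ' '
}

# check_ipsec_wan_rules FILE IFACE
# Prints "ok" when udp/500, udp/4500 and ESP are all passed inbound on IFACE;
# otherwise prints "missing: ..." and returns 1.
check_ipsec_wan_rules() {
  file=$1; iface=$2; missing=""
  [ "$(count_pass_rules "$file" "$iface" udp 500)" -gt 0 ]  || missing="$missing udp/500"
  [ "$(count_pass_rules "$file" "$iface" udp 4500)" -gt 0 ] || missing="$missing udp/4500"
  [ "$(count_pass_rules "$file" "$iface" esp)" -gt 0 ]      || missing="$missing esp"
  if [ -z "$missing" ]; then
    echo "ok"
    return 0
  fi
  echo "missing:$missing"
  return 1
}

# stray_ipsec_tab_rules FILE
# Prints rules on the IPsec interface (enc0) that name udp/500, udp/4500 or
# ESP. They only see traffic inside the tunnel, so they never match the IKE or
# ESP packets on WAN and are redundant.
stray_ipsec_tab_rules() {
  grep -E '^pass in .*on enc0 .*(port = (500|4500)|proto esp)' "$1" || true
}

# Demo: run both checks over the constructed rulesets.
tmp=$(mktemp)
write_sample_ruleset "$tmp"
echo "WAN IKE/ESP rules: $(check_ipsec_wan_rules "$tmp" WAN)"
echo "Redundant rules on the IPsec tab:"
stray_ipsec_tab_rules "$tmp"
write_disabled_ruleset "$tmp"
check_ipsec_wan_rules "$tmp" WAN || echo "(add udp/500, udp/4500 and ESP pass rules on WAN, or re-enable the automatic VPN rules)"
rm -f "$tmp"
```

On a real pfSense box you would point `check_ipsec_wan_rules` at /tmp/rules.debug and pass the WAN macro name; the patterns match both `$WAN` and a bare interface name such as `em0`, but they are written for the sample format above and may need adjusting if your dump uses `reply-to` or other options between the interface and the protocol (the `.*` between them is meant to absorb those).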

  • OK, I get it. Thanks for the info. I will delete the other rules.
    Is there a way to see the "hidden" rules (apart from looking in the file)?

  • IPsec has a rule, the last one is "any to any on any GO!" lol
