Netgate Discussion Forum
    No rules needed for IPSec IKEv2 on WAN interface?

    Category: IPsec. 10 Posts, 3 Posters, 9.6k Views
    bruno-infotrad:

      Hello
      Thanks to the excellent documentation, I have successfully configured the IPsec/IKE v2 service on my pfSense instance. Everything seems to be working as expected: I can create an IPsec connection from my client and I can access my LAN machines.
      However, looking at the firewall rules, I just noticed that I have no rules configured on the WAN interface; the two rules allowing IPsec traffic on port 500 and 4500 were created (automatically?) on the IPsec interface. I would have expected these two rules to be associated with the WAN interface since this is the first interface that is accessed by the IPsec traffic. Does anyone have an explanation for this? Thanks in advance.

    jimp (Rebel Alliance Developer, Netgate):

        IPsec gets rules added automatically. You can disable the automatic rules if you want, from System > Advanced, Firewall & NAT tab, "Disable all auto-added VPN rules", then add your own for udp/500, udp/4500, and ESP.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    bruno-infotrad:

          Thanks for the info. However, I still do not understand why these rules are associated with the IPsec interface since the 500 and 4500 packets reach the WAN interface first.

    jimp (Rebel Alliance Developer, Netgate):

            They are not. The automatic rules are on the WAN, not the IPsec tab.

            The IPsec tab is only for traffic inside the tunnel, not the traffic used to establish and carry the tunnel itself on WAN.

    bruno-infotrad:

              Well, it does not look like this on my instance.

              • I only have the default "Block bogon networks" rule on my WAN interface

              • The two rules for 500 and 4500 are associated with the IPsec interface

              • Yet the traffic is passed

              See attached screenshots

              [attached screenshots: ipsec_ike_0.png, ipsec_ike_1.png, ipsec_ike_2.png]

    jimp (Rebel Alliance Developer, Netgate):

                The rules on the IPsec interface cannot match traffic on WAN. It shows you right in the log that it was on WAN, not IPsec.

                The rules are there, behind the scenes – they don't show in the GUI. The rules you see must have been added manually, and they are unnecessary.

    bruno-infotrad:

                  Manually? You mean using viconfig? I have not done this, though. The only thing I did was clone an existing instance of pfSense, delete the existing rules and upgrade to the latest version.
                  Putting aside the fact that some rules exist that I cannot see in the webConfigurator (pretty scary!), what do you suggest I do to fix this? Use viconfig and search the rules?

    jimp (Rebel Alliance Developer, Netgate):

                    Someone, at some point, put those rules on the IPsec tab using the GUI themselves. The firewall didn't add them there, and they are not necessary. You might check the other tabs (like Floating) to see if other rules reference IPsec or those same ports. None of them are necessary.

                    If you want to inspect the full ruleset you can see them in /tmp/rules.debug. The automatic rules for IPsec show there, but they will not exist in config.xml.

    bruno-infotrad:
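As an added example (not from this thread or from pfSense itself), a small POSIX shell audit that follows jimp's pointer to /tmp/rules.debug and his earlier note on "Disable all auto-added VPN rules": it checks that the automatic WAN pass rules for udp/500, udp/4500 and ESP are present in the generated ruleset, and counts any hand-added copies bound to the IPsec interface, which can never match traffic arriving on WAN. The WAN interface name em0 and the sample ruleset lines are assumptions constructed for the demo.

```shell
# Audit a pfSense-generated pf ruleset (/tmp/rules.debug) for the IPsec
# pass rules the firewall adds automatically on WAN, and count duplicates
# someone added by hand on the IPsec (enc0) interface, which cannot match
# traffic that arrives on WAN. Interface names and sample are assumptions.

WAN_IF="em0"     # assumed WAN interface name
IPSEC_IF="enc0"  # pf interface pfSense uses for the IPsec tab

# Constructed sample of the relevant lines; a real file is far longer and
# its label text may differ, so adjust the patterns to your ruleset.
SAMPLE_RULES='pass in quick on em0 proto udp from any to any port = 500 keep state label "IPsec: example - inbound isakmp"
pass in quick on em0 proto udp from any to any port = 4500 keep state label "IPsec: example - inbound nat-t"
pass in quick on em0 proto esp from any to any keep state label "IPsec: example - inbound esp proto"
pass in quick on enc0 proto udp from any to any port = 500 keep state label "USER_RULE: manual ipsec 500"
pass in quick on enc0 proto udp from any to any port = 4500 keep state label "USER_RULE: manual ipsec 4500"'

# has_pass_rule IFACE PROTO PORT FILE: succeed if a matching pass-in rule
# exists; pass an empty PORT for protocols without ports (esp).
has_pass_rule() {
    iface="$1"; proto="$2"; port="$3"; file="$4"
    if [ -n "$port" ]; then
        grep -Eq "^pass in .*on $iface .*proto $proto .*port = $port( |$)" "$file"
    else
        grep -Eq "^pass in .*on $iface .*proto $proto( |$)" "$file"
    fi
}

# wan_ipsec_rules_present FILE: all three automatic WAN rules are there.
wan_ipsec_rules_present() {
    has_pass_rule "$WAN_IF" udp 500 "$1" &&
    has_pass_rule "$WAN_IF" udp 4500 "$1" &&
    has_pass_rule "$WAN_IF" esp "" "$1"
}

# manual_ipsec_tab_rules FILE: print how many IKE/NAT-T/ESP pass rules are
# bound to the IPsec interface (these are the unnecessary ones).
manual_ipsec_tab_rules() {
    grep -Ec "^pass in .*on $IPSEC_IF .*(port = (500|4500)|proto esp)( |$)" "$1"
}

# audit_ruleset FILE: human-readable summary, e.g. audit_ruleset /tmp/rules.debug
audit_ruleset() {
    if wan_ipsec_rules_present "$1"; then echo "WAN: automatic IPsec rules present"
    else echo "WAN: automatic IPsec rules missing (auto-added VPN rules disabled?)"; fi
    echo "IPsec-tab rules for 500/4500/ESP (unnecessary): $(manual_ipsec_tab_rules "$1")"
}

tmp=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$tmp"; audit_ruleset "$tmp"; rm -f "$tmp"
```

On a live box, run `audit_ruleset /tmp/rules.debug` after setting WAN_IF to your real WAN interface.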

                      OK, I get it. Thanks for the info. I will delete the other rules.
                      Is there a way to see the "hidden" rules (apart from looking in the file)?

    emeianoite:

                        IPsec has a rule, the last one is "any to any on any GO!" lol

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.