Floating rule not applying to selected interfaces



  • I have a 2 WAN setup that has port forwards on both interfaces to one host on my LAN.  I've previously had rules on each WAN interface to allow traffic into the port forwards, but I wanted to start limiting states per host collectively.  I figured the best way to do that would be to have a floating rule that is assigned to both WAN interfaces that has the appropriate settings, so that's what I implemented.

    The floating rule only let traffic in to the first of the two WAN interfaces, however.  Traffic was outright blocked from hitting the port forward on the second WAN.  I had to disable or delete the floating rule and re-create independent rules on each WAN interface for traffic to work correctly.

    Why did the floating rule only allow traffic on one of the WAN interfaces instead of the two that were selected?  Seems like a bug to me.  Running pfSense 2.3.3-Release.



  • I think you misunderstand something. The two examples of rules below are equivalent when you compare the states created by incoming traffic. I'm assuming that there are two port forwards for tcp traffic WAN1:port1 -> LANHOST:port1 and WAN2:port2 -> LANHOST:port2.

    
    rdr ....
    rdr ....
    
    pass in inet proto tcp from any to $LANHOST port { $PORT1 $PORT2 }
    

    The pass rule above is roughly what pfSense creates for an incoming floating rule without an interface specified.

    
    rdr ....
    rdr ....
    
    pass in on $WAN1 inet proto tcp from any to $LANHOST port $PORT1
    pass in on $WAN2 inet proto tcp from any to $LANHOST port $PORT2
    

    This is what the separated version looks like roughly.

    The point is that PF doesn't care about how the rules are organized in this case; each new connection on each of the WANs will create a new state regardless of which version you use. For PF, every new proto, srcaddress, dstaddress, srcport, dstport combination is a new state, and it will not reuse states based on what kind of rule created the states; all that matters is whether an incoming packet matches an entry in the state table.
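The rdr-then-state-then-filter flow described in the reply above, as an added toy model written for this thread (not pfSense or PF code, and not a reproduction of the original poster's problem). It assumes two constructed port forwards (wan1:8001 and wan2:8002, both to the constructed LAN host 10.0.0.10), first-match-wins rule evaluation as pfSense's "quick" rules give, and a state keyed on the proto/src/dst/sport/dport tuple after translation. Running the same constructed packet sequence through the floating rule set and the per-interface rule set yields identical verdicts and an identical state table, which is the point the reply makes.

```python
"""Toy model of PF's rdr -> state lookup -> filter order (constructed example)."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    # None models a floating rule with no interface bound; a set models
    # a floating rule with several interfaces selected or a per-WAN rule.
    ifaces: Optional[FrozenSet[str]]
    proto: str
    dst: str
    dports: FrozenSet[int]


StateKey = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport
Forwards = Dict[Tuple[str, int], Tuple[str, int]]  # (wan, wanport) -> (lan, lanport)


def rdr(pkt: Packet, forwards: Forwards) -> Packet:
    """Apply a port forward (rdr) before filtering, as PF does."""
    target = forwards.get((pkt.iface, pkt.dport))
    if target is None:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1])


def state_key(pkt: Packet) -> StateKey:
    return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    on_iface = rule.ifaces is None or pkt.iface in rule.ifaces
    return (on_iface and rule.proto == pkt.proto
            and rule.dst == pkt.dst and pkt.dport in rule.dports)


def filter_packet(pkt: Packet, forwards: Forwards, rules: List[Rule],
                  states: Dict[StateKey, Rule]) -> str:
    """Return 'pass' or 'block'; a new passed connection inserts a state."""
    pkt = rdr(pkt, forwards)
    key = state_key(pkt)
    if key in states:
        return "pass"            # state hit: the rule set is not consulted at all
    for rule in rules:           # first match wins (pfSense marks rules 'quick')
        if rule_matches(rule, pkt):
            states[key] = rule   # the creating rule is recorded, never re-matched
            return "pass"
    return "block"               # pfSense's default deny


# Constructed topology: two WANs forwarding to one LAN host.
FORWARDS: Forwards = {("wan1", 8001): ("10.0.0.10", 8001),
                      ("wan2", 8002): ("10.0.0.10", 8002)}
LANHOST = "10.0.0.10"

FLOATING_ANY = [Rule(None, "tcp", LANHOST, frozenset({8001, 8002}))]
FLOATING_BOTH = [Rule(frozenset({"wan1", "wan2"}), "tcp", LANHOST,
                      frozenset({8001, 8002}))]
PER_WAN = [Rule(frozenset({"wan1"}), "tcp", LANHOST, frozenset({8001})),
           Rule(frozenset({"wan2"}), "tcp", LANHOST, frozenset({8002}))]

# Constructed traffic (documentation addresses only).
TRAFFIC = [
    Packet("wan1", "tcp", "198.51.100.7", 40001, "203.0.113.1", 8001),  # new flow
    Packet("wan2", "tcp", "198.51.100.7", 40002, "203.0.113.2", 8002),  # new flow
    Packet("wan1", "tcp", "198.51.100.7", 40001, "203.0.113.1", 8001),  # state hit
    Packet("wan2", "tcp", "192.0.2.9", 50000, "203.0.113.2", 8001),     # no rdr, blocked
]


def run(rules: List[Rule]) -> Tuple[List[str], List[StateKey]]:
    """Replay TRAFFIC through a rule set; return verdicts and the state table keys."""
    states: Dict[StateKey, Rule] = {}
    verdicts = [filter_packet(p, FORWARDS, rules, states) for p in TRAFFIC]
    return verdicts, sorted(states)


def states_for_host(rules: List[Rule], host: str) -> int:
    """Count states whose translated destination is the given LAN host."""
    return sum(1 for key in run(rules)[1] if key[2] == host)


if __name__ == "__main__":
    for name, rules in (("floating/any", FLOATING_ANY),
                        ("floating/both", FLOATING_BOTH), ("per-WAN", PER_WAN)):
        verdicts, keys = run(rules)
        print(name, verdicts, keys)
```

The `states_for_host` helper is the per-host count a collective state limit would act on: in this model it is 2 for all three rule sets, because the state table records the translated 5-tuple and not which rule or interface admitted the flow.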



  • OK, if the states themselves are compared independently of the interface on which the states reside, that's nice.  It's unclear why it would be that way, though.  What if the two interface-bound rules have different session limits?  Which one wins?

    Further, this doesn't explain why the floating rule only seemed to bind to one of the selected interfaces, rather than both.  There simply wasn't any traffic allowed on the second WAN interface assigned to the floating rule.