Don't understand: are these two bugs?
-
Hello ;D
Please look at the four attached pics for pfSense 2.3.4.
1. If the firewall rule on WAN2 is disabled, how come the VPN-tunnel interface shows as up and the firewall (FW) log shows traffic passing?
2. How come in these FW logs the pass rules are for OPT6, when:
2.A. OPT6 isn't even enabled?
2.B. And hence, there aren't any firewall rules for OPT6 at all.
Bugs? Or features I don't understand?
Thank you :)
-
You are not showing enough information to let anyone know what the hell you are talking about.
Be lucid and thorough if you want to bandy about the word "bug."
There is a very good probability there is a good explanation for the traffic you are seeing that you think is a "bug."
-
You are not showing enough information to let anyone know what the hell you are talking about.
Be lucid and thorough if you want to bandy about the word "bug."
There is a very good probability there is a good explanation for the traffic you are seeing that you think is a "bug."
Right… ... ...
Is it forbidden to ask if something is a bug or if I'm simply misunderstanding?
I don't "think" these are bugs, I am asking if these are bugs or if I'm not understanding. Which means I am not "bandying".
Please look at the four attached pics for pfSense 2.3.4.
1. If the firewall rule on WAN2 is disabled, how come the VPN-tunnel interface shows as up and the firewall (FW) log shows traffic passing?
2. How come in these FW logs the pass rules are for OPT6, when:
2.A. OPT6 isn't even enabled?
2.B. And hence, there aren't any firewall rules for OPT6 at all.
Bugs? Or features I don't understand?
What part isn't clear/is confusing/you need more information so you could give me an answer?
There is a very good probability there is a good explanation for the traffic you are seeing that you think is a "bug."
And the good explanation is?
-
Did you drop the session/state when you made the changes? Changes to firewall rules do not affect existing states.
Is it a VPN client or a server? No rules are required for a client to make a connection, only for a server to receive one.
Rules do not have to be in place on OPT6 if it is an OpenVPN assigned interface. Rules on the OpenVPN tab will pass traffic just fine. In fact, if you pass all traffic on OpenVPN and block all traffic on OPT6, traffic will be passed because interface groups (such as the OpenVPN tab) get passed first.
An assigned interface (such as OPT6, presumably) is not necessary for OpenVPN to operate.
Not a "bug."
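The two behaviours described in this answer (a disabled rule does not cut an existing state until states are reset, and rules on an interface group such as the OpenVPN tab are evaluated before the rules on an assigned interface such as OPT6) can be shown with a small toy model of stateful, first-match filtering. This is an added illustration written for this thread, not pfSense's or pf's own code; the `Flow`, `Rule` and `Firewall` names, the tab names and the IP addresses are all constructed for the example.

```python
"""Toy model of pf-style stateful filtering, written to illustrate the thread.

It is deliberately simplified (no direction, no TCP flags, no NAT) and is not
pfSense's or pf's code.  All names and addresses below are constructed.
"""

from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class Flow:
    """Connection identity as seen by the filter: arriving interface + 5-tuple."""
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str            # "pass" or "block"
    proto: str = "any"
    dport: Optional[int] = None
    enabled: bool = True   # a disabled rule is simply absent from the ruleset

    def matches(self, flow: Flow) -> bool:
        if not self.enabled:
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


class Firewall:
    def __init__(self) -> None:
        self.group_rules: dict = {}     # group name (e.g. "OpenVPN") -> rules
        self.iface_rules: dict = {}     # interface tab (e.g. "OPT6") -> rules
        self.group_members: dict = {}   # interface -> group it belongs to
        self.states: set = set()        # state table keyed by Flow
        self.log: list = []             # what the firewall log would show

    def add_rule(self, tab: str, rule: Rule, group: bool = False) -> None:
        target = self.group_rules if group else self.iface_rules
        target.setdefault(tab, []).append(rule)

    def assign_to_group(self, iface: str, group: str) -> None:
        self.group_members[iface] = group

    def reset_states(self) -> None:
        """Equivalent of resetting the state table after a rule change."""
        self.states.clear()

    def _candidate_rules(self, iface: str) -> Iterator[Rule]:
        # Interface-group rules are consulted before the interface's own tab,
        # so a pass on the OpenVPN tab wins over a block on OPT6.
        group = self.group_members.get(iface)
        if group:
            yield from self.group_rules.get(group, [])
        yield from self.iface_rules.get(iface, [])

    def filter(self, flow: Flow) -> str:
        # A packet that matches an existing state never reaches the rules, which
        # is why disabling a rule does not stop traffic already in the table.
        if flow in self.states:
            return "pass (state)"
        for rule in self._candidate_rules(flow.iface):
            if rule.matches(flow):
                self.log.append(f"{flow.iface} {rule.action} by {rule.name}")
                if rule.action == "pass":
                    self.states.add(flow)   # first-match pass creates the state
                return f"{rule.action} ({rule.name})"
        self.log.append(f"{flow.iface} block by default-deny")
        return "block (default)"


def demo_state_survives_rule_change() -> list:
    """Disabling the WAN2 rule leaves the tunnel's state in place until reset."""
    fw = Firewall()
    allow = Rule("allow OpenVPN server on WAN2", "pass", proto="udp", dport=1194)
    fw.add_rule("WAN2", allow)
    client = Flow("WAN2", "udp", "198.51.100.10", "203.0.113.1", 1194)  # constructed
    results = [fw.filter(client)]       # first packet: rule matches, state created
    allow.enabled = False               # rule disabled and applied
    results.append(fw.filter(client))   # still passes, via the existing state
    fw.reset_states()                   # states reset after the rule change
    results.append(fw.filter(client))   # now nothing matches: default deny
    return results


def demo_group_rules_win() -> list:
    """Pass-all on the OpenVPN tab beats block-all on the assigned OPT6 tab."""
    fw = Firewall()
    fw.assign_to_group("OPT6", "OpenVPN")
    fw.add_rule("OpenVPN", Rule("pass all on OpenVPN tab", "pass"), group=True)
    fw.add_rule("OPT6", Rule("block all on OPT6", "block"))
    inner = Flow("OPT6", "tcp", "10.8.0.2", "192.168.1.20", 22)  # constructed
    return [fw.filter(inner), *fw.log]


if __name__ == "__main__":
    print(demo_state_survives_rule_change())
    print(demo_group_rules_win())
```

The second demo also shows why the log can report a pass "on OPT6" even though no OPT6 rule allowed it: the log line names the interface the packet arrived on, while the matching rule lives on the OpenVPN group tab.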
-
Did you drop the session/state when you made the changes? Changes to firewall rules do not affect existing states.
Is it a VPN client or a server? No rules are required for a client to make a connection, only for a server to receive one.
Rules do not have to be in place on OPT6 if it is an OpenVPN assigned interface. Rules on the OpenVPN tab will pass traffic just fine. In fact, if you pass all traffic on OpenVPN and block all traffic on OPT6, traffic will be passed because interface groups (such as the OpenVPN tab) get passed first.
An assigned interface (such as OPT6, presumably) is not necessary for OpenVPN to operate.
Not a "bug."
Thank you for your answer.
I do agree, an error on my side: it is a server. Sorry for not adding that.
1. Yes, I reset states. I always do when changing FW rules.
2. I didn't understand:
IF I disable the WAN firewall rule for the server, server and client shouldn't be able to make contact, so why does the VPN tunnel show as up in the dashboard, and why does the firewall also report traffic between server and client? I specifically ask because my goal is to have Synology servers sync/backup to each other via VPN, but I want to add a time schedule to the firewall, disabling the open WAN port firewall rule most of the time. And hence I noticed that when the rule is disabled, the tunnel stays up and traffic keeps on going.
3. About that OPT6, would you know:
a. Why the tunnel didn't work without adding the OPT6 interface (found it somewhere on Google I had to do this - it didn't work without that interface, honestly).
b. Why the firewall log reports traffic passing on OPT6 (previous pic) when that interface isn't even enabled (previous pic), and so it isn't even possible to add firewall rules for OPT6?
Thank you.
-
First, this could merely be a timing issue. Those syslog messages were logged at ~11:30p last night… when did you disable the interface?
Second, after disabling the interface, nothing actually happens until you hit the "Apply Changes" button. Was this done? If so, when? If not, that would explain why things are not behaving as you would expect.
Third, what interface are those firewall rules on? Also, when were they disabled? Same question here: after disabling the rules, did you hit the "Apply Changes" button? If so, when? If not, that would explain why things are not behaving as you would expect.
2. I didn't understand:
IF I disable the WAN firewall rule for the server, server and client shouldn't be able to make contact, so why does the VPN tunnel show as up in the dashboard, and why does the firewall also report traffic between server and client? I specifically ask because my goal is to have Synology servers sync/backup to each other via VPN, but I want to add a time schedule to the firewall, disabling the open WAN port firewall rule most of the time. And hence I noticed that when the rule is disabled, the tunnel stays up and traffic keeps on going.
There are still some unknowns here, so it's hard to offer help when we only have 70% of the info, but these questions depend on what rule(s) we're talking about, on what interface, and what your objective is. Also, are we talking about pfSense boxes being the VPN server and VPN client? Or are we talking about a server on your network making an outbound client connection? There are different answers depending on what you're doing. Post a network map showing your topology and explain what you're trying to accomplish, so we can offer targeted advice.
3. About that OPT6, would you know:
a. Why the tunnel didn't work without adding the OPT6 interface (found it somewhere on Google I had to do this - it didn't work without that interface, honestly).
b. Why the firewall log reports traffic passing on OPT6 (previous pic) when that interface isn't even enabled (previous pic), and so it isn't even possible to add firewall rules for OPT6?
-
a. This goes to my previous point: what is the setup and what are you trying to accomplish? Is this a site-to-site tunnel between two pfSense boxes or a tunnel to a 3rd party VPN provider? Depending on what the objective is, assigning a tunnel to an interface is necessary to create a gateway for use with policy-based routing.
-
b. Depends on answers to previous questions.
-