VIP on Loopback breaks auto IKE 500 rule



  • I've stumbled across a little annoyance in our setup.

    We are running Quagga BGP on pfSense to advertise /32 public IPs bound to the loopback adapter. BGP peers over the WAN interface using a private /24. This allows us to move the pfSenses around our DC and have them automatically announce themselves. Everything is working great, but I have found one minor annoyance: creating an IPsec tunnel no longer creates the automatically created rule to allow IKE UDP 500 through, and a manual rule needs to be created on the WAN interface.

    I have gone through the filter.inc code and believe I have found the code which is responsible for this:

    https://github.com/pfsense/pfsense/blob/d08c13875483a81b6393f0127abe719e5734dea4/src/etc/inc/filter.inc#L4168-L4170

    			// filter.inc: if the VIP's parent interface has no entry/description in
    			// $FilterIflist, no IPsec (IKE) pass rule is generated for this tunnel
    			if (empty($FilterIflist[$parentinterface]['descr'])) {
    				$ipfrules .= "# Could not locate interface for IPsec: {$descr}\n";
    				continue;
    			}

    So it seems that it checks if the interface that has the VIP has a description. The loopback from what I can tell doesn't have a description and so it stops trying to add the rule.

    What would be the best way to work around this problem?
    1. Find a way to give the loopback interface a description, or will this still cause problems, as the allow rule needs to be added to the WAN interface, not the parent interface?
    2. Try and modify the filter-generating code to correctly detect that the rule should be on the WAN interface.
    3. Just accept this is probably more complex than I realise and keep on manually creating IKE allow rules.
