[solved] IPSec firewall rules ineffective

  • I have a working site to site IPSec VPN, Draytek Vigor at the edge of one site, and pfsense 2.4.3 within the LAN at the other site. The pfsense box has a single interface (WAN) and is acting purely as a VPN endpoint.

    Everything's peachy - machines at each site can access machines at the other site. So, time to lock down the connections with some firewall rules on the pfsense box (eventually I'll want to allow only RDP/VNC). Except… the rules are ineffective. For initial test/setup purposes I had a "pass all" rule for IPSec entry, but if I remove that, or even if I have a single "block all" rule, traffic still flows.

    I don't have "Disable firewall" enabled in System>Advanced>Firewall & NAT. Also, I don't have "Bypass firewall rules for traffic on the same interface" enabled. None of the options in System>Advanced>Firewall & NAT are ticked.

    I can add rules to the WAN interface, but really I need to lock down traffic coming in via IPSec.

    I think I'm missing something fundamental here. In other systems I've used OpenVPN for site to site tunnelling, but this is the first time I've used IPSec.

    I've had a rummage through the posts here and haven't yet found anything relevant - indeed I seem to have the opposite problem to everyone else!

  • In the time-honoured tradition of finding the solution moments after posting a query…

    It turns out that changes to firewall rules are effective only after a reboot. A filter reload is not enough. This applies to rules for WAN and for IPSec (in my case).

    I don't know if this is normal behaviour. From memory... I'm reasonably sure that this didn't used to be the case - I'm sure I remember firewall rule changes being instant. I have a lot of pfsense boxes performing all sorts of functions, but they were all built years ago and though they've had firmware updates they've not had firewall changes.

  • Rebel Alliance Developer Netgate

    A reboot is not necessary. Depending on what you changed, a filter reload should be enough or, at worst, a reset of the affected states (Diag > States, Reset States).
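    The behaviour the developer describes comes from the filter being stateful: rules are only consulted for packets that do not already match a state entry, so a connection that was admitted under the old "pass all" rule keeps flowing after the rules are changed until its state is cleared. The following toy model is an added example written for this thread, not pfSense or pf code; the `Firewall`, `Rule` and `Packet` names, the `ipsec` interface label and the addresses are all made up for illustration.

    ```python
    """Toy model of a stateful packet filter, in the spirit of pf on pfSense.

    Rules are consulted only for packets that do not match an existing state.
    Once a connection has a state entry, later packets are passed by the state
    table without touching the rule set. Reloading the rules therefore does
    not stop traffic that is already flowing; resetting states does.
    All names, rules and addresses below are constructed for illustration.
    """
    from dataclasses import dataclass, field
    from typing import List, Optional, Set, Tuple


    @dataclass(frozen=True)
    class Packet:
        iface: str
        src: str
        dst: str
        dport: int


    @dataclass
    class Rule:
        iface: str
        action: str                  # "pass" or "block"
        dport: Optional[int] = None  # None matches any destination port


    @dataclass
    class Firewall:
        rules: List[Rule] = field(default_factory=list)
        states: Set[Tuple[str, str, str, int]] = field(default_factory=set)

        def reload_rules(self, rules: List[Rule]) -> None:
            """Like a filter reload: swap the rule set, keep existing states."""
            self.rules = list(rules)

        def reset_states(self) -> None:
            """Like Diag > States > Reset States: drop every state entry."""
            self.states.clear()

        def handle(self, pkt: Packet) -> str:
            """Return the verdict for one packet, first-match rule evaluation."""
            key = (pkt.iface, pkt.src, pkt.dst, pkt.dport)
            if key in self.states:
                # Established connection: rules are never looked at.
                return "pass (state)"
            for rule in self.rules:
                if rule.iface != pkt.iface:
                    continue
                if rule.dport is not None and rule.dport != pkt.dport:
                    continue
                if rule.action == "pass":
                    self.states.add(key)   # create state on first pass
                    return "pass (rule)"
                return "block (rule)"
            return "block (default)"


    def demo() -> List[str]:
        """Reproduce the 'rules seem ineffective' symptom from the thread."""
        fw = Firewall([Rule("ipsec", "pass")])               # initial pass-all rule
        rdp = Packet("ipsec", "10.1.0.5", "10.2.0.9", 3389)  # constructed sample flow
        results = [fw.handle(rdp)]                           # admitted, state created
        fw.reload_rules([Rule("ipsec", "block")])            # switch to block-all
        results.append(fw.handle(rdp))                       # still passes: state wins
        fw.reset_states()                                    # clear the old state
        results.append(fw.handle(rdp))                       # now the block rule applies
        return results


    def lockdown_demo() -> dict:
        """The intended end state: allow only RDP over the tunnel, block the rest."""
        fw = Firewall([Rule("ipsec", "pass", 3389), Rule("ipsec", "block")])
        rdp = Packet("ipsec", "10.1.0.5", "10.2.0.9", 3389)
        vnc = Packet("ipsec", "10.1.0.5", "10.2.0.9", 5900)
        return {"rdp": fw.handle(rdp), "vnc": fw.handle(vnc)}


    if __name__ == "__main__":
        print(demo())           # ['pass (rule)', 'pass (state)', 'block (rule)']
        print(lockdown_demo())  # {'rdp': 'pass (rule)', 'vnc': 'block (rule)'}
    ```

    The middle verdict in `demo()` is the symptom from the first post: after the rule set is swapped, the existing flow is still passed by its state entry, which is why a reboot (which also empties the state table) appeared to be the only thing that worked.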

  • Thanks for that confirmation that my memory isn't faulty. The issue is consistent and repeatable, so if I get the chance I'll dig around some. I'm going to be away for a few days though so that might take a while. And, if I run out of time, I may end up just building a new VM from scratch - this one has been through the wars while I was figuring out IPSec.

    PS. As this is no longer related to IPSec as such, and is more of a firewall issue, if/when I get around to updating or solving the problem I'll post in the firewalls topic rather than here.
