Firewall rules being ignored on WAN_STF interface (6rd, ipv6, 6to4, pfsense)



  • Issue:
    I have 6RD successfully configured on my PPPoE interface and it's working well, always has. However, I recently set up DNS over HTTPS and blocked all UDP:53 in/out via the floating rules. This works on all interfaces that exist in the interfaces > assignments. I was doing an audit and going over firewall rules and traffic and realized that queries over port 53 are still working over the wan_stf interface by a rule that says (let out anything from firewall host itself). I suspect this is because ints not in the interface list so I can't set rules that affect it (although it's still visible when running ifconfig when logged in via ssh).

    Things I've tried:

    • Creating a GIF interface: This didn't go well. I've never used it so I'm sure I missed something) I got the idea from reading some forums and also from the netgate documentation regarding 6to4 tunnels.
    • Adding the wan_stf interface via the Interfaces > assignments pannel: This broke all WAN traffic. Again, probably did something wrong as I can't figure out exactly how that interface should be configured; I did try some variations (none/none, mirroring the ifconfg output as well as I could, etc...)

    What I'm looking for from this post:
    A recommended solution that will actually enforce my firewall rules as expected. Possibly a howto if it's really obscure. Thanks in advance.



  • I may have solved this on my own. My floating rules were set to all interfaces in the list, but it seem that selecting no interface in the list makes it apply to every interface. I'm still testing this, but I don't see the (let out anything from firewall host itself) anymore.