Netgate Discussion Forum
    Firewall rules being ignored on WAN_STF interface (6rd, ipv6, 6to4, pfsense)

    IPv6
    2 Posts 1 Posters 678 Views
    • nathan.snow

      Issue:
      I have 6RD successfully configured on my PPPoE interface and it's working well, always has. However, I recently set up DNS over HTTPS and blocked all UDP:53 in/out via the floating rules. This works on all interfaces that exist in Interfaces > Assignments. I was doing an audit and going over firewall rules and traffic and realized that queries over port 53 are still working over the wan_stf interface by a rule that says (let out anything from firewall host itself). I suspect this is because it's not in the interface list, so I can't set rules that affect it (although it's still visible when running ifconfig when logged in via SSH).

      Things I've tried:

      • Creating a GIF interface: This didn't go well (I've never used it, so I'm sure I missed something). I got the idea from reading some forums and also from the Netgate documentation regarding 6to4 tunnels.
      • Adding the wan_stf interface via the Interfaces > Assignments panel: This broke all WAN traffic. Again, I probably did something wrong, as I can't figure out exactly how that interface should be configured; I did try some variations (none/none, mirroring the ifconfig output as well as I could, etc.).

      What I'm looking for from this post:
      A recommended solution that will actually enforce my firewall rules as expected. Possibly a howto if it's really obscure. Thanks in advance.

      • nathan.snow

        I may have solved this on my own. My floating rules were set to all interfaces in the list, but it seems that selecting no interface in the list makes it apply to every interface. I'm still testing this, but I don't see the (let out anything from firewall host itself) anymore.

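The difference the second post describes shows up in the ruleset pf actually loads: a floating rule with interfaces ticked carries an explicit `on { ... }` list, while one with none ticked has no `on` clause and matches on every interface, including ones not in Interfaces > Assignments. The following added shell example (not from the thread or from pfSense) parses a `pfctl -sr`-style dump and reports the interfaces a UDP/53 block never reaches; the interface names, rule text and output shapes are constructed assumptions, not captured from a real box.

```shell
# Constructed sample data (assumed shapes, not captured from a real firewall):
# the interfaces the box actually has, as "ifconfig -l" would list them.
IFACES="pppoe0 igb1 wan_stf"
# Floating block rule with every assigned interface ticked: pf gets an explicit
# "on { ... }" list, so an unassigned interface such as wan_stf is never matched.
RULES_LISTED='block drop quick on { pppoe0 igb1 } inet proto udp from any to any port = 53 label "block DNS"
pass out quick inet all flags S/SA keep state allow-opts label "let out anything from firewall host itself"'
# The same rule with no interface ticked: no "on" clause, so it matches everywhere.
RULES_ANY='block drop quick inet proto udp from any to any port = 53 label "block DNS"
pass out quick inet all flags S/SA keep state allow-opts label "let out anything from firewall host itself"'

# Print the interfaces on which no UDP/53 block rule would match.
# $1 = space-separated interface list, $2 = ruleset text in pfctl -sr style
uncovered_ifaces() {
    ifaces=$1 rules=$2 out=""
    for ifc in $ifaces; do
        covered=0
        while IFS= read -r line; do
            case "$line" in
                block*"proto udp"*"port = 53"*) ;;
                *) continue ;;   # not a DNS block rule
            esac
            set -- ${line%% label *}     # tokenize, dropping the label text
            hit=1                        # no "on" clause: rule applies on every interface
            while [ $# -gt 0 ]; do
                if [ "$1" = on ]; then
                    shift; hit=0
                    if [ "$1" = "{" ]; then      # "on { a b }" form
                        shift
                        while [ $# -gt 0 ] && [ "$1" != "}" ]; do
                            [ "$1" = "$ifc" ] && hit=1; shift
                        done
                    else                         # "on ifname" form
                        [ "$1" = "$ifc" ] && hit=1
                    fi
                    break
                fi
                shift
            done
            [ $hit -eq 1 ] && covered=1
        done <<EOF
$rules
EOF
        [ $covered -eq 0 ] && out="$out $ifc"
    done
    printf '%s\n' "${out# }"
}

uncovered_ifaces "$IFACES" "$RULES_LISTED"   # prints: wan_stf
uncovered_ifaces "$IFACES" "$RULES_ANY"      # prints an empty line: every interface covered
```

On a real pfSense box the same function can be fed `$(ifconfig -l)` and `$(pfctl -sr)` to audit which interfaces a floating block really covers.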
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.