Netgate Discussion Forum

    FW Rules for VTI interfaces

    Category: IPsec
    9 Posts 4 Posters 1.2k Views
    Jackish

      Hi,

      Under Firewall rules, you can set specific rules per GRE interface (each interface has its own tab) but with VTI you don't get the same functionality, only a shared "IPSec" tab. Is this intended?

      Say for example I want to make a routing rule to send all traffic from LAN Host/port X/Y regardless of destination down a VTI tunnel, how can I achieve that? I tried setting the rule under "IPSec" and picked the gateway associated with the VTI interface under advanced but it doesn't work.

      Any input is highly appreciated.

      Thanks

      JeGr (LAYER 8 Moderator)

        @Jackish said in FW Rules for VTI interfaces:

        LAN Host/port X/Y regardless of destination down a VTI tunnel, how can I achieve that

        The same way as you would with other policy based rules. Create a firewall rule on LAN, make sure it is above others that would interfere and configure it to your source host that you would like to route down the VTI tunnel with destination "any". Then at the end of the rules dialog open advanced options and select your VTI/IPSec/ipsec0 Gateway.

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html#routing

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        jimp (Rebel Alliance Developer, Netgate) @Jackish

          @Jackish said in FW Rules for VTI interfaces:

          Under Firewall rules, you can set specific rules per GRE interface (each interface has their own tab) but with VTI you dont get the same functionality, only a shared "IPSec" tab. Is this intended?

          Yes, because of the way VTI works on FreeBSD, per-interface rules for IPsec do not function yet. (I need to test this again on FreeBSD 12, though)

          Say for example I want to make a routing rule to send all traffic from LAN Host/port X/Y regardless of destination down a VTI tunnel, how can I achieve that? I tried setting the rule under "IPSec" and picked the gateway associated with the VTI interface under advanced but it doesn't work.

          As @JeGr said, rules to redirect LAN traffic out VTI would go on LAN, not the IPsec interface, so you don't need per-interface rules to do that.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          Derelict (LAYER 8 Netgate)

            I decided to look at this and found something else.

            Since the IPsec assigned interface is hidden in Rules I was going to make a rules file and load it manually to test.

            Created an assigned interface rule on an OpenVPN server to copy

            Not getting reply-to there:

            $ grep OVPNS1 /tmp/rules.debug
            OVPNS1 = "{ ovpns1 }"
            GWOVPNS1_VPNV4 = " "
            GWOVPNS1_VPNV6 = " "
            scrub on $OVPNS1 all fragment reassemble
            pass in quick on $OVPNS1 inet proto icmp from any to 172.25.100.1 tracker 1553176701 keep state label "USER_RULE: Test Rule for IPsec"
            pass in quick on $OVPNS1 inet proto tcp from any to 172.25.100.1 port 22 tracker 1553176973 flags S/SA keep state label "USER_RULE: Test Rule for IPsec"

            My fault. I wasn't actually trying to pass traffic on the OpenVPN so I hadn't bounced the server instance.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
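JeGr's procedure (a rule on LAN for the source host, destination any, the VTI gateway chosen under advanced options, placed above any rule that would catch the traffic first) and Derelict's habit of checking what actually landed in /tmp/rules.debug can be combined into one offline check. The script below is an added example, not code from this thread or from pfSense. It parses a constructed snippet written in the style pfSense uses for rules.debug (the interface name ipsec1000, the addresses, the GWVTIGW macro name and the tracker ids are all assumptions) and reports whether a rule covering the host carries a route-to clause for the VTI interface, and whether an earlier quick rule on LAN already matches all of that host's traffic. Because pf stops at the first matching quick rule, such a rule sitting above the policy-routing rule means the route-to never fires, which is the ordering mistake JeGr warns about.

```python
"""Check a pfSense policy-routing rule for a LAN host against the pf ruleset
the GUI writes to /tmp/rules.debug.  Added example: not code from this thread
or from pfSense.  Interface name (ipsec1000), addresses, the GWVTIGW macro
name and the tracker ids are assumptions."""
import ipaddress
import re

# Constructed sample in the style of /tmp/rules.debug (values are assumptions).
SAMPLE_RULES = """\
LAN = "{ igb1 }"
GWVTIGW = " route-to ( ipsec1000 10.99.0.2 ) "
pass in quick on $LAN inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port 443 tracker 1553180000 flags S/SA keep state label "USER_RULE: anti-lockout"
pass in quick on $LAN $GWVTIGW inet from 192.168.1.50 to any tracker 1553180001 keep state label "USER_RULE: host to VTI"
pass in quick on $LAN inet from 192.168.1.0/24 to any tracker 1553180002 keep state label "USER_RULE: Default allow LAN to any"
"""

# The same ruleset with the default-allow rule moved above the routing rule.
_lines = SAMPLE_RULES.splitlines()
SHADOWED_RULES = "\n".join(_lines[:3] + [_lines[4], _lines[3]]) + "\n"

MACRO_RE = re.compile(r'^(\w+) = "(.*)"$')
RULE_RE = re.compile(
    r'^pass in quick on \$(?P<iface>\w+)'   # interface macro, e.g. $LAN
    r'(?: \$(?P<gw>\w+))? inet'             # optional gateway macro
    r'(?: proto (?P<proto>\w+))?'
    r' from (?P<src>\S+) to (?P<dst>\S+)'
    r'(?: port (?P<dport>\S+))?'
    r'.*label "(?P<label>[^"]*)"'
)
ROUTE_TO_RE = re.compile(r'route-to \( (?P<iface>\S+) (?P<gw>\S+) \)')


def parse_rules(text):
    """Return (macros, rules): macro definitions and, in file order, the
    'pass in quick' rules.  Order matters because pf stops at the first
    matching quick rule."""
    macros, rules = {}, []
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        r = RULE_RE.match(line)
        if r:
            rules.append(r.groupdict())
    return macros, rules


def route_to_iface(macros, gw_macro):
    """Interface named in a gateway macro's route-to clause, or None when the
    macro is missing or empty (pfSense emits e.g. GWOVPNS1_VPNV4 = " ")."""
    m = ROUTE_TO_RE.search(macros.get(gw_macro or "", ""))
    return m.group("iface") if m else None


def _covers_source(rule, host_ip):
    if rule["src"] == "any":
        return True
    return host_ip in ipaddress.ip_network(rule["src"], strict=False)


def _catches_all_from(rule, host_ip):
    """True if this quick rule matches every packet from host_ip, whatever
    the destination, protocol or port."""
    return (rule["dst"] == "any" and rule["proto"] is None
            and rule["dport"] is None and _covers_source(rule, host_ip))


def check_policy_route(text, host, iface, lan="LAN"):
    """Report on policy-routing HOST out IFACE via rules on the LAN tab:
    routed      - a LAN rule covering HOST has a route-to clause for IFACE
    shadowed_by - labels of quick LAN rules that already match all of the
                  host's traffic and sit before the routing rule (or before
                  the end of the ruleset if there is no routing rule)."""
    macros, rules = parse_rules(text)
    host_ip = ipaddress.ip_address(host)
    report = {"routed": False, "shadowed_by": []}
    for rule in rules:
        if rule["iface"] != lan:
            continue
        if (route_to_iface(macros, rule["gw"]) == iface
                and _covers_source(rule, host_ip)):
            report["routed"] = True
            break
        if _catches_all_from(rule, host_ip):
            report["shadowed_by"].append(rule["label"])
    return report


if __name__ == "__main__":
    for name, rules in (("ordered", SAMPLE_RULES), ("shadowed", SHADOWED_RULES)):
        print(name, check_policy_route(rules, "192.168.1.50", "ipsec1000"))
```

On a real box, replace SAMPLE_RULES with the contents of /tmp/rules.debug and the interface with the one shown under Interfaces for the VTI (here assumed to be ipsec1000). A "routed" result only says the ruleset is right; whether the tunnel itself forwards the traffic is a separate question, which is why Derelict still reaches for tcpdump on the VTI interface.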

            Derelict (LAYER 8 Netgate)

              As near as I can tell this still does not work. Pass rules on ipsec1000 are not processed. Needs rules on enc0.

              Traffic on a state on a VTI is still counted twice.


              Jackish

                Thank you for all the feedback. You are of course correct, it should be a LAN rule in this case.

                However, after configuring the rule and confirming it to be OK, it's being ignored and tcpdump confirms that none of the packets that should be captured by the rule are being sent down ipsec1000 (which happens to be the interface for this tunnel).

                To confirm my rule, I tore down the IPSec VTI and built GRE over IPSec, kept the rule intact and just changed the gateway, and voila, the rule works.

                So, I am not 100% sure what Derelict is saying, but maybe we just confirmed the same thing?

                Derelict (LAYER 8 Netgate)

                  What rule are you talking about?

                  You can policy route out VTI just fine.

                  The rules in question allow traffic into the firewall from the other side of IPsec tunnels and have nothing to do with connections originating from LAN hosts.


                  Jackish

                    In my case, a simple pass rule on LAN interface (as described in my first post) to route certain traffic out on a VTI gateway does not work. The very same rule works fine when using a GRE gateway.

                    Derelict (LAYER 8 Netgate)

                      Then post what you have because it most certainly does work.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.