FW Rules for VTI interfaces



  • Hi,

    Under Firewall rules, you can set specific rules per GRE interface (each interface has its own tab) but with VTI you don't get the same functionality, only a shared "IPSec" tab. Is this intended?

    Say for example I want to make a routing rule to send all traffic from LAN Host/port X/Y regardless of destination down a VTI tunnel, how can I achieve that? I tried setting the rule under "IPSec" and picked the gateway associated with the VTI interface under advanced but it doesn't work.

    Any input is highly appreciated.

    Thanks


  • Rebel Alliance Moderator

    @Jackish said in FW Rules for VTI interfaces:

    LAN Host/port X/Y regardless of destination down a VTI tunnel, how can I achieve that

    The same way as you would with other policy based rules. Create a firewall rule on LAN, make sure it is above others that would interfere and configure it to your source host that you would like to route down the VTI tunnel with destination "any". Then at the end of the rules dialog open advanced options and select your VTI/IPSec/ipsec0 Gateway.

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html#routing
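
    As an added illustration (not from this thread or from Netgate), here are the pf rules pfSense would generate for the two placements discussed in the reply above, in the form they appear in /tmp/rules.debug. The interface and macro names, the LAN host address and the tunnel gateway address are constructed for the example.

```pf
# Constructed example of pfSense-generated pf rules (not from the thread).
# Interface macros: LAN on igb1, the shared IPsec tab applies to enc0.
LAN = "{ igb1 }"
IPSEC = "{ enc0 }"

# Gateway macro for the VTI: ipsec1000 is the VTI interface and
# 10.250.0.2 the remote tunnel address used as the gateway (both assumed).
GW_VTI = " route-to ( ipsec1000 10.250.0.2 ) "

# Placement that does not do what was asked: a rule on the IPsec tab is
# evaluated on enc0, which only sees traffic arriving through the tunnel.
# A LAN host's outbound connections never enter on enc0, so this rule
# never matches them and nothing is policy routed.
pass in quick on $IPSEC $GW_VTI inet from 192.168.1.50 to any keep state label "USER_RULE: misplaced policy route"

# Placement that works: the rule sits on LAN, ordered above any broader
# LAN pass rule, matches the source host, and route-to sends every
# destination out the VTI regardless of the routing table.
pass in quick on $LAN $GW_VTI inet from 192.168.1.50 to any keep state label "USER_RULE: LAN host to VTI"
```

    Ordering matters: a wider "LAN net to any" pass rule placed above the policy-route rule would match first and the traffic would follow the normal routing table instead.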


  • Rebel Alliance Developer Netgate

    @Jackish said in FW Rules for VTI interfaces:

    Under Firewall rules, you can set specific rules per GRE interface (each interface has its own tab) but with VTI you don't get the same functionality, only a shared "IPSec" tab. Is this intended?

    Yes, because of the way VTI works on FreeBSD, per-interface rules for IPsec do not function yet. (I need to test this again on FreeBSD 12, though)

    Say for example I want to make a routing rule to send all traffic from LAN Host/port X/Y regardless of destination down a VTI tunnel, how can I achieve that? I tried setting the rule under "IPSec" and picked the gateway associated with the VTI interface under advanced but it doesn't work.

    As @JeGr said, rules to redirect LAN traffic out VTI would go on LAN, not the IPsec interface, so you don't need per-interface rules to do that.


  • LAYER 8 Netgate

    I decided to look at this and found something else.

    Since the IPsec assigned interface is hidden in Rules I was going to make a rules file and load it manually to test.

    Created an assigned interface rule on an OpenVPN server to copy

    Not getting reply-to there:

    Shell Output - grep OVPNS1 /tmp/rules.debug

    OVPNS1 = "{ ovpns1 }"
    GWOVPNS1_VPNV4 = " "
    GWOVPNS1_VPNV6 = " "
    scrub on $OVPNS1 all fragment reassemble
    pass in quick on $OVPNS1 inet proto icmp from any to 172.25.100.1 tracker 1553176701 keep state label "USER_RULE: Test Rule for IPsec"
    pass in quick on $OVPNS1 inet proto tcp from any to 172.25.100.1 port 22 tracker 1553176973 flags S/SA keep state label "USER_RULE: Test Rule for IPsec"

    My fault. I wasn't actually trying to pass traffic on the OpenVPN so I hadn't bounced the server instance.


  • LAYER 8 Netgate

    As near as I can tell this still does not work. Pass rules on ipsec1000 are not processed. Needs rules on enc0.

    Traffic on a state on a VTI is still counted twice.



  • Thank you for all the feedback. You are of course correct, it should be a LAN rule in this case.

    However, after configuring the rule and confirming it to be OK, it's being ignored and tcpdump confirms that none of the packets that should be captured by the rule is being sent down ipsec1000 (which happens to be the interface for this tunnel).

    To confirm my rule, I tore down IPSec VTI and built GRE over IPSec, kept the rule intact and just changed the gateway and voila, the rule works.

    So, I am not 100% sure what Derelict is saying but maybe we just confirmed the same thing?


  • LAYER 8 Netgate

    What rule are you talking about?

    You can policy route out VTI just fine.

    The rules in question allow traffic into the firewall from the other side of IPsec tunnels and have nothing to do with connections originating from LAN hosts.



  • In my case, a simple pass rule on LAN interface (as described in my first post) to route certain traffic out on a VTI gateway does not work. The very same rule works fine when using a GRE gateway.


  • LAYER 8 Netgate

    Then post what you have because it most certainly does work.

