problem with GRE tunnel and firewall rules
I have a problem with firewall rules regarding a GRE tunnel.
I want to filter the traffic that is sent across this tunnel.
When I send test traffic from the other side through the tunnel, I can see it leaving the local interface and I see also the return traffic arriving.
But the return traffic is never sent via the GRE tunnel.
Instead I get this in the firewall logs:
Sep 18 16:14:35 jue-jsa-fw01 filterlog: 63,,,1568815875,vmx1,match,pass,out,4,0x0,,62,39121,0,DF,6,tcp,60,10.115.250.10,10.1.199.1,51676,22,0,S,445341219,,29200,,mss;sackOK;TS;nop;wscale
Sep 18 16:14:35 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
Sep 18 16:14:36 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
What seems odd to me is that the first line mentions vmx1, which is the local interface where the traffic is leaving. I would have expected gre0 here as that's the incoming interface.
Also, the second and third lines look like the return traffic is blocked at the outgoing interface.
When I look at Diagnostics > States, I can see a state being created for the flow, but nevertheless the return traffic is blocked.
I have tried putting firewall rules for the intended traffic as well as for the return traffic on both interfaces and as floating rule but to no avail.
What am I missing here?
Thanks for any help.
I am using pfSense 2.4.4-RELEASE-p3 Community Edition.
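As an added example that is not part of this thread or of pfSense itself, the following Python script parses filterlog lines in the pfSense 2.4 CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4/IPv6 and TCP/UDP fields; the IPv6 field order is taken from the pfSense documentation and is not exercised by the sample) and then groups both directions of each session so it can flag exactly the pattern shown above: a packet passed on one interface whose reply is blocked on a different interface. The three log lines from the post are embedded as constructed sample input; `SAMPLE_LOG`, `parse_filterlog`, `parse_log`, `flow_key` and `find_blocked_replies` are names chosen for this example.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: the three filterlog lines quoted in the post, one per line.
SAMPLE_LOG = """\
Sep 18 16:14:35 jue-jsa-fw01 filterlog: 63,,,1568815875,vmx1,match,pass,out,4,0x0,,62,39121,0,DF,6,tcp,60,10.115.250.10,10.1.199.1,51676,22,0,S,445341219,,29200,,mss;sackOK;TS;nop;wscale
Sep 18 16:14:35 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
Sep 18 16:14:36 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
"""

# Field layout of the pfSense 2.4 filterlog CSV (per the pfSense "Filter Log Format" docs).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length"]  # assumed, not in sample
TCP = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "data_len"]


@dataclass
class Entry:
    timestamp: str
    host: str
    fields: dict = field(default_factory=dict)


def parse_filterlog(line):
    """Parse one syslog line; return an Entry, or None if it is not a filterlog line."""
    marker = " filterlog: "
    if marker not in line:
        return None
    prefix, payload = line.split(marker, 1)
    parts = prefix.split()                      # "Sep 18 16:14:35 jue-jsa-fw01"
    entry = Entry(" ".join(parts[:3]), parts[3] if len(parts) > 3 else "")
    cols = next(csv.reader([payload.strip()]))  # ';' inside the TCP options field is untouched
    f = entry.fields
    f.update(zip(COMMON, cols[:len(COMMON)]))
    rest = cols[len(COMMON):]
    if f.get("ipver") == "4":
        f.update(zip(IPV4, rest))
        rest = rest[len(IPV4):]
    elif f.get("ipver") == "6":
        f.update(zip(IPV6, rest))
        rest = rest[len(IPV6):]
    else:
        return None
    if len(rest) < 2:
        return None
    f["src"], f["dst"], rest = rest[0], rest[1], rest[2:]
    if f.get("proto") == "tcp":
        f.update(zip(TCP, rest))
    elif f.get("proto") == "udp":
        f.update(zip(UDP, rest))
    return entry


def parse_log(text):
    """Parse a blob of syslog text, skipping lines that are not filterlog entries."""
    return [e for e in (parse_filterlog(l) for l in text.splitlines()) if e]


def flow_key(e):
    """Direction-independent key so both halves of a session land in one bucket."""
    f = e.fields
    ends = sorted([(f["src"], f.get("sport", "")), (f["dst"], f.get("dport", ""))])
    return (f.get("proto", ""), tuple(ends))


def find_blocked_replies(entries):
    """Flows where a packet was passed on one interface but the reply direction was
    blocked on a different interface: the asymmetric symptom described in the post."""
    by_flow = defaultdict(list)
    for e in entries:
        by_flow[flow_key(e)].append(e)
    findings = {}
    for ents in by_flow.values():
        passed = [e for e in ents if e.fields["action"] == "pass"]
        blocked = [e for e in ents if e.fields["action"] == "block"]
        for p in passed:
            for b in blocked:
                pf, bf = p.fields, b.fields
                # The blocked packet must be the reverse direction, on another interface.
                if bf["src"] != pf["dst"] or bf["iface"] == pf["iface"]:
                    continue
                key = (pf["src"], pf.get("sport", ""), pf["dst"], pf.get("dport", ""),
                       pf["iface"], bf["iface"])
                hit = findings.setdefault(key, {
                    "flow": f"{pf['src']}:{pf.get('sport', '')} -> {pf['dst']}:{pf.get('dport', '')}",
                    "pass_iface": pf["iface"], "pass_rule": pf["rule"],
                    "block_iface": bf["iface"], "block_rule": bf["rule"],
                    "block_tracker": bf["tracker"], "blocked_packets": 0,
                })
                hit["blocked_packets"] += 1   # retransmitted SYN/ACKs count as one finding
    return list(findings.values())


if __name__ == "__main__":
    for hit in find_blocked_replies(parse_log(SAMPLE_LOG)):
        print(f"{hit['flow']}: passed on {hit['pass_iface']} (rule {hit['pass_rule']}), "
              f"reply blocked {hit['blocked_packets']}x on {hit['block_iface']} "
              f"(rule {hit['block_rule']}, tracker {hit['block_tracker']})")
```

Run against the sample it reports one finding: the SYN from 10.115.250.10:51676 to 10.1.199.1:22 passed on vmx1 under rule 63, and the SYN/ACK coming back was blocked twice on gre0 under rule 10 with tracker 1000000104. The tracker value is the useful handle when digging further, since it is the `ridentifier` shown by `pfctl -vvsr` on the firewall, so it tells you which generated rule (rather than which GUI rule) actually matched the reply.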
I've found the solution that @ierdelyi found in 2018.
With a stateless rule at the GRE interface that allows all wanted traffic it works.