problem with GRE tunnel and firewall rules



  • Hi all,

    I have a problem with firewall rules regarding a GRE tunnel.
    I want to filter the traffic that is sent across this tunnel.

    When I send test traffic from the other side through the tunnel, I can see it leaving the local interface and I see also the return traffic arriving.
    But the return traffic is never sent via the GRE tunnel.

    Instead I get this in the firewall logs:

    Sep 18 16:14:35 jue-jsa-fw01 filterlog: 63,,,1568815875,vmx1,match,pass,out,4,0x0,,62,39121,0,DF,6,tcp,60,10.115.250.10,10.1.199.1,51676,22,0,S,445341219,,29200,,mss;sackOK;TS;nop;wscale
    Sep 18 16:14:35 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
    Sep 18 16:14:36 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
    

    What seems odd to me is that the first line mentions vmx1, which is the local interface where the traffic is leaving. I would have expected gre0 here as that's the incoming interface.
    Also, the second and third lines look like the return traffic is blocked at the outgoing interface.
    When I look at Diagnostics > States, I can see a state being created for the flow but nevertheless the return traffic is blocked.

    I have tried putting firewall rules for the intended traffic as well as for the return traffic on both interfaces and as floating rule but to no avail.

    I'm lost.
    What am I missing here?

    Thanks for any help.

    I am using pfSense 2.4.4-RELEASE-p3 Community Edition.

    Kind regards,
    Mathias



  • I've found the solution that @ierdelyi found in 2018.

    https://forum.netgate.com/topic/105000/ipsec-outbound-traffic-being-blocked-on-ipsec-interface/29

    With a stateless rule at the GRE interface that allows all wanted traffic it works.

    Kind regards,
    Mathias
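An added diagnostic example, not from the poster or from pfSense, that parses the filterlog lines quoted in the first post and flags flows where a state was passed on one interface but the reply was blocked on a different one, which is the symptom the stateless rule in the second post works around. It assumes the standard pfSense filterlog CSV field order for IPv4 tcp/udp records; the three sample lines are copied from the post.

```python
import csv
from collections import defaultdict, namedtuple

# Constructed sample: the three filterlog records quoted in the first post.
SAMPLE_LOG = """\
Sep 18 16:14:35 jue-jsa-fw01 filterlog: 63,,,1568815875,vmx1,match,pass,out,4,0x0,,62,39121,0,DF,6,tcp,60,10.115.250.10,10.1.199.1,51676,22,0,S,445341219,,29200,,mss;sackOK;TS;nop;wscale
Sep 18 16:14:35 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
Sep 18 16:14:36 jue-jsa-fw01 filterlog: 10,,,1000000104,gre0,match,block,out,4,0x0,,63,0,0,DF,6,tcp,60,10.1.199.1,10.115.250.10,22,51676,0,SA,91150333,445341220,14480,,mss;sackOK;TS;nop;wscale
"""

Entry = namedtuple("Entry", "rule tracker iface action direction proto src dst sport dport tcp_flags")

def parse_line(line):
    """Parse one pfSense filterlog record (IPv4 tcp/udp only). Field order:
    rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
    offset,flags,proto-id,proto,length,src,dst,sport,dport,datalen,
    then for tcp: tcp-flags,seq,ack,window,urg,options."""
    f = next(csv.reader([line.split("filterlog: ", 1)[-1]]))
    if f[8] != "4" or f[16] not in ("tcp", "udp"):
        raise ValueError("only IPv4 tcp/udp records handled: %r" % line)
    flags = f[23] if f[16] == "tcp" else ""
    return Entry(f[0], f[3], f[4], f[6], f[7], f[16], f[18], f[19],
                 int(f[20]), int(f[21]), flags)

def flow_key(e):
    """Direction-independent key so a SYN and its SYN-ACK group together."""
    a, b = sorted([(e.src, e.sport), (e.dst, e.dport)])
    return (e.proto, a, b)

def find_asymmetric_blocks(log_text):
    """Flows with a pass on one interface and blocks on a different one:
    a state exists, yet the reply is evaluated and dropped on another
    interface, as in the post's vmx1 pass / gre0 block pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if "filterlog:" in line:
            e = parse_line(line)
            flows[flow_key(e)].append(e)
    findings = []
    for key, pkts in flows.items():
        passed_on = sorted({p.iface for p in pkts if p.action == "pass"})
        blocked = [p for p in pkts if p.action == "block" and p.iface not in passed_on]
        if passed_on and blocked:
            b = blocked[0]
            findings.append({"flow": key, "passed_on": passed_on, "blocked_on": b.iface,
                             "block_rule": b.rule, "tracker": b.tracker,
                             "blocked_flags": b.tcp_flags, "blocks": len(blocked)})
    return findings
```

Run against a larger filterlog export, each finding names the blocking rule number and tracker so it can be matched to the rule in the pfSense GUI.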

