pfsense VTI / Firewall Filtering
-
Hey gang, I am running the latest pfSense. We have multiple IPsec site-to-site tunnels which are homed at one of our sites, all running in routed IPsec / VTI mode. All works great and traffic is passing. I have a question in regard to using the firewall filter to restrict inbound traffic from the IPsec tunnels. Right now everything works because I am allowing traffic from the tunnels via the firewall filter -> IPsec tab.
Is there a way where I can apply an individual policy to a specific inbound tunnel? So, for example: I want to allow "Prefix A" inbound from "Site-Tunnel 1" but not allow it from "Site-Tunnel 2". I tried making rules under the firewall IPsec tab, going to advanced and changing the "gateway" and choosing the specific tunnel, but this does not seem to work.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html makes it sound as if I should have individual IPsec tunnel interfaces available in the firewall section. I do not have this.... hmmmm
-
Unfortunately, per-interface rules do not currently function for VTI interfaces. It's a limitation in the underlying OS (either in if_ipsec, pf, or some combination of the two).
Communication from a subnet like that wouldn't necessarily succeed anyhow, though, because your return routing wouldn't send it back to the "wrong" tunnel. In your example, if "Prefix A" came in from "Site-Tunnel 2" the reply traffic would go back to whichever one had the route on it, likely "Site-Tunnel 1".
If you are using a routing protocol (BGP, OSPF) you could filter routes that way as well.
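As an added illustration of the route-filtering approach mentioned in the reply above (this is example configuration written for this page, not from the thread or from the pfSense/FRR projects): with BGP running over the VTIs, the hub can accept "Prefix A" only from the Site-Tunnel 1 peer and refuse it from the Site-Tunnel 2 peer, so the hub never installs a route to Prefix A via the wrong tunnel and the return path stays consistent with the intended tunnel. The ASNs, peer addresses and the 10.x.0.0/16 prefixes are placeholders; the syntax is the FRR `vtysh` style that the pfSense FRR package uses.

```text
! Constructed example: hub-side FRR BGP with per-peer inbound prefix filtering.
! Placeholder values: AS 65000 = hub, 10.255.1.2 = Site-Tunnel 1 VTI peer,
! 10.255.2.2 = Site-Tunnel 2 VTI peer, 10.1.0.0/16 = "Prefix A" (expected only from site 1).
!
! Prefixes the hub is willing to learn from Site-Tunnel 1.
ip prefix-list FROM-SITE1 seq 10 permit 10.1.0.0/16
ip prefix-list FROM-SITE1 seq 100 deny 0.0.0.0/0 le 32
!
! Prefixes the hub is willing to learn from Site-Tunnel 2 ("Prefix A" is absent,
! so an advertisement of 10.1.0.0/16 from this peer is dropped at import).
ip prefix-list FROM-SITE2 seq 10 permit 10.2.0.0/16
ip prefix-list FROM-SITE2 seq 100 deny 0.0.0.0/0 le 32
!
router bgp 65000
 neighbor 10.255.1.2 remote-as 65001
 neighbor 10.255.1.2 description Site-Tunnel 1 VTI peer
 neighbor 10.255.2.2 remote-as 65002
 neighbor 10.255.2.2 description Site-Tunnel 2 VTI peer
 address-family ipv4 unicast
  neighbor 10.255.1.2 prefix-list FROM-SITE1 in
  neighbor 10.255.2.2 prefix-list FROM-SITE2 in
 exit-address-family
```

The explicit trailing `deny 0.0.0.0/0 le 32` entries restate FRR's implicit end-of-list deny so the intent is visible in the saved config. After applying it, `show ip bgp 10.1.0.0/16` in `vtysh` should list only the 10.255.1.2 path. Note the limit of this approach, which matches the reply above: it controls which routes the hub installs, not which packets it accepts, so a packet claiming a Prefix A source that arrives over Site-Tunnel 2 is still admitted by the broad IPsec-tab rule, and only its replies are sent back over Site-Tunnel 1.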