Strange Firewall rules behaviour with "sticky-connections"



  • Hello everyone,

    I have been using pfSense for a few years now and everything runs fine. I have found a strange firewall/multi-WAN error that I cannot resolve by myself; maybe someone could take a look at it?

    Let me try to explain: I use a PPPoE connection as the main WAN gateway. I have added 3 OpenVPN connections and configured them as another gateway group at tier 1. I use both gateways with policy-based routing via NAT and firewall rules. That works well, but, as Netgate describes, it can sometimes cause trouble with some connections. That's why I wanted to check the box "Use sticky connections". But when I checked it, I got error messages about wrong firewall rules.

    There were error(s) loading the rules: /tmp/rules.debug:928: sticky-address cannot be redefined - The line in question reads [928]: pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1568891569 keep state label "USER_RULE: Allow defined ICMP"
        @ 2020-06-26 12:28:12
    

    This is the rule:

    <rule>
        <id></id>
        <tracker>1568891569</tracker>
        <type>pass</type>
        <interface>opt2</interface>
        <ipprotocol>inet</ipprotocol>
        <tag>vpntraffic</tag>
        <tagged></tagged>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype><![CDATA[keep state]]></statetype>
        <os></os>
        <protocol>icmp</protocol>
        <icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
        <source>
            <address>network_guest_vpn</address>
        </source>
        <destination>
            <any></any>
        </destination>
        <descr><![CDATA[Allow defined ICMP]]></descr>
        <gateway>VPN_Gateway</gateway>
        <created>
            <time>1568891569</time>
            <username><![CDATA[admin@192.168.1.106 (Local Database)]]></username>
        </created>
        <updated>
            <time>1579638983</time>
            <username><![CDATA[admin@192.168.1.102 (Local Database)]]></username>
        </updated>
    </rule>


    The firewall rule should be okay; it works really well without sticky connections. Then I just tried deleting my rule to see what happens, since I have nearly the same rule for another interface too. As soon as I deleted it, the next rule showed an error:

    There were error(s) loading the rules: /tmp/rules.debug:1015: sticky-address cannot be redefined - The line in question reads [1015]: pass in quick on $VLAN_PRIVATE $GWVPN_Gateway inet proto icmp from $network_private_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1579638453 keep state label "USER_RULE: Allow defined ICMP"
    @ 2020-06-26 12:38:37
    

    This is the rule:

    <rule>
        <id></id>
        <tracker>1579017667</tracker>
        <type>pass</type>
        <interface>opt3</interface>
        <ipprotocol>inet</ipprotocol>
        <tag>nonvpntraffic</tag>
        <tagged></tagged>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype><![CDATA[keep state]]></statetype>
        <os></os>
        <protocol>icmp</protocol>
        <icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
        <source>
            <address>network_private</address>
        </source>
        <destination>
            <any></any>
        </destination>
        <descr><![CDATA[Allow defined ICMP]]></descr>
        <gateway>WAN_PPPOE</gateway>
        <created>
            <time>1579017667</time>
            <username><![CDATA[admin@192.168.1.102 (Local Database)]]></username>
        </created>
        <updated>
            <time>1579638306</time>
            <username><![CDATA[admin@192.168.1.102 (Local Database)]]></username>
        </updated>
    </rule>


    Also, the internet connection with my VPN policy-based routing is broken if sticky connections is enabled and I reboot the pfSense. Maybe someone has an idea what's wrong here?

    Regards from Germany,
    JodelMoe



  • Can you attach a screenshot of your firewall rules?
    I need to check the order.



  • Sure, I also opened a bug report. The order is okay and makes sense.
    If it would help you, I can upload the whole firewall rules section.

    (attachment: bug#1.png)



  • Thank you, I have already reproduced this issue on my pfSense.

    It seems to be a pfctl icmp-type + sticky-address issue,
    but only if you select ICMP message types (ICMP any works fine).

    https://redmine.pfsense.org/issues/10726


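Added example (not code from the thread, from Netgate or from pfSense): a small Python checker that reads text in the shape of pfSense's generated /tmp/rules.debug, expands the gateway macros, and lists every rule that combines a sticky-address gateway pool with an explicit icmp-type, which is the combination the last reply identifies as the trigger. The macro layout (gateway groups becoming `$GW...` macros whose body carries `route-to`, the pool option and `sticky-address`), the interface and alias names, the addresses and all trackers other than 1568891569 are constructed assumptions for this example; only the first rule line is modelled on the one quoted in the post.

```python
import re
import sys

# Constructed excerpt in the shape of pfSense's generated /tmp/rules.debug.
# ASSUMPTION: gateway groups are emitted as `GWname = " route-to ... "` macros
# and referenced as $GWname inside rules; with sticky connections enabled the
# macro body ends in "sticky-address". Interfaces, addresses and every tracker
# except 1568891569 (the rule quoted in the post) are made up for this example.
SAMPLE_RULES_DEBUG = """\
GWWAN_PPPOE = " route-to ( pppoe0 203.0.113.1 ) "
GWVPN_Gateway = " route-to { ( ovpnc1 10.8.0.1 ), ( ovpnc2 10.8.1.1 ), ( ovpnc3 10.8.2.1 ) } round-robin sticky-address "
pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1568891569 keep state label "USER_RULE: Allow defined ICMP"
pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any tracker 1000000001 keep state label "USER_RULE: Allow any ICMP"
pass in quick on $VLAN_PRIVATE $GWWAN_PPPOE inet proto icmp from $network_private to any icmp-type { echorep,echoreq } tracker 1000000002 keep state label "USER_RULE: Allow defined ICMP"
pass in quick on $VLAN_PRIVATE $GWVPN_Gateway inet proto tcp from $network_private_vpn to any port 443 tracker 1000000003 keep state label "USER_RULE: HTTPS via VPN"
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')          # NAME = " body "
GW_MACRO_RE = re.compile(r'\$(GW\w+)')                      # $GWname reference
ICMP_TYPE_RE = re.compile(r'\bicmp6?-type\s+(\{[^}]*\}|\S+)')  # list or single type
TRACKER_RE = re.compile(r'\btracker\s+(\d+)')


def parse_macros(text):
    """Return {name: body} for every `NAME = " ... "` definition line."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand_macros(line, macros):
    """Substitute $NAME with its macro body. Names not defined in this text
    (interfaces, aliases defined elsewhere in the real file) are left as-is."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def icmp_types(rule):
    """Return the ICMP types a rule names explicitly, or [] if it has none
    (a rule with plain `proto icmp` and no icmp-type matches any type)."""
    m = ICMP_TYPE_RE.search(rule)
    if not m:
        return []
    spec = m.group(1).strip('{}')
    return [t.strip() for t in spec.split(',') if t.strip()]


def find_sticky_icmp_rules(text):
    """List the filter rules that, after macro expansion, carry both a
    sticky-address pool and an explicit icmp-type: the combination the
    thread's last reply reports as failing to load."""
    macros = parse_macros(text)
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith(('pass ', 'block ', 'match ')):
            continue
        expanded = expand_macros(line, macros)
        types = icmp_types(expanded)
        if 'sticky-address' not in expanded or not types:
            continue
        gw = GW_MACRO_RE.search(line)
        tracker = TRACKER_RE.search(line)
        hits.append({
            'line': lineno,
            'tracker': tracker.group(1) if tracker else None,
            'gateway': gw.group(1) if gw else None,
            'icmp_types': types,
        })
    return hits


if __name__ == '__main__':
    # Pass a real /tmp/rules.debug as the first argument to scan a live box.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_DEBUG
    for hit in find_sticky_icmp_rules(text):
        print(f"line {hit['line']}: tracker {hit['tracker']} via ${hit['gateway']} "
              f"combines sticky-address with icmp-type {hit['icmp_types']}")
```

The checker only reports the rules pfSense would trip over on load; it does not rewrite them. The reply above notes that the same rule with ICMP type set to any loads fine, but dropping the type list widens the rule to every ICMP type, so treat that as a deliberate policy change rather than a silent fix. On the firewall itself, `pfctl -nf /tmp/rules.debug` reproduces the loader error without applying anything.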