Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange Firewall rules behaviour with "sticky-connections"

    Scheduled Pinned Locked Moved
    Firewalling
    2
    4
    426
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JodelMoe
      last edited by

      Hello together,

      i am using pfsense for a few years now and everything is running fine. I figured a strange firewall-multiwan error out which i cannot resolve by myself, maybe some could take a look into it?

      I try to explain: I use a PPPoE connection as the main WAN gateway. I have added 3 OpenVPN connections and configured them as another gateway-goup with tier 1. I use both gateways with policy based routing with nat- and firewallrules. That works well, but, as from netgate described, it could make sometimes trouble with some connections. Thats why i wanted to check the box "use sticky connections". But when i checked it, it gives me error messages about wrong firewall rules.

      There were error(s) loading the rules: /tmp/rules.debug:928: sticky-address cannot be redefined - The line in question reads [928]: pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1568891569 keep state label "USER_RULE: Allow defined ICMP"
    @ 2020-06-26 12:28:12

      This is the rule:

                      <rule>
		<id></id>
		<tracker>1568891569</tracker>
		<type>pass</type>
		<interface>opt2</interface>
		<ipprotocol>inet</ipprotocol>
		<tag>vpntraffic</tag>
		<tagged></tagged>
		<max></max>
		<max-src-nodes></max-src-nodes>
		<max-src-conn></max-src-conn>
		<max-src-states></max-src-states>
		<statetimeout></statetimeout>
		<statetype><![CDATA[keep state]]></statetype>
		<os></os>
		<protocol>icmp</protocol>
		<icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
		<source>
			<address>network_guest_vpn</address>
		</source>
		<destination>
			<any></any>
		</destination>
		<descr><![CDATA[Allow defined ICMP]]></descr>
		<gateway>VPN_Gateway</gateway>
		<created>
			<time>1568891569</time>
			<username><![CDATA[admin@192.168.1.106 (Local Database)]]></username>
		</created>
		<updated>
			<time>1579638983</time>
			<username><![CDATA[admin@192.168.1.102 (Local Database)]]></username>
		</updated>

      The firewall-rule should be okay, it works without sticky connection really good. Then is just tried to delete my rule to see what happens, i have nearly the same rule for another interface too. As soon as i deleted it, the next rule shows an error..

      There were error(s) loading the rules: /tmp/rules.debug:1015: sticky-address cannot be redefined - The line in question reads [1015]: pass in quick on $VLAN_PRIVATE $GWVPN_Gateway inet proto icmp from $network_private_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag &quot;vpntraffic&quot; tracker 1579638453 keep state label &quot;USER_RULE: Allow defined ICMP&quot;
@ 2020-06-26 12:38:37

      This is the rule:

                      <rule>
		<id></id>
		<tracker>1579017667</tracker>
		<type>pass</type>
		<interface>opt3</interface>
		<ipprotocol>inet</ipprotocol>
		<tag>nonvpntraffic</tag>
		<tagged></tagged>
		<max></max>
		<max-src-nodes></max-src-nodes>
		<max-src-conn></max-src-conn>
		<max-src-states></max-src-states>
		<statetimeout></statetimeout>
		<statetype><![CDATA[keep state]]></statetype>
		<os></os>
		<protocol>icmp</protocol>
		<icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
		<source>
			<address>network_private</address>
		</source>
		<destination>
			<any></any>
		</destination>
		<descr><![CDATA[Allow defined ICMP]]></descr>
		<gateway>WAN_PPPOE</gateway>
		<created>
			<time>1579017667</time>
			<username><![CDATA[admin@192.168.1.102 (Local Database)]]></username>
		</created>
		<updated>
			<time>1579638306</time>
			<username><![CDATA[admin@192.168.1.102 (Local Database)]]></username>
		</updated>

      Also, the internet connection with my vpn-policy-based routing is broken, if sticky connections is enabled and i rebotted the pfsense. Maybe someone has an idea, whats wrong in here?

      regards from germany
      JodelMoe

      1 Reply Last reply Reply Quote 1
      • viktor_gV
        viktor_g Netgate
        last edited by

        Can you attach screenshot of your firewall rules?
        Need to check the order

        1 Reply Last reply Reply Quote 0
        • J
          JodelMoe
          last edited by

          Sure, i also opened a bug report. The order is okay and makes sense.
          If it would help you, i can upload the whole firewall-rules section.

          bug#1.png

          1 Reply Last reply Reply Quote 0
          • viktor_gV
            viktor_g Netgate
            last edited by

            Thank you, I already reproduced this issue on my pfSense

            seems pfctl icmp-type + sticky-address issue,
            but only if you select icmp message types (icmp any works fine)

            https://redmine.pfsense.org/issues/10726

            1 Reply Last reply Reply Quote 0
            • First post
              Last post