Floating rule not behaving as expected

joesl

Hello all,

I kindly need some help as I've been staring at a couple of rules for far too long and I don't see my issue. Thank you in advance.

I'm configuring a pf box using the same philosophy I use in another box which works great. However something is not working. Imagine I have a VLAN 192.168.199.0/24. The pfs is 192.168.199.1. I am able to connect devices to this VLAN and they are able to comunicate with each other. As an example 192.168.199.2 can ping 192.168.199.3. This is expected as they wouldn't even hit the firewall. However, I want 192.168.199.2 to also ping 192.168.199.1. No biggie there.. I just need a rule for this interface allowing "VLAN Net" to talk to "VLAN Address" for ICMP. Done. Works. I think this validates all VLAN/Interface stuff is setup correctly.
See below the rule at the top of the rules in the tab "VLAN":

Screen Shot 2020-09-28 at 2.08.53 PM.png

Now, I like to put some "failsafe" rules in my floating tab to avoid inter-lan communications which could be broken by mistake if any rule within the "interface tabs" is put as any/any. Something like "if you aint lan1, you can't talk to lan1". These are then overridden by rules above. Something like this (this is selected for all interfaces and direction is "IN"):

Screen Shot 2020-09-28 at 2.11.50 PM.png

Mind that this works perfectly in my other firewall. For some reason though, in this new box, if I enable this rule. I can't ping 192.168.199.1 from 192.168.199.2. If I disable it, I can. How can this even match, given that 192.168.199.2, 192.168.199.1 are within VLAN?!

I enabled logging and they indeed get blocked (1599498920 is the floating rule above):

Screen Shot 2020-09-28 at 2.15.09 PM.png

I am stumped and I don't understand why 192.168.199.100 matches "! VLAN" .. has this something to do with the switch of this device (SG-1100)? For completeness sake this is how it's configured:

Screen Shot 2020-09-28 at 2.18.22 PM.png
Screen Shot 2020-09-28 at 2.19.14 PM.png

Thank you for your help!

joesl

I found the issue.. the culprit is pfBlockerNG.
My pfBlockerNG listen from VLAN with the virtual IP being 10.10.10.1 and I also had checked:

Screen Shot 2020-09-28 at 4.12.36 PM.png

The following floating rules are created and they obviously block traffic:

block return in log quick on mvneta0.199 inet from ! 192.168.199.0/24 to 10.10.10.1 label "USER_RULE: Isolating VLAN from any other interface"
block return in log quick on mvneta0.199 inet from ! 10.10.10.1 to 192.168.199.0/24 label "USER_RULE: Isolating VLAN from any other interface"
block return in log quick on mvneta0.199 inet from ! 10.10.10.1 to 10.10.10.1 label "USER_RULE: Isolating VLAN from any other interface"

Does this look to you like a bug from pfblocker? Please, if possible can this thread be moved to the correct subforum?

Thanks!

johnpoz

The use of ! rules when there VIPs has always been problematic where you can get things that overlap, etc.

This is why its never a good idea to use ! rules unless you are clear on exactly what your doing, and validate rules work as expected.

joesl

Hello Johnpoz, thanks for replying!

Could you please explain the issue (or point me to relevant documentation) about "! Rules" vs "VIP"? I wasn't aware of it!
To be clear: do you think this is an expected consequence or do you think this is an issue with how creates the rules pfblockerng?

Thanks a lot!