Netgate Discussion Forum

Firewall Rules not applying to http traffic

Category: Firewalling
Tags: firewall rules, gateway, routing
9 Posts 3 Posters 1.0k Views
  • J
    jack7076
    last edited by Jan 30, 2021, 9:36 AM

    Hi all,

    I'm really confused at why my current firewall rules aren't working for selective gateway routing.
    Really hope someone here can help. Basically what I want to achieve is to have specific domains route over a different WAN gateway.

    My current rule looks like so:
    Action: Pass
    Interface: LAN
    Source: *
    Destination: Single Host / Alias - (Domains that I want routed over alterative WAN Gateway)
    Protocol: Any
    Address Family: IPv4

    Gateway: WANGW (192.168.40.1)

    What happens:
    When I make a network request over HTTPS/SSL my traffic is routed over the selected gateway. However when I then make that request unencrypted over HTTP the connection routes through my other gateway.

    This is known because the domain I request returns the Public IP of the respective gateway.
    i.e. HTTPS: 210.XXX.XXX.238 HTTP: 27.XXX.XXX.131

    I can also see that the rule only creates and logs states which are connecting to port 443 and does not show any logs or states for connections to port 80

    Any help would be greatly appreciated.

    H 1 Reply Last reply Jan 30, 2021, 10:06 AM Reply Quote 0
    • H
      heper @jack7076
      last edited by Jan 30, 2021, 10:06 AM

      @jack7076

      did you try putting the rule all the way to the top of the ruleset?
      did you reset states after making the change?

      J N 2 Replies Last reply Jan 30, 2021, 10:12 AM Reply Quote 1
      • J
        jack7076 @heper
        last edited by Jan 30, 2021, 10:12 AM

        @heper Thanks for taking a look. Just tried resetting the states on my firewall; it didn't seem to change the outcome. I have put the rule at the top of my LAN rules, which in theory takes priority over all other rules, which is why I am so confused.

        N H 2 Replies Last reply Jan 30, 2021, 10:26 AM Reply Quote 0
        • N
          noplan @jack7076
          last edited by Jan 30, 2021, 10:26 AM

          @jack7076

          Ruleset works from top to bottom
          First rule match counts

          Screenshot of your rules
          Everything else is practicing santeria with a crystal ball

          1 Reply Last reply Reply Quote 1
          • N
            noplan @heper
            last edited by Jan 30, 2021, 10:26 AM

            @heper said in Firewall Rules not applying to http traffic:

            @jack7076

            did you try putting the rule all the way to the top of the ruleset?
            did you reset states after making the change?

            1 Reply Last reply Reply Quote 1
            • H
              heper @jack7076
              last edited by heper Jan 30, 2021, 11:04 AM

              @jack7076

              Maybe some other rule in an interface group or floating is messing things up then?

              Or
              Squid is messing things up

              J 1 Reply Last reply Jan 30, 2021, 11:28 AM Reply Quote 1
              • J
                jack7076 @heper
                last edited by Jan 30, 2021, 11:28 AM

                @heper That did catch my attention before. I checked the squid logs and cache hits, no hits for the domain/url I was testing. I did add it to my exclusions which still did not make any effect. However I just tried completely disabling squid and my request was made using the firewall rules correctly and created the states. See: c1c07e24-96c3-4cd0-ae04-0cfde13df1dd-image.png

                Could this be a bug with squid on pfsense or just a configuration issue by myself? In other words would this be worth reporting to either pfsense devs or the squid maintainers?

                Thank you very much for all your help on this.

                Thank you to @noplan as well for taking the time to look at my issue.

                N H 2 Replies Last reply Jan 30, 2021, 11:44 AM Reply Quote 0
                • N
                  noplan @jack7076
                  last edited by Jan 30, 2021, 11:44 AM

                  @jack7076

                  screenshot of your firewall rules and your gateway setup
                  this smells

                  if you are going to check firewall rules you have to kill all active states or the rules will be ignored
                  after massive changes in the rule set I recommend rebooting the firewall; that makes more sense for me and is faster

                  br NP

                  1 Reply Last reply Reply Quote 0
                  • H
                    heper @jack7076
                    last edited by Jan 30, 2021, 11:49 AM

                    @jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan

                    1 Reply Last reply Reply Quote 0
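The two mechanisms raised in this thread (heper's first reply: rule order and state reset; heper's last reply: transparent Squid intercepting port 80 before the LAN policy-route rule can act) can be illustrated with a small model of pf's evaluation order. The following is an added example written for this page, not pfSense, pf or Squid code: the gateway names other than WANGW, the `203.0.113.10` alias member, the client address and the flows are all constructed. It models first-match filtering, state lookup bypassing the ruleset, and a NAT redirect (rdr) that runs before filtering and hands LAN tcp/80 to a proxy on the firewall, whose own upstream connection then follows the system default route.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_GW = "WAN2GW"          # system default route (constructed name)
POLICY_GW = "WANGW"            # gateway chosen in the LAN rule (from the thread)
ALT_ALIAS = {"203.0.113.10"}   # TEST-NET-3 address standing in for the domain alias


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.src, self.dst, self.dport, self.proto)


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dst: Optional[Set[str]] = None   # None means any destination
    dport: Optional[int] = None      # None means any port
    gateway: Optional[str] = None    # policy-route gateway; None = system route

    def matches(self, f: Flow) -> bool:
        return ((self.dst is None or f.dst in self.dst)
                and (self.dport is None or f.dport == self.dport))


@dataclass
class Firewall:
    rules: list
    transparent_proxy: bool = False  # transparent Squid on LAN tcp/80
    proxy_port: int = 3128
    states: dict = field(default_factory=dict)      # flow key -> gateway
    matched_by: dict = field(default_factory=dict)  # flow key -> what decided it

    def _rdr(self, f: Flow) -> Flow:
        # NAT redirect runs before the filter rules: with transparent Squid
        # enabled, LAN tcp/80 is rewritten to the proxy on the firewall itself.
        if self.transparent_proxy and f.proto == "tcp" and f.dport == 80:
            return Flow(f.src, "127.0.0.1", self.proxy_port, f.proto)
        return f

    def route(self, f: Flow) -> str:
        """Return the gateway the flow leaves on; the first match creates a state."""
        k = f.key()
        if k in self.states:
            return self.states[k]        # an existing state bypasses the ruleset
        g = self._rdr(f)
        if g.dst == "127.0.0.1":
            # Squid accepts the redirected connection and opens its own upstream
            # connection from the firewall; that follows the system routing
            # table, so the LAN policy-route rule never sees it.
            self._commit(k, DEFAULT_GW, "rdr -> squid")
            return DEFAULT_GW
        for i, r in enumerate(self.rules):   # top to bottom, first match wins
            if r.matches(g):
                if r.action != "pass":
                    self._commit(k, "blocked", f"rule {i}")
                    return "blocked"
                gw = r.gateway or DEFAULT_GW
                self._commit(k, gw, f"rule {i}")
                return gw
        self._commit(k, "blocked", "default deny")
        return "blocked"

    def _commit(self, k, gw, why):
        self.states[k] = gw
        self.matched_by[k] = why

    def reset_states(self):
        self.states.clear()
        self.matched_by.clear()


def policy_rule() -> Rule:
    # the rule from the thread: pass, destination = alias, gateway = WANGW
    return Rule("pass", dst=ALT_ALIAS, gateway=POLICY_GW)


def catch_all() -> Rule:
    return Rule("pass")   # a default "allow LAN to any" rule with no gateway


def demo() -> dict:
    https = Flow("192.168.1.50", "203.0.113.10", 443)   # constructed flows
    http = Flow("192.168.1.50", "203.0.113.10", 80)
    out = {}
    # policy rule placed below the catch-all: it is never reached
    fw = Firewall([catch_all(), policy_rule()])
    out["below_catchall"] = (fw.route(https), fw.route(http))
    # rule moved to the top, but the states from the first test still exist
    fw.rules = [policy_rule(), catch_all()]
    out["moved_no_reset"] = (fw.route(https), fw.route(http))
    # same ruleset after killing states
    fw.reset_states()
    out["moved_reset"] = (fw.route(https), fw.route(http))
    # same ruleset with transparent Squid intercepting port 80
    fw = Firewall([policy_rule(), catch_all()], transparent_proxy=True)
    out["with_squid"] = (fw.route(https), fw.route(http))
    out["squid_http_decided_by"] = fw.matched_by[http.key()]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` walks through the thread in order: with the policy rule below a catch-all both ports leave via the default gateway; moving it to the top changes nothing until the stale states are killed; and once transparent Squid is enabled, only the port-443 flow is decided by the policy rule, while port 80 is claimed by the redirect and leaves on the default route, which is exactly the "states only for 443" symptom in the first post.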
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.