VTI and Firewall rules

Toto le haricot

Hello Netgate team and fellow users,

First I apologize for the approximations, english is not my first langage...
I don't usually need a lot of help around pfSense, but this time un stumbled upon a particularly tough problem I can't solve by myself...

The situation:
We need to interconnect several sites with VTI IPSEC, one is under another entreprise responsibility (let's call it it site A) the others (twenty, from B to U) are on our client side and we manage them.

• A is a cisco device
• B is an Azure pfSense VM (2.4.5-p1)
• C to U are SG-5100 and 3100 appliances (2.4.5-p1)

Since the IPSEC links between site A and others are paid, we are trying to rationalize the costs for this client particularly heavily impacted by the pandemic (no business for 1 year, and counting). pfSense vs a subscription-based solution is part of the answer here, but we are trying to find another angles.

What I've done:
So i tried to have only one VTI between site A and B, and get everybody routed from C, D, E, ... to A through B.
It's basically working, but there's a catch: people from site A does not want to add routes for C, D, E, ..., only one route to a single /24. And we are not getting another route, this is standard procedure for a multi billion $ company (we tried, to no avail...)

"Hey, I'm smart, this this easy: I just have to add a virtual IP on site B, do outbound NAT, and booom, problem solved !" So I got them to add a route to 10.255.255.0/24, added a VIP 10.255.255.1 on site B, outbound NAT rule for a local "test" VLAN.

Hmmm, no, there's still a problem: Netgate docs
Firewall rule processing can be confusing, as mentioned in Routed IPsec Firewall Rules. This is still undergoing testing, but likely means that reply-to will not function. There are also known issues with NAT, notably that NAT to the interface address works but 1:1 NAT or NAT to an alternate address does not work.

So I found a solution: filtering if_ipsec

    "net.inet.ipsec.filtertunnel"   => "0x0001",
    "net.inet6.ipsec6.filtertunnel" => "0x0001",
    "net.enc.out.ipsec_bpf_mask"    => "0x0000",
    "net.enc.out.ipsec_filter_mask" => "0x0000",
    "net.enc.in.ipsec_bpf_mask"     => "0x0000",
    "net.enc.in.ipsec_filter_mask"  => "0x0000" 

But "In if_ipsec filtering mode, the IPsec tab should be hidden and assigned if_ipsec interface tabs visible." stated in the bugtracker is not working here: I still see the global IPSEC tab in Firewall > Rules.
Not a problem for site B, the outbound NAT rule is working and I can communicate between site A and my test VLAN on site B. When I do a packet capture on the VTI interface, is see packets originating from my VIP and getting back there.

But when traffic comes from site C, there is nothing showing on the A <=> B VTI.
"Hmmm, routing seems OK, time to check the FW logs": gotcha ! traffic from site C gets blocked by Default deny rule IPv4 (1000000103)
Strange, my IPSEC tab is showing a single any-any rule ?
I click on the little "+" "Easy Rule: pass this trafic", and it offers me to add a rule on the ipsec2000 (phy interface for my B <=> C VTI) ! Yes, I can add an Easy Rule, but I cannot do this for every IP on every 19 clients networks...

Where you can help me:

• Do the behavior where I get only my global IPSEC tab is normal ?
• I was planning on adding Easy Rules from CLI for all my source networks on site B. But I don't see where I can order them as I don't have my ipsecX000 interfaces.

If I forgot any relevant information or need to explain further any shortcuts I took here, please let me know.
Thanks a lot for any insight you can give me :)

viktor_g

@toto-le-haricot See https://redmine.pfsense.org/issues/11395

Toto le haricot

@viktor_g said in VTI and Firewall rules:

@toto-le-haricot See https://redmine.pfsense.org/issues/11395

Hello,

Thanks for the answer, but I already went this way, and this a part of my question: changing the system tunables does not change the firewall interfaces display in the webGUI.

viktor_g

@toto-le-haricot you need to apply Patch ID cb0a23f29237d86fbc40259882bba2b5b9d419f5 for that

see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Toto le haricot

@viktor_g
Thank you !
Sorry for the delay, I've been pretty busy during the last month.

I've tested the patch on a test device with a dummy VTI, and here is the result:

And here is the output for the apply details

/usr/bin/patch --directory=/ -t -p2 -i /var/patches/608faf68dfd81.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From cb0a23f29237d86fbc40259882bba2b5b9d419f5 Mon Sep 17 00:00:00 2001
|From: jim-p 
|Date: Wed, 10 Feb 2021 13:15:55 -0500
|Subject: [PATCH] Add option to set IPsec filtering mode. Implements #11395
|
|User can choose between filtering enc (tunnel+VTI) or filtering on
|assigned VTI interface tabs (VTI only, drops all tunnel mode traffic).
|See https://redmine.pfsense.org/issues/11395 for details.
|---
| src/etc/inc/filter.inc                   | 16 +++++++++----
| src/etc/inc/globals.inc                  | 30 ++++++++++++++++++++----
| src/etc/inc/system.inc                   |  9 ++++++-
| src/usr/local/www/vpn_ipsec_settings.php | 26 ++++++++++++++++++++
| 4 files changed, 71 insertions(+), 10 deletions(-)
|
|diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
|index aeb79c9c11a..e5cdf9196f6 100644
|--- a/src/etc/inc/filter.inc
|+++ b/src/etc/inc/filter.inc
--------------------------
Patching file etc/inc/filter.inc using Plan A...
Hunk #1 succeeded at 95 (offset -2 lines).
No such line 4697 in input file, ignoring
Hunk #2 succeeded at 4547 (offset -159 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
|index 33578cc30f7..f2cf76700f9 100644
|--- a/src/etc/inc/globals.inc
|+++ b/src/etc/inc/globals.inc
--------------------------
Patching file etc/inc/globals.inc using Plan A...
Hunk #1 succeeded at 149 (offset -12 lines).
No such line 310 in input file, ignoring
Hunk #2 failed at 307.
1 out of 2 hunks failed while patching etc/inc/globals.inc
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
|index 98d978a645e..82c7364dda8 100644
|--- a/src/etc/inc/system.inc
|+++ b/src/etc/inc/system.inc
--------------------------
Patching file etc/inc/system.inc using Plan A...
Hunk #1 succeeded at 98 (offset -4 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
|index 9458ae2430f..bd8e34c6ede 100644
|--- a/src/usr/local/www/vpn_ipsec_settings.php
|+++ b/src/usr/local/www/vpn_ipsec_settings.php
--------------------------
Patching file usr/local/www/vpn_ipsec_settings.php using Plan A...
Hunk #1 succeeded at 33 (offset -2 lines).
Hunk #2 failed at 47.
Hunk #3 succeeded at 163 (offset -78 lines).
Hunk #4 failed at 208.
Hunk #5 succeeded at 358 (offset -23 lines).
2 out of 5 hunks failed while patching usr/local/www/vpn_ipsec_settings.php
done

Regards,

viktor_g

@toto-le-haricot said in VTI and Firewall rules:

I've tested the patch on a test device with a dummy VTI, and here is the result:

You need to apply it on the latest stable release - 2.5.1

Toto le haricot

@viktor_g
Will 21.02 work too ?

viktor_g

@toto-le-haricot said in VTI and Firewall rules:

@viktor_g
Will 21.02 work too ?

Yes

Toto le haricot

@viktor_g
The SG-3100 has been updated, but the patch still cannot be applied

/usr/bin/patch --directory=/ -t -p2 -i /var/patches/608faf68dfd81.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From cb0a23f29237d86fbc40259882bba2b5b9d419f5 Mon Sep 17 00:00:00 2001
|From: jim-p 
|Date: Wed, 10 Feb 2021 13:15:55 -0500
|Subject: [PATCH] Add option to set IPsec filtering mode. Implements #11395
|
|User can choose between filtering enc (tunnel+VTI) or filtering on
|assigned VTI interface tabs (VTI only, drops all tunnel mode traffic).
|See https://redmine.pfsense.org/issues/11395 for details.
|---
| src/etc/inc/filter.inc                   | 16 +++++++++----
| src/etc/inc/globals.inc                  | 30 ++++++++++++++++++++----
| src/etc/inc/system.inc                   |  9 ++++++-
| src/usr/local/www/vpn_ipsec_settings.php | 26 ++++++++++++++++++++
| 4 files changed, 71 insertions(+), 10 deletions(-)
|
|diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
|index aeb79c9c11a..e5cdf9196f6 100644
|--- a/src/etc/inc/filter.inc
|+++ b/src/etc/inc/filter.inc
--------------------------
Patching file etc/inc/filter.inc using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 97.
Hunk #2 ignored at 4706.
2 out of 2 hunks ignored while patching etc/inc/filter.inc
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
|index 33578cc30f7..f2cf76700f9 100644
|--- a/src/etc/inc/globals.inc
|+++ b/src/etc/inc/globals.inc
--------------------------
Patching file etc/inc/globals.inc using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 161.
Hunk #2 ignored at 319.
2 out of 2 hunks ignored while patching etc/inc/globals.inc
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
|index 98d978a645e..82c7364dda8 100644
|--- a/src/etc/inc/system.inc
|+++ b/src/etc/inc/system.inc
--------------------------
Patching file etc/inc/system.inc using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 102.
1 out of 1 hunks ignored while patching etc/inc/system.inc
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
|index 9458ae2430f..bd8e34c6ede 100644
|--- a/src/usr/local/www/vpn_ipsec_settings.php
|+++ b/src/usr/local/www/vpn_ipsec_settings.php
--------------------------
Patching file usr/local/www/vpn_ipsec_settings.php using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 35.
Hunk #2 ignored at 49.
Hunk #3 ignored at 241.
Hunk #4 ignored at 286.
Hunk #5 ignored at 381.
5 out of 5 hunks ignored while patching usr/local/www/vpn_ipsec_settings.php
done

viktor_g

@toto-le-haricot I can successfully apply this patch on my SG-3100 pfSense 21.02-p2:

Try to reimage the appliance, maybe something wrong with your previous patches

Toto le haricot

Hello,

Sorry for the delay, I still have troubles applying the patch. What I've done:

• Reseting the SG-3100 to defaults: KO
• Re-image it with 21.02-p1, appliying with a default conf: KO
• Update to 21.02.2: KO
• Trying a brand new one updated from 2.4.5-p1 to 21.02: KO
• Re-image the new one with 21.02-p1 (MD5 OK): KO

What I have to try:

• Testing it with a brand new 21.02.2 image
• Test with different appliances we have: SG-1100, SG-5100, SG-7100
• Test with the CE edition (but I'm pretty sure I won't take this path as we heavily rely on multi-WAN)

Regards,

jimp

That feature will be in the 21.05 release due out very soon. You may as well wait a couple weeks for that rather than fighting the patch.

Toto le haricot

@jimp
Great ! I will wait then, thank you for reaching out to me ;)