Firewall Rule for gateway online ONLY

Bambos

Hello everyone,

i have a site to site VPN where on the client firewall vpn interface i have an open rule, so i manage everything on the server side vpn interface (on each interface of each site)

For the time i need to just keep the tunnel, without allowing any traffic, so i set this rule : where net and address on this is the tunnel IP's.

on the client side is red:

By the time i'm changing the firewall rule to specific Host, 172.18.29.2 (which is in the range of the net according the previous firewall rule)
the gateway on the client turns green:

Is there any explanation for this, or is something like a bug ??

viragomann

@bambos said in Firewall Rule for gateway online ONLY:

where net and address on this is the tunnel IP's

Are you really sure???

The fact that the gateway name is quite different let me doubt.

Bambos

@viragomann I'm very sure :) !!! see below server and client IPs.

viragomann

@bambos
That doesn't say really much.

Post a screenshot of System > Routing > Gateways, please.

Bambos

@viragomann yes..

viragomann

@bambos
That's a small section, not the whole screen and that does not match to the gateway you've monitoring issues.

Bambos

@viragomann why not ?? .1 is the server, .2 is the client.

this is the whole section

viragomann

@bambos
So there is no gateway with the name "SUNTECHNICS_VPN_VPNV" in this list as shown in the monitoring screen above.

So I'm quite wondering, where you got this screen from. Is it from the other site of the VPN?

Bambos

@viragomann i think you confused a little. The red gateway was on the VPN client side, not having the correct firewall rule on the server interface ! please see post 1 again.

As i said , i have an allow all on the client side (vpn interface) and control only on the server side (vpn interface).

viragomann

@bambos
Okay, I've reproduced this in my network. You're right. The ping doesn't work if the source is the implicit network variable for what ever reason.
But it works, when I state the tunnel network in numbers.

Yes, seems as a bug, which shouldn't behave like that.

Bambos

@viragomann thanks a lot Sir, i'm glad we figured this out. How we can put that on official bugs so netgate could resolve ?

viragomann

@bambos
You may find a link in the forum, I think.
But did you get this on a current release? I reproduced it on 2.4.5, so I don't know if it still persists.

Additional info:
Checked out /tmp/rules.debug and found that the net is replaced with the clients IP with /32 mask.
So obviously the net doesn't work properly with OpenVPN interfaces on the client, the tunnel network is not taken over in the variable even if it is stated in the settings.

Bambos

@viragomann client is 2.4.5 and server is 2.5.1.

viragomann

@bambos
So we don't know if it still persists in recent versions at all.
I kicked my only one 2.6 installation due to dynamic DNS issues.

I would prescind from reporting a bug in this case.

Bambos

@viragomann Hello Sir !!!

I have tested this again with both client and server to 2.6 latest version.
Same problem appears.

First rule is not letting the client ping, so gateway is red.
second rule let the client gateway ping (and going green)

172.18.47.2 it is a part of the LAN47_MXGREEN net, so to my understanding is the same firewall rule !!

as a prove i have it first, and 0B traffic there. Is this a bug now ?

viragomann

@bambos
Yes, I agree that it behaves in an other way than expected. Obviously the 'interface net' alias doesn't work with OpenVPN interfaces.

If you check Status > Interfaces the site to site OpenVPNs interfaces have a 255.255.255.255 mask. So it only includes the interface IP. And the same is adopted in the rule.
Don't know, what's the reason for this behavior.