OpenVPN Interface "net" not correct - bug?
Ran into an interesting situation today. I can't tell if this is expected behavior or if it's a bug. If this is in the wrong section, please move. Although I feel this teeters between multiple sections.
When creating a firewall rule for an OpenVPN interface, selecting the "[INTERFACE] net" as the source or destination results in it providing only the interface's address, not the subnet. This is only the case when the OpenVPN server or client is configured as Peer to Peer. Remote Access will properly provide the entire tunnel subnet. I can confirm this in the rules in the console by running pfctl -sr.

Example tunnel subnet: 172.16.203.0/30

In Peer to Peer mode:
pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet from 172.16.203.1 to any flags S/SA keep state label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074

In Remote Access mode:
pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet from 172.16.203.0/30 to any flags S/SA keep state label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074
I'm running pfSense Plus 22.05 but also discovered this on 22.01. Is this a bug? If it is I'll see if I can submit it to Redmine. If it's not, I'm interested in the logic behind this decision.
Thanks!
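The practical question behind the post is "what did the '[INTERFACE] net' macro actually expand to in the loaded ruleset?" The following is an added example, not part of the original post or of pfSense: a small Python check that parses `pfctl -sr` output, pulls out the `from` address of each rule on a given OpenVPN interface, and reports whether it covers the expected tunnel subnet or is only a single host address. The two rule lines embedded as sample input are the ones quoted in the post; the interface-to-subnet mapping (`ovpns5` -> `172.16.203.0/30`) is taken from the post as well, and any other interface names are assumptions the reader would replace with their own.

```python
import ipaddress
import re

# Sample input: the two `pfctl -sr` rule lines quoted in the post above
# (Peer to Peer first, then Remote Access). Constructed for this example.
PEER_TO_PEER_RULE = (
    'pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet '
    'from 172.16.203.1 to any flags S/SA keep state '
    'label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074'
)
REMOTE_ACCESS_RULE = (
    'pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet '
    'from 172.16.203.0/30 to any flags S/SA keep state '
    'label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074'
)

# Minimal pf filter-rule matcher: action, direction, interface, from/to tokens.
# It deliberately ignores everything else (reply-to, flags, labels).
RULE_RE = re.compile(
    r'^(?P<action>pass|block|match)\s+(?P<dir>in|out)\b.*?'
    r'\bon\s+(?P<iface>\S+)\b.*?'
    r'\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
)


def parse_rule(line):
    """Return the interesting fields of one pf rule, or None if it is not a filter rule."""
    m = RULE_RE.match(line.strip())
    return m.groupdict() if m else None


def to_network(token):
    """Turn a pf address token into an ip_network.

    pf prints a bare host address with no prefix length, so a token such as
    172.16.203.1 becomes 172.16.203.1/32. 'any' and 'self' carry no network.
    """
    if token in ('any', 'self'):
        return None
    return ipaddress.ip_network(token, strict=False)


def check_net_expansion(rule_line, tunnel_network):
    """Describe whether the rule's source address covers the expected tunnel subnet."""
    rule = parse_rule(rule_line)
    if rule is None:
        raise ValueError('not a recognisable pf filter rule: %r' % rule_line)
    expected = ipaddress.ip_network(tunnel_network)
    src = to_network(rule['src'])
    covers = src is not None and expected.subnet_of(src)
    return {
        'interface': rule['iface'],
        'source': str(src) if src is not None else rule['src'],
        'expected': str(expected),
        'covers_tunnel': covers,
        # True when the macro expanded to a single address instead of a subnet.
        'host_only': src is not None and src.prefixlen == src.max_prefixlen,
    }


def audit_pfctl_output(text, tunnel_networks):
    """Scan `pfctl -sr` output for rules on known OpenVPN interfaces.

    tunnel_networks maps an interface name (e.g. 'ovpns5') to the tunnel
    subnet you configured for it. Returns the rules whose source does not
    cover that subnet, which is exactly the Peer to Peer symptom in the post.
    """
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule['iface'] not in tunnel_networks:
            continue
        result = check_net_expansion(line, tunnel_networks[rule['iface']])
        if not result['covers_tunnel']:
            findings.append(result)
    return findings


if __name__ == '__main__':
    # On a live box you would feed this the real output:
    #   pfctl -sr | python3 check_ovpn_net.py
    sample = PEER_TO_PEER_RULE + '\n' + REMOTE_ACCESS_RULE
    for finding in audit_pfctl_output(sample, {'ovpns5': '172.16.203.0/30'}):
        print('%(interface)s: source %(source)s does not cover tunnel %(expected)s'
              ' (host_only=%(host_only)s)' % finding)
```

Run against the two sample lines, only the Peer to Peer rule is flagged: its source is `172.16.203.1/32`, which does not cover `172.16.203.0/30`, while the Remote Access rule passes. Piping real `pfctl -sr` output through `audit_pfctl_output` gives a quick way to confirm the macro expansion on your own ruleset before deciding whether to file it.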