<![CDATA[Where to add VIP interface rule ?]]>Hi,

I have setup VIP (10.10.13.1), FW1 (10.10.13.2 | Sub-Interface (VLAN13_Servers), FW2 (10.10.13.3 | Sub-Interface VLAN13_Servers).

I have set a reject any IPv4 rule on this Sub-Interface of FW1, and shutdown FW2 for testing.

Parent interface 1_Management_Trunk of Sub-Interface VLAN13_Servers is also added with a reject all IPv4 rule.

I have 2 VMs, 1 in 192.168.13.0/24 and other in 10.10.13.0/24 communicating with each other even with a reject rule.

I found out that if I disable the VIP (10.10.13.1 in FW1) the pings between the 2 VMs stops. So I'm understanding that this is because gateway of the VM in 10.10.13.0/24 network is set as 10.0.13.1 (VIP).

At this point I'm lost as to which interface to apply the block rule for traffic going through VIP gateway ?

Any thoughts ?

Thank You

]]>https://forum.netgate.com/topic/178432/where-to-add-vip-interface-ruleRSS for NodeSat, 06 Jun 2026 11:24:31 GMTThu, 02 Mar 2023 05:52:53 GMT60<![CDATA[Reply to Where to add VIP interface rule ? on Thu, 02 Mar 2023 11:02:39 GMT]]>@huud
Try Status > Filter Reload.
Had a similar issue yesterday as I had a pass rule removed before, and this solved it.

]]>https://forum.netgate.com/post/1091633https://forum.netgate.com/post/1091633Thu, 02 Mar 2023 11:02:39 GMT<![CDATA[Reply to Where to add VIP interface rule ? on Thu, 02 Mar 2023 10:55:28 GMT]]>@viragomann

I have only 1 rule which is block all IPv4 rule which is active on both Parent and VLAN Sub-Interface.

There is no floating rule added.

Even after clearing the states table the VM in 10 network is accessible.

]]>https://forum.netgate.com/post/1091631https://forum.netgate.com/post/1091631Thu, 02 Mar 2023 10:55:28 GMT<![CDATA[Reply to Where to add VIP interface rule ? on Thu, 02 Mar 2023 10:52:25 GMT]]>@huud
No, a VLAN interface is completely independent from the parent interface.

Basically pfSense blocks any traffic and you need to add rule to allow something.

So you have already cleared the states?

Consider the Rule Processing Order in pfSense.
If you have floating pass rules or rules on an interface group, which the concerned interface is a member of, these have higher priority.

]]>https://forum.netgate.com/post/1091630https://forum.netgate.com/post/1091630Thu, 02 Mar 2023 10:52:25 GMT<![CDATA[Reply to Where to add VIP interface rule ? on Thu, 02 Mar 2023 10:31:45 GMT]]>@SteveITS Thanks for clarifying that.

I can understand about the states now, but I could not understand in my case where a VIP is added on a VLAN Sub-Interface, will a block rule be added to the Parent or the VLAN Sub-Interface for the rule to take effect because I'm unable to understand where is the VIP interface ?

]]>https://forum.netgate.com/post/1091623https://forum.netgate.com/post/1091623Thu, 02 Mar 2023 10:31:45 GMT<![CDATA[Reply to Where to add VIP interface rule ? on Thu, 02 Mar 2023 06:25:44 GMT]]>@huud rules are processed in order on the interface on which the packet arrives.

If adding block rules ensure there are no existing/open states that would allow the traffic.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

]]>https://forum.netgate.com/post/1091590https://forum.netgate.com/post/1091590Thu, 02 Mar 2023 06:25:44 GMT