Netgate Discussion Forum

Inconsistent creation of default FW rules when building within HyperV

  • D
    DMease
    last edited by Sep 15, 2023, 1:43 PM

    Hi,

    On sharing some of my lab build details for pfSense, I received feedback to advise that some steps were not working. On investigating, we found the following:

    • When building a virtual pfSense FW (release pfSense-CE-2.4.5-RELEASE-p1-amd64), in HyperV, before installation, we had set 4 interfaces on the FW, and these were detected as WAN, LAN, OPT1 and OPT2 (expected)
    • Following the build, and before any custom rules were created, a host connected to the same vSwitch as FW OPT1 could not communicate with the OPT1 interface (tested with ICMP and HTTP). arp -a showed the OPT1 MAC address in the host's ARP cache. All IP addressing confirmed as OK.
    • Moving host briefly to the same vSwitch as LAN, addressing accordingly, and browsing to pfSense GUI, we saw that there were no default rules on OPT1, nor OPT2. This may be expected.

    However.... all of my previous builds (last week and earlier), where I ran through my own lab build steps myself, resulted in default rulesets being present after pfSense install. OPT1 and OPT2 had IPv4 any (protocol), any (src), any (dst) - different to LAN default rules, which consisted of anti-lockout, IPv4 any any any, and IPv6 any any any.

    One hypothesis is that I have lost my mind, and actually created the OPT1 and OPT2 rules myself - however I strongly believe I did not do that. Testing my own build guide myself now, however, I get the same results (no default rules on OPT1 nor OPT2).
    Second hypothesis is that HyperV has maybe updated recently (there was an OS upgrade), and the way that the installer interacts with HyperV has resulted in OPT1 and OPT2 not having default rules now (which does seem far-fetched... but this is niggling me...)

    Any thoughts appreciated on this. I am tempted to try builds on older Win10 and HyperV versions to see, but that way could lie further madness...

    In short - what is the expected outcome of building with additional interfaces (more than 2) - is it expected under normal circumstances that the OPTx interfaces start off with default rules?

    Many thanks,

    • N
      NollipfSense @DMease
      last edited by Sep 16, 2023, 1:54 AM

      @DMease That's like old news...we're on 2.7...

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • S
        SteveITS Galactic Empire @DMease
        last edited by Sep 16, 2023, 3:40 AM

        @DMease by default only LAN has rules.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

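An added example, not part of the original thread and not Netgate code: a check that lists which assigned interfaces in a pfSense configuration backup have no enabled pass rules, which is the state the answer above describes for OPT1 and OPT2 on a fresh install. The sample XML is constructed, and the element layout (`<interfaces>` children, `<filter>/<rule>` with `<type>`, `<interface>` and `<disabled/>`) is an assumption about the config.xml backup format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup (assumed layout:
# <interfaces> holds one child per assigned interface, <filter> holds <rule> entries).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>hn0</if><descr>WAN</descr></wan>
    <lan><if>hn1</if><descr>LAN</descr></lan>
    <opt1><if>hn2</if><descr>OPT1</descr></opt1>
    <opt2><if>hn3</if><descr>OPT2</descr></opt2>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol></rule>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol></rule>
    <rule><type>pass</type><interface>opt2</interface><disabled/></rule>
  </filter>
</pfsense>"""


def pass_rules_per_interface(config_xml):
    """Return {interface: count of enabled pass rules} for every assigned interface."""
    root = ET.fromstring(config_xml)
    counts = {iface.tag: 0 for iface in root.find("interfaces")}
    for rule in root.iterfind("filter/rule"):
        if rule.find("disabled") is not None:
            continue  # disabled rules never match traffic
        if rule.findtext("type") != "pass":
            continue  # block/reject rules do not open an interface
        # A rule may name several interfaces as a comma-separated list.
        for name in (rule.findtext("interface") or "").split(","):
            if name.strip() in counts:
                counts[name.strip()] += 1
    return counts


def interfaces_without_pass_rules(config_xml):
    """Interfaces where inbound traffic hits only the implicit default deny."""
    counts = pass_rules_per_interface(config_xml)
    return sorted(name for name, count in counts.items() if count == 0)


if __name__ == "__main__":
    for name in interfaces_without_pass_rules(SAMPLE_CONFIG):
        print(f"{name}: no enabled pass rules, inbound traffic is dropped")
```

In the constructed sample, OPT2 is reported alongside OPT1 because its only rule is disabled.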
        • D
          DMease @SteveITS
          last edited by Sep 17, 2023, 3:24 PM

          @SteveITS cheers :-) muchly appreciated

          That leaves me with the other option of me at some point configuring the OPT1 and OPT2 rules, in a way which I wouldn't normally configure them, then forgetting about it. Trip to the docs on the cards......

          Labbing multiple scenarios and builds can mess with your head - at least I have an answer now!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.