Netgate Discussion Forum

Interface Groups - No IPsec tunnels listed

General pfSense Questions
    michmoor LAYER 8 Rebel Alliance
    last edited by Nov 3, 2023, 2:39 PM

    I'm looking to set up a security-zone-esque setup for my firewall rules, so I wanted to group a few of my IPsec tunnels together as they will share a similar rule set.
    When I go to click Add to add my group members, all my interfaces are listed there, but not my ipsecX interfaces.
    I thought maybe this was just a limitation in that you can't select VPN interfaces, but then I noticed I see my WireGuard 'tun_wgX' interfaces listed.

    My ipsecX interfaces are assigned on the firewall, so I'm not sure why they're not showing up.

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

      michmoor LAYER 8 Rebel Alliance @michmoor
      last edited by Nov 5, 2023, 10:43 PM

      @stephenw10 Any idea on this?
      I'm hesitant to open up a Redmine because I'm not entirely sure it's a "bug".
      I have IPsec, WireGuard and OpenVPN technologies, and only the IPsecX tunnels are the ones I can't set up for interface groups. They are set up as VTI interfaces, so maybe that's the problem?

        stephenw10 Netgate Administrator
        last edited by Nov 5, 2023, 10:44 PM

        It's probably because the IPSec group already covers all IPSec tunnels unless you have switched the filtering mode.

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/firewall-rules.html#tunneled-ipsec-traffic-from-remote-to-local

          michmoor LAYER 8 Rebel Alliance @stephenw10
          last edited by Nov 5, 2023, 10:53 PM

          @stephenw10
          Hmm. So I can have VTIs and per-interface filtering, but cannot do VTI and grouping?

          My goal was to have IPsec1 and IPsec2 in the same group or "zone" and to have similar policies. I'm also running dynamic routing, hence the VTI need.

            stephenw10 Netgate Administrator
            last edited by Nov 6, 2023, 12:16 PM

            It's probably possible now but not implemented yet. VTI interfaces were deliberately excluded from groups because when they were introduced rules added to them had no effect.

            Now we have a way to move filtering onto the VTI interfaces they could likely be added back but it would require some logic there to allow it.

            See: https://redmine.pfsense.org/issues/11134

            You could comment out the code to allow it:
            https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/interfaces_groups_edit.php#L54

            Steve

              michmoor LAYER 8 Rebel Alliance @stephenw10
              last edited by Nov 6, 2023, 1:58 PM

              @stephenw10
              Oh man... this is nice.
              OK, let me try this out and let you know. Do I restart the webConfigurator once I've commented out lines 55-59?

              Also, if putting in the ability to see it in the GUI is just a comment, why can't it be done with an update (23.09)?

                stephenw10 Netgate Administrator
                last edited by Nov 6, 2023, 2:31 PM

                It needs some logic there to allow it only if filtering has been moved. But then would it also need code to remove it if the filtering is switched back? It needs more than just enabling again but doing that to test it is the first step.

                  michmoor LAYER 8 Rebel Alliance @stephenw10
                  last edited by Nov 6, 2023, 4:31 PM

                  @stephenw10

                  Works without issues once I commented out the section you told me.
                  So for next steps, should I open up a Redmine to get this looked at, or will you post a note internally to get the code rectified as you mentioned?

                  Nice quick fix Steve, seriously. I love it.

                    stephenw10 Netgate Administrator
                    last edited by Nov 6, 2023, 4:33 PM

                    Yes, open it as a feature request and we can look into what else this might affect and how to implement it safely.

                      michmoor LAYER 8 Rebel Alliance @stephenw10
                      last edited by Nov 6, 2023, 4:55 PM

                      @stephenw10
                      Done.
                      Appreciate your quick assist on this.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.