Netgate Discussion Forum

    pfSense redirecting traffic from `192.0.0.0/8` to LAN on every interface, no idea why

    Category: NAT. Tags: firewall rules, redirect.
    Anaerin wrote:

      Looking through all the rules I have set, none of them reference 192.0.0.0 in any way, but at the very end of the firewall rules I find

      @164 rdr on pkg_tinc inet proto udp from any to <public IP, Redacted> port = 32400 tag PFREFLECT -> 127.0.0.1 port 19000
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 40131 State Creations: 0     ]
        [ Last Active Time: N/A ]
      @165 rdr on bge0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
        [ Evaluations: 229132    Packets: 5756      Bytes: 369505      States: 1202  ]
        [ Inserted: uid 0 pid 40131 State Creations: 1745  ]
        [ Last Active Time: N/A ]
      @166 rdr on gif0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
        [ Evaluations: 38971     Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 40131 State Creations: 0     ]
        [ Last Active Time: N/A ]
      @167 rdr on WireGuard inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
        [ Evaluations: 38971     Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 40131 State Creations: 0     ]
        [ Last Active Time: N/A ]
      @168 rdr on pkg_tinc inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
        [ Evaluations: 38970     Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 40131 State Creations: 0     ]
        [ Last Active Time: N/A ]
      @0 binat on tun_wg0 inet from 10.0.0.0/8 to any -> 192.0.0.0/8
        [ Evaluations: 474029    Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 40131 State Creations: 0     ]
        [ Last Active Time: N/A ]
      

      This means I can't get to any actual site on the internet in the 192.x block. The 32400 port forward is the last one of my defined rules, and this block of rules appears to be added after that. It persists after a restart, and I have no idea where it's coming from.

      Anaerin (replying to the post above):

        It looks like the issue is WireGuard. Disabling WireGuard and removing its interface, tunnel and peers removes the rules.

        Quite why WireGuard is grabbing the wrong subnet for the VPN subnet and redirecting it to the local net is an issue.
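The two posts above boil down to a check a pfSense admin would want to run: are there rdr or binat rules whose matched or translated range is wider than the private address space they were meant to cover? The script below is an added example, not code from the forum post or from pfSense/WireGuard. It parses the rule lines of the `pfctl -vvsn` output quoted in the first post (the interleaved `[ Evaluations: ... ]` statistics lines are skipped), with the redacted public IP replaced by the TEST-NET-3 address 203.0.113.10 as a stand-in, flags every rule that grabs or produces addresses outside the usual non-routable blocks, and reproduces pf's `bitmask` pool semantics from pf.conf(5) (network part taken from the pool address, host bits kept from the original) to show what `192.0.0.0/8 -> 10.0.0.0/8 bitmask` does to a real internet destination.

```python
"""Flag pf NAT rules that match or produce public address space.

Added example (not from the forum post or pfSense). The sample rules are
the poster's, with the redacted WAN IP replaced by 203.0.113.10 (assumed).
"""
import ipaddress
import re

# Blocks that are never routed on the public internet (RFC 1918, loopback,
# link-local, CGNAT, multicast, reserved). A rule whose range is not wholly
# inside one of these touches public addresses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed from the first post's pfctl -vvsn output; 203.0.113.10 stands
# in for the redacted public IP.
SAMPLE_RULES = """\
@164 rdr on pkg_tinc inet proto udp from any to 203.0.113.10 port = 32400 tag PFREFLECT -> 127.0.0.1 port 19000
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@165 rdr on bge0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
  [ Evaluations: 229132    Packets: 5756      Bytes: 369505      States: 1202  ]
@166 rdr on gif0 inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
@167 rdr on WireGuard inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
@168 rdr on pkg_tinc inet from any to 192.0.0.0/8 -> 10.0.0.0/8 bitmask
@0 binat on tun_wg0 inet from 10.0.0.0/8 to any -> 192.0.0.0/8
"""

# Covers the rdr/binat/nat shapes seen above; port/tag clauses are optional.
RULE_RE = re.compile(
    r"^(?:@(?P<num>\d+)\s+)?(?P<kind>rdr|binat|nat)\s+on\s+(?P<iface>\S+)\s+inet\s+"
    r"(?:proto\s+\S+\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*\d+)?(?:\s+tag\s+\S+)?\s+->\s+(?P<target>\S+)"
    r"(?:\s+port\s+\d+)?(?P<bitmask>\s+bitmask)?\s*$"
)


def parse_rules(text):
    """Return one dict per rule line; statistics lines do not match and are dropped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bitmask"] = bool(d["bitmask"])
            rules.append(d)
    return rules


def to_network(token):
    """pf's 'any' is the whole IPv4 space; a bare host becomes a /32."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def contains_public(net):
    """True unless the range lies entirely inside one non-routable block."""
    return not any(net.subnet_of(block) for block in NON_PUBLIC)


def suspicious_rules(text):
    """List (rule_no, kind, iface, field, cidr) for translations touching public space.

    For rdr the relevant field is the destination it grabs; for binat/nat it is
    the translation target. Single-host (/32) rules are the normal shape of a
    port forward on the WAN address and are not reported.
    """
    findings = []
    for r in parse_rules(text):
        field = "dst" if r["kind"] == "rdr" else "target"
        net = to_network(r[field])
        if net.prefixlen < 32 and contains_public(net):
            findings.append((r["num"], r["kind"], r["iface"], field, str(net)))
    return findings


def bitmask_translate(addr, target):
    """pf.conf(5) 'bitmask': network bits from the pool, host bits from the packet."""
    a = ipaddress.ip_address(addr)
    t = ipaddress.ip_network(target, strict=False)
    host_bits = int(a) & int(t.hostmask)
    return str(ipaddress.ip_address(int(t.network_address) | host_bits))


if __name__ == "__main__":
    for num, kind, iface, field, cidr in suspicious_rules(SAMPLE_RULES):
        print(f"@{num} {kind} on {iface}: {field} {cidr} covers public addresses")
    # A public 192.x destination (TEST-NET-1 here) is silently rewritten into 10/8:
    print("192.0.2.1 ->", bitmask_translate("192.0.2.1", "10.0.0.0/8"))
```

Run against live output with `pfctl -sn | python3 check_nat.py`-style plumbing (feed `sys.stdin.read()` to `suspicious_rules`) and the five `192.0.0.0/8` rules stand out immediately, while the legitimate /32 port forward does not. Swapping the range to `192.168.0.0/16` makes `contains_public` return False, which is the difference between a tunnel subnet and a quarter of the 192 space.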

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.