    Why do no floating rules match?

    Firewalling | 26 Posts, 5 Posters, 2.3k Views

    • johnpoz (LAYER 8 Global Moderator) @Rockojfonzo

      @Rockojfonzo Where exactly are those 2 networks connected to pfSense?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • Rockojfonzo @johnpoz

        @johnpoz 192.168.100.0 is the remote side of the WireGuard tunnel (tun_wg0, so to say); 192.168.11.0 is on LAN (igc1).

        I can match to destination 192.168.100.100:445 on LAN (which is "in" on LAN, out to Wireguard), but I need to limit (and therefore match) the packets that go out on LAN.

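Added here as an editor's example, not code from any poster in this thread: a small Python helper that reads the per-rule counters `pfctl -vsr` prints on the firewall and separates a rule that is never evaluated on the chosen interface/direction from one that is evaluated but never matches. That is the distinction behind "why do no floating rules match": a rule with `Evaluations: 0` never sees the packet at all (wrong interface or direction, or an earlier `quick` rule took it), while one with evaluations but `Packets: 0` sees traffic whose addresses, ports or protocol do not fit. The sample `pfctl` output is constructed by hand to mirror the setup above (igc1, tun_wg0, 192.168.100.100:445); its labels, counter values and the `dnpipe` limiter on the `match` rule are made up for illustration.

```python
"""Classify pf rules from `pfctl -vsr` output by their evaluation/packet counters.

Added example, not from the thread. SAMPLE_OUTPUT is constructed by hand to
mirror the setup discussed (LAN igc1, WireGuard tun_wg0, 192.168.100.100:445).
"""
import re
from typing import Dict, List, Optional

# Counter line that pf prints below each rule, e.g.
#   [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
LABEL_RE = re.compile(r'label\s+"([^"]*)"')

# Constructed sample; rule text, labels and numbers are made up.
SAMPLE_OUTPUT = """\
match out on igc1 inet proto tcp from 192.168.100.100 to 192.168.11.0/24 label "USER_RULE: limit SMB out LAN" dnpipe 1
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 23456 State Creations: 0     ]
pass in quick on igc1 inet proto tcp from 192.168.11.0/24 to 192.168.100.100 port = 445 flags S/SA keep state label "USER_RULE: SMB to remote"
  [ Evaluations: 1342      Packets: 8875      Bytes: 5213401     States: 2     ]
  [ Inserted: uid 0 pid 23456 State Creations: 57    ]
pass in quick on tun_wg0 inet from 192.168.100.0/24 to any flags S/SA keep state label "USER_RULE: allow WG in"
  [ Evaluations: 512       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 23456 State Creations: 0     ]
"""


def parse_pfctl_rules(output: str) -> List[Dict[str, object]]:
    """Pair each rule line (starts at column 0) with the indented counter line under it."""
    rules: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # `pfctl -vvsr` prefixes rules with "@<n> "; strip it so both forms parse.
            text = re.sub(r"^@\d+\s+", "", line.strip())
            label = LABEL_RE.search(text)
            current = {
                "rule": text,
                "label": label.group(1) if label else text,
                "evaluations": None, "packets": None, "bytes": None, "states": None,
            }
            rules.append(current)
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            ev, pk, by, st = (int(g) for g in m.groups())
            current.update(evaluations=ev, packets=pk, bytes=by, states=st)
    return rules


def classify(rule: Dict[str, object]) -> str:
    """Turn the counters into the question the thread asks: did this rule ever see traffic?"""
    ev, pk = rule["evaluations"], rule["packets"]
    if ev is None:
        return "no counters"               # no counter line under it, or output not from -v
    if ev == 0:
        return "never evaluated"           # no packet reached it on that interface/direction
    if pk == 0:
        return "evaluated, never matched"  # traffic gets there, but addr/port/proto don't fit
    return "matching"


def diagnose(output: str) -> Dict[str, str]:
    """Map rule label -> classification for a whole `pfctl -vsr` dump."""
    return {str(r["label"]): classify(r) for r in parse_pfctl_rules(output)}


if __name__ == "__main__":
    # On the firewall: pfctl -vsr > rules.txt ; python3 pfrules.py rules.txt
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for label, status in diagnose(text).items():
        print(f"{status:26} {label}")
```

Rule counters start from zero whenever the ruleset is reloaded, so the useful sequence is: reload the filter, generate the SMB traffic, then dump `pfctl -vsr` and run the script over it. A floating `match out on igc1` rule that stays at `Evaluations: 0` while the LAN `pass in` rule keeps counting is direct evidence that the packets are not being run through pf in that interface/direction, which is the situation the thread goes on to describe for WireGuard; the script does not explain why, it only makes the counters readable.
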
        • johnpoz (LAYER 8 Global Moderator) @Rockojfonzo

          @Rockojfonzo I for sure do not know enough about how/where the firewall ties into the WireGuard interface, etc.

          Might be better to bring this up in the WireGuard section, on how to set limiters on this. This seems more related to that than to the actual firewall, where packets enter and leave a physical interface or VLAN.

          The same could apply to, say, an IPsec or OpenVPN tunnel. I have never tried or wanted to set a limit on such a connection. I have put some firewall rules on the OpenVPN interface, but never tried to match traffic so I could limit it, etc. Maybe it's just not possible, or you need to do it a different way than matching in a firewall rule?

          • patient0 @Rockojfonzo

            @Rockojfonzo No worries, I wouldn't do it if I weren't interested. And I can't let go :) ... a SysAdmin thing, not sure.

            After replacing the UDP simple-server with a WireGuard tunnel I observe the same as you: nothing gets logged.

            Even if I enable logging for the default 'WireGuard' interface, in the firewall rules, on the generic allow-all-ip6 rule. The rule works and I can ping the pfSense from outside with it, but it does not get logged. Not sure if that's a bug or a limitation.

            I guess @johnpoz's suggestion makes sense, to ask it in the WireGuard section.

            • Rockojfonzo @patient0

              @patient0 Yeah, I read a lot about traffic shaping and VPN in the last days. That's why I didn't dream about doing something in the tunnel. But at least the packets on the WAN interface, or the (to my understanding) "de-VPNed" packets on the LAN interface, should be "loggable".

              However, thank you guys for all your energy and insights. I'll head over to the WireGuard section and nag people there. ;-)
              AND I will set up a similar thing on a pristine Sophos XG that sits here and waits for installation. Let's see if it's worth the money. >:-)

              • Rockojfonzo

                Last notice on this: I built a setup with a Sophos XGS, which doesn't support WireGuard, but does support IPsec. There I could track traffic (but only on non-floating rules!) without any problems, matching on addresses and/or ports.
                So it seems to be only WireGuard-related.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.