Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Bypass firewall rules for traffic on the same interface and additional networks

    Firewalling
    1
    1
    6134
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AndiSHFR last edited by

      Hello.

      Actually i was not sure if i had to post the issue in "Routing and Multi WAN" - anyway…

      We are using a pfSense 1.2.1-RC2 as the NAT/Firewall/Gateway to the internet.

      The internal network is divided into several VLANs which all are handled by a central switch.
      The default gateway of the switch points to the internal nic of the pfSense (172.10.100.10).

      There is a static route on the pfSense for the LAN interface which points back
      to the switch to make the VLANs work.

      LAN: 172.10.0.0/16 -> 172.10.100.1

      Now we had to add another appliance (172.10.100.22) for an IPSec connection to a customers site (network 10.140.1.0/24).

      Network layout looks like:

      VLANs (172.10.20.0/24, 172.10.21.0/24, 172.10.22.0/24)
                |              |                |
            +–----------------------------------------+
            | central switch managing VLANs            |
            | def. route 0.0.0.0/0 -> 172.10.100.10    |
            +------------------------------------------+
                                |  172.10.100.1
                  +--------------+-------------+
      VLAN 100    |                            |
                  |                            |
                  | 172.10.100.10              | 172.10.100.22
            +-----------------+            +--------------------+
            | pfSense        |            | IPSec Appliance    |
            +-----------------+            +--------------------+       
                  : (static public ip)              : ( static public ip)
                  :                                :

      There is a route on the ipsec appliance pointing to the VLANs via 172.10.100.1 (likewise on the pfSense)

      We started to add another static route on the pfSense to route traffic for 10.140.1.0/24 over to the ipsec appliance.

      LAN: 10.140.1.0/24 -> 172.10.100.22

      The pfSense will not handle the connections correctly even with
      the option "Bypass firewall rules for traffic on the same interface" set.

      The tcp connections like rdp die after 20 seconds.
      It looks like the connection is handled by the state inspection code of the firewall and it is
      well known that this is not possible on a firewall with traffic entering and leaving the same interface.

      I had a look using the status.php on the "pfctl -sr" results and they show something interesting:

      …
      pass in quick on em1 inet from 172.10.100.0/24 to 172.10.0.0/16 no state label "pass traffic between statically routed subnets"
      pass in quick on em1 inet from 172.10.0.0/16 to 172.10.100.0/24 no state label "pass traffic between statically routed subnets"
      pass out quick on em1 inet from 172.10.100.0/24 to 172.10.0.0/16 no state label "pass traffic between statically routed subnets"
      pass out quick on em1 inet from 172.10.0.0/16 to 172.10.100.0/24 no state label "pass traffic between statically routed subnets"

      pass in quick on em1 inet from 172.10.100.0/24 to 10.140.1.0/24 no state label "pass traffic between statically routed subnets"
      pass in quick on em1 inet from 10.140.1.0/24 to 172.10.100.0/24 no state label "pass traffic between statically routed subnets"
      pass out quick on em1 inet from 172.10.100.0/24 to 10.140.1.0/24 no state label "pass traffic between statically routed subnets"
      pass out quick on em1 inet from 10.140.1.0/24 to 172.10.100.0/24 no state label "pass traffic between statically routed subnets"
      ...

      Opps. What's that on the lower four rules (the ones for the ipsec network)?

      The auto generated rules which are enabled via "Bypass firewall rules for traffic on the same interface"
      option indeed only cover the LAN network of the pfSense! So the text of the option:

      "This option only applies if you have defined one or more static routes. If it is enabled, traffic that
      enters and leaves through the same interface will not be checked by the firewall. This may be desirable
      in some situations where multiple subnets are connected to the same interface."

      is missleading. It makes the user believe that this is true for ANY internal LAN (available via a static route).
      Actually it is only true for traffic originating or ending in the LAN network (172.10.100.0/24) of the pfSense.

      It works for the traffic coming from the VLANs and ending at the pfSense, but it does not work for the kind of traffic
      where the pfSense has to receive traffic from a VLAN and route it to the IPSec LAN (i.e. 172.10.21.23 -> 10.140.1.51 ).

      Note: The really bad thing is… we tested this all using ping (ICMP) and got fooled because
            pinging the partners (incl. tracert) showed correct results.

      Ok. no problem i thought... lets add a manual firewall rule and use the "State Type" option "none" - but.....

      pfctl -sr shows for this entry:

      pass in quick on em1 inet proto tcp from 172.10.0.0/16 to 10.140.1.0/24 flags S/SA keep state label "USER_RULE: Permit internal VPN traffic to customer"

      So for this rule the "keep state" is active even if "none" is selected in the firwall_rule_edit.php page.
      Well - and this only covers a "pass in" and there is no chance to create a "pass out". :-(

      I already pulled my hair out about this and did not came to an easy solution.
      Any ideas how to come around this?

      Regards
      Andi

      Finally i thing the only solution is a switch which can handle static routes and place the static routes to the VPN partners there. :-(

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense Plus
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy