    Firewall Rules doesn't work on Interface Group

    2.0-RC Snapshot Feedback and Problems - RETIRED
      ggzengel:

      I have a group of a pppoe-wan (tdsl) and a dhcp-wan (cable).
      If I make a rule on this group it only works on the dhcp-wan.
      I must make this rule explicitly for the pppoe-wan too.

      2.0-BETA4 (amd64) built on Sun Dec 5 09:21:21 UTC 2010

      rules.debug.TXT

        eri--:

        Can you please try with a new snapshot tomorrow.
        I just checked in a fix for this.

          jlepthien:

          Weird. I am using this for two LAN interfaces and there it worked for some time now, including the latest snap…

          | apple fanboy | music lover | network and security specialist | in love with cisco systems |

            ggzengel:

            I have 2 interfaces on 1 physical NIC:
            1 static IP to access the DSL modem (FRITZNET)
            1 PPPoE interface for WAN (TDSL)

              jlepthien:

              Okay. I have got two physical interfaces I've put into one group. That is probably the difference…

                eri--:

                Yeah, dynamic interfaces come and go, and that is the problem I fixed.
                When they disappear they get removed from the group automatically, and I made sure that when they reappear they get added to the group again.

                  ggzengel:

                  I tried it with
                  2.0-BETA4 (amd64) built on Mon Dec 6 16:52:00 UTC 2010
                  but nothing changed.

                  Could it be my config?
                  I put a static IP on em0 (192.168.178.99, called fritznet) to reach my DSL modem.
                  Again, I put the PPPoE interface on em0 for WAN (called tdsl).
                  On interface em1 I put a DHCP WAN (called cable).

                  Then I put tdsl (PPPoE on em0) together with cable (DHCP on em1) in a group.

                    eri--:

                    Might not have the patch still.

                      ggzengel:

                      Right. I still see function interface_gif_configure(&$gif) in interface.inc

                      OK, next cycle…

                        ggzengel:

                        It should now work.
                        But I couldn't really check it, because with the old snapshot from Nov 4 I could ping both WAN interfaces from outside,
                        but it doesn't work any more.

                        If I ping wan2 at ip2, the packet will leave wan1, but with ip2 (from wan1).

                        Until now I didn't understand where to put rules for packets which come from the pfSense box itself.
                        And I thought routing decisions were made from the state table.

                          ggzengel:

                          I found the problem in the system log:
                          IPSEC interface is not WAN but opt1, adding static route for VPN endpoint 1.1.1.1 via 2.2.2.2

                          Do you think this has to be?

                            eri--:

                            Sorry, not following you and not really understanding your response.

                              ggzengel:

                              Sorry. I am speaking about the second problem which I had.
                              First, the group rules are working fine. Thanks.

                              Second, while I was testing the rule I had the problem that I never could ping the PPPoE WAN.
                              After a long search and changing default gateways and routing rules, I found out that there is a fixed routing path.

                              IPSEC interface is not WAN but opt1, adding static route for VPN endpoint 1.1.1.1 via 2.2.2.2

                              The GUI didn't reflect this behavior.
                              Why add a static route if we have routing options and routing rules?

                              While I was dealing with this second problem I got some questions:

                              Scenario:
                              wan1 has 1.1.1.1.
                              wan2 has 2.2.2.2.
                              Default route over wan1.
                              I ping wan2 from outside.

                              1. What are the exact routing rules? Does the state table control the routes?
                              2. Why do packets which leave wan1 have (spoofed?) source IP 2.2.2.2?
                              3. How to create rules so that a packet with source IP 2.2.2.2 which leaves wan1 is changed to source IP 1.1.1.1?
                              3. How to create rules so that a packet with source IP 2.2.2.2 leaves wan2?

                                eri--:

                                Hmm, I can give you some classes on pfSense online :)

                                Well, the problem is that we need to force VPN packets to the correct interface because of the way IPsec works in FreeBSD.
                                You cannot push PBR (policy based routing) for IPsec, since pfSense denies it by nullifying that effect for IPsec traffic.
                                The static route is created to make life easy for the user rather than requiring him to add it.

                                  ggzengel:

                                  "Hmm i can give you some classes on pfSense online"

                                  OK. How much?
                                  But first I must learn to count. :)

                                  1. What are the exact routing rules? Does the state table control the routes?
                                  2. Why do packets which leave wan1 have (spoofed?) source IP 2.2.2.2?
                                  3. How to create rules so that a packet with source IP 2.2.2.2 which leaves wan1 is changed to source IP 1.1.1.1?
                                  3. How to create rules so that a packet with source IP 2.2.2.2 leaves wan2?

                                  Do you think 3 and 3 is possible?
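The thread ends without an answer to the last three questions. The fragment below is an added example in pf.conf syntax (the packet filter underneath pfSense); it is not from the thread, and it is not the ruleset pfSense generates, although pfSense does attach pf's `reply-to` to rules on WAN interfaces that have a gateway, which is the mechanism at issue here. The interface names (em1, pppoe0) and gateway addresses (1.1.1.254, 2.2.2.254) are placeholders I made up; only 1.1.1.1 and 2.2.2.2 come from the scenario in the thread.

```pf
# Constructed placeholders for the thread's scenario (not real addresses or
# interface names from the poster's box): wan1 is the default route, wan2 is
# the PPPoE link that was pinged from outside.
wan1     = "em1"
wan2     = "pppoe0"
wan1_ip  = "1.1.1.1"
wan2_ip  = "2.2.2.2"
wan1_gw  = "1.1.1.254"
wan2_gw  = "2.2.2.254"

# Question "3" (rewrite the source to 1.1.1.1 when it leaves wan1): outbound
# NAT on wan1 rewrites the source of everything that the routing table sends
# out wan1 to wan1's own address. In the pf version of this era, nat rules
# precede the filter rules.
nat on $wan1 inet from any to any -> $wan1_ip

# Question 2 (why the reply carries 2.2.2.2): a rule like this one, WITHOUT
# reply-to, accepts the echo request, but the echo reply is built with source
# 2.2.2.2 (the address that was pinged) and then handed to the kernel routing
# table, whose default route points out wan1. It leaves wan1 with wan2's
# address: not spoofed, just the default route winning.
#pass in on $wan2 inet proto icmp from any to $wan2_ip icmp-type echoreq keep state

# Second question "3" (make the reply leave wan2): reply-to stores the arrival
# interface and its gateway in the state entry, so every reply matching that
# state is sent to $wan2_gw out $wan2 regardless of the routing table.
pass in on $wan2 reply-to ($wan2 $wan2_gw) inet proto icmp from any to $wan2_ip icmp-type echoreq keep state

# Same idea for a service on wan2 (say TCP/443), so responses to connections
# that arrived on wan2 never fall back to wan1.
pass in on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp from any to $wan2_ip port 443 flags S/SA keep state
```

This also answers question 1 as far as pf is concerned: the kernel routing table, not the state table, picks the outgoing interface; a state only overrides that choice when the rule that created it carried `route-to` or `reply-to`. Traffic that the firewall itself originates (such as the IPsec peer traffic discussed above) never matches an inbound state, so it follows the routing table, which is why a static route to the VPN endpoint is needed when that endpoint is reached through an interface other than the default-route one.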
