Firewall Rules don't work on Interface Group



  • I have a group of a pppoe-wan (tdsl) and a dhcp-wan (cable).
    If I make a rule on this group, it only works on the dhcp-wan.
    I must make this rule explicit for the pppoe-wan too.

    2.0-BETA4 (amd64) built on Sun Dec 5 09:21:21 UTC 2010

    rules.debug.TXT



  • Can you please try with a new snapshot tomorrow?
    I just checked in a fix for this.



  • Weird. I am using this for two LAN interfaces and there it worked for some time now, including the latest snap…



  • I have 2 interfaces on 1 physical NIC:
    1 static IP to access the DSL modem (FRITZNET)
    1 PPPoE interface for WAN (TDSL)



  • Okay. I have got two physical interfaces I've put into one group. That is probably the difference…



  • Yeah, dynamic interfaces come and go, and that is the problem I fixed.
    When they disappear they get removed from the group automatically, and I made sure that when they reappear they get added to the group again.



  • I tried it with
    2.0-BETA4 (amd64) built on Mon Dec 6 16:52:00 UTC 2010
    but nothing changed.

    Could it be my config?
    I put a static IP on em0 (192.168.178.99, called fritznet) to reach my DSL modem.
    I also put the PPPoE interface on em0 for WAN (called tdsl).
    On interface em1 I put a DHCP WAN (called cable).

    Then I put tdsl (PPPoE on em0) together with cable (DHCP on em1) in a group.



  • It might still not have the patch.



  • Right. I still see the function interface_gif_configure(&$gif) in interface.inc.

    OK, next cycle…



  • It should work now.
    But I couldn't really check it, because with the old snapshot from Nov 4 I could ping both WAN interfaces from outside,
    but that doesn't work any more.

    If I ping wan2 at ip2, the packet leaves wan1, but with ip2 (from wan1).

    Until now I didn't understand where to put rules for packets which come from the pfSense box itself.
    And I thought routing decisions were made from the state table.



  • I found the problem in the system log:
    IPSEC interface is not WAN but opt1, adding static route for VPN endpoint 1.1.1.1 via 2.2.2.2

    Do you think this has to be this way?



  • Sorry, I'm not following you and not really understanding your response.



  • Sorry. I'm speaking about the second problem which I had.
    First, the group rules are working fine. Thanks.

    Second, while I was testing the rule I had the problem that I could never ping the PPPoE WAN.
    After a long search and changing default gateways and routing rules, I found out that there is a fixed routing path.

    IPSEC interface is not WAN but opt1, adding static route for VPN endpoint 1.1.1.1 via 2.2.2.2

    The GUI didn't reflect this behavior.
    Why add a static route, if we have routing options and routing rules?

    While I was dealing with this second problem I got some questions:

    scenario:
    wan1 has 1.1.1.1.
    wan2 has 2.2.2.2.
    default route over wan1
    I ping wan2 from outside

    1. What are the exact routing rules? Does the state table control the routes?
    2. Why do packets which leave wan1 have the (spoofed?) source IP 2.2.2.2?
    3. How do I create rules so that a packet with source IP 2.2.2.2 which leaves wan1 is changed to source IP 1.1.1.1?
    3. How do I create rules so that a packet with source IP 2.2.2.2 leaves wan2?



  • Hmm, I can give you some classes on pfSense online :)

    Well, the problem is that we need to force VPN packets to the correct interface because of the way IPsec works in FreeBSD.
    You cannot use PBR (policy-based routing) for IPsec, since pfSense denies it by nullifying that effect for IPsec traffic.
    The static route is created to make life easy for the user rather than requiring him to add it.



  • Hmm, I can give you some classes on pfSense online

    OK. How much?
    But first I must learn to count. :)

    1. What are the exact routing rules? Does the state table control the routes?
    2. Why do packets which leave wan1 have the (spoofed?) source IP 2.2.2.2?
    3. How do I create rules so that a packet with source IP 2.2.2.2 which leaves wan1 is changed to source IP 1.1.1.1?
    3. How do I create rules so that a packet with source IP 2.2.2.2 leaves wan2?

    Do you think 3 and 3 are possible?
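
The multi-WAN scenario in the questions above, written as plain pf rules (an added example, not part of the thread and not pfSense's generated ruleset). Interface names and the two upstream gateway addresses are assumptions; the WAN addresses 1.1.1.1 and 2.2.2.2 are the ones from the scenario.

```pf
# Added example for the scenario: wan1 = 1.1.1.1 (default route), wan2 = 2.2.2.2.
# Interface names and gateway IPs below are constructed placeholders.
wan1_if = "pppoe0"
wan2_if = "em1"
wan1_gw = "192.0.2.1"       # placeholder upstream gateway of wan1
wan2_gw = "198.51.100.1"    # placeholder upstream gateway of wan2

# Question 1/2: the state table only matches packets to an existing flow; it does
# not pick the outbound interface. Without reply-to, the echo reply to a ping that
# arrived on wan2 follows the routing table, i.e. the default route out wan1,
# and keeps 2.2.2.2 as its source address.
#
# reply-to pins the reply half of this state to the interface and gateway the
# request came in on, so replies sourced from 2.2.2.2 leave wan2 (the second "3.").
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto icmp \
    from any to 2.2.2.2 icmp-type echoreq keep state

# Same for wan1; it carries the default route already, so this only matters once
# the default route moves to wan2 (gateway failover).
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto icmp \
    from any to 1.1.1.1 icmp-type echoreq keep state

# Rewriting the reply's source to 1.1.1.1 with outbound NAT (the first "3.") is
# not how pf solves this: translation is decided when the state is created, and
# the reply already belongs to the inbound state, so no new nat rule is consulted.
```

pfSense adds the reply-to clause itself on rules bound to a single WAN interface that has a gateway; a rule placed on an interface group has no single gateway to attach, so traffic destined to a WAN address still needs a per-interface rule for its replies to leave the right WAN.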

