Catch traffic from alias ip?



  • Hi, is it possible to catch the in/out traffic generated from an alias ip on the same pfsense box?

    Lets say that i want to use the scp command tool (on the same pfsense box) to copy files from a WAN host to the pfsense box, and so i set it to start the connection using an alias ip "192.168.2.3" rather than using the default lan ip "192.168.2.1", somehow adding a quick match floating rule at the very top with source address 192.168.2.3 isn't working at all, however, it does work for traffic coming in from the wan iface. Am I doing something wrong with the rules, please see attached my floating rules config.

    Or it's just not possible with the current pfsense 2.0 at this time? would greatly appreciate any hint to help me catch this traffic going out from the pfsense box to the wan interface through an IP alias. Thanks!

    ![Screen shot 2011-06-01 at 18.26.06.png](/public/imported_attachments/1/Screen shot 2011-06-01 at 18.26.06.png)
    ![Screen shot 2011-06-01 at 18.26.06.png_thumb](/public/imported_attachments/1/Screen shot 2011-06-01 at 18.26.06.png_thumb)
    ![Screen shot 2011-06-01 at 18.25.50.png](/public/imported_attachments/1/Screen shot 2011-06-01 at 18.25.50.png)
    ![Screen shot 2011-06-01 at 18.25.50.png_thumb](/public/imported_attachments/1/Screen shot 2011-06-01 at 18.25.50.png_thumb)


  • Rebel Alliance Developer Netgate

    The screenshot it cut down so much it's impossible to tell if what you're doing would work.

    You can block traffic to/from an IP alias fine, depending on where the rules are and how they are setup. On the per-interface tabs, the rules can only affect incoming traffic so a source IP there of the IP alias on that box itself would never be hit.

    If that is a floating rule on that same interface, in the 'out' direction, then you could match with the source IP of the IP alias.



  • Hi jimp, thanks a lot for the help! I went again to try with some more floating rules configs but no matter how i set it, what combination i use i can't manage to catch the traffic going out (to the WAN interface) of the pfsense box itself through the alias IP, i did however noticed that packets are being sent from the WAN ip instead, could it be that the connections are being initiated directly from the WAN IP instead of the alias IP even though i set in the app i use (on the pfsense server) to initiate any connection through the alias IP?

    I've attached the netstat output just to show the tcp/udp connections are being initiated from the alias ip as it should but still not being caught by the filters!

    Again, thanks for the help, almost lost all hope on getting a reply  :P

    ![Screen shot 2011-06-06 at 14.06.03.png](/public/imported_attachments/1/Screen shot 2011-06-06 at 14.06.03.png)
    ![Screen shot 2011-06-06 at 14.06.03.png_thumb](/public/imported_attachments/1/Screen shot 2011-06-06 at 14.06.03.png_thumb)




  • Rebel Alliance Developer Netgate

    Ah, well I suppose I may have had a few bits mixed up then. If it goes out the WAN interface it would have had NAT applied at that point. The filter rules happen after NAT. So if you are going from an alias on LAN, then out WAN, there isn't likely going to be a way to catch that traffic with a rule in that way. You could block it in effect by switching to manual outbound NAT, and adding a rule at the top to just not NAT traffic from that IP alias. (Or you could NAT it to another IP on the WAN subnet if you have one available, then filter on that).



  • I see, my intention was to run everything on that box (a firewall, gateway and seedbox) and my idea was to catch all the traffic from the seedbox using an alias IP and then set it to go to the P2P traffic shaping queue but the filter can't catch the traffic going out the WAN on the box itself, wether its an alias IP or the real lan IP, just any upload or traffic going out the WAN iface initiated from the pfsense box itself is bypassing the traffic shaper according to my tests.

    It does works with incoming traffic, i can see the incoming packets to the alias IP being caught and queued into the P2P queue, but unfortunately it seems it doesn't work the other way for outgoing packets. So, i guess i'll have to think on doing this in some other way, perhaps deploying pfsense using vmware ESX or some other virtualization technology so i'd run pfsense + a separate OS on the same box to get the seedbox traffic shaped.

    Thanks again for clearing up this :)


Log in to reply