Firewall rules not working for interface groups?

  • I've just set up a new pfSense 2.0rc3 unit. Working great for the most part.

    Can someone explain to me the "floating rules" vs. assigning uplink interfaces to a group and applying rules to that? Because I tried to assign some 'pass' rules to an Interface Group named 'Uplinks' that contains my WAN and OPT1 interfaces (both active and alive) and set this to allow 'ICMP', but it did not work. Had to delete the group and manually add 'pass' rules to each interface (wan, opt1) and only then did it start working. Is this a bug or a misunderstanding of this feature on my part?

    btw: running 2.0-RC3 (i386) built on Mon Jul 4 17:29:15 EDT 2011 on Netgate Hamakua (1G-nanobsd build)

  • Depends on what you're trying to do. Interface groups work fine, not sure what you were attempting from the description.

  • I was attempting to create an interface group called "uplinks" that contains both my WAN and OPT1 interfaces (both of these are internet-facing). I then wanted to create a few rules that apply to this group (e.g. allow ICMP, allow SSH, allow HTTPS).

    When I tried this, it didn't work; I was only able to access those services via the WAN interface, not OPT1, even though OPT1 was part of the interface group, and I was adding these rules to the newly created group's tab under Firewall rules. When I deleted all of that and went back to the "old way" of doing things (duplicating the rules for each individual interface), things worked fine.

    So it seemed like a bug to me.

  • Hm, I just set that up yesterday in a different scenario and it worked, but did the same there and it only applies to the second interface.

  • Okay, glad it wasn't just me :)
    Thanks for looking into it!

