Simple match on wan not working for inbound traffic

  • Hey everyone,

    Using the GUI, I've created a single simple floating match rule to test how pfSense matches packets on the WAN interface. I made sure to set "State Type" to "none".

    From /tmp/rules.debug:
    match log  on {  vr1  }  from any to any  label "USER_RULE: TEST MATCH FLOAT WAN"

    Then I monitor pflog0 and I only see "match out" on vr1. I don't see any "match in".

    If I ping an external host, I only see the first outgoing ICMP request:
    00:00:28.610961 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123 > 4.2.2.2: ICMP echo request, id 56714, seq 0, length 64

    For other traffic:
    00:00:00.002784 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51261 > 74.125.65.157.80: [|tcp]
    00:00:00.004398 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.55205 > 192.168.0.1.53: [|domain]
    00:00:00.169822 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51262 > 207.246.126.16.80: [|tcp]
    00:00:00.000131 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51263 > 207.246.126.16.80: [|tcp]
    00:00:00.000192 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51264 > 184.51.207.110.80: [|tcp]
    00:00:00.000141 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51265 > 184.51.207.110.80: [|tcp]
    00:00:00.106406 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51266 > 74.125.159.120.443: [|tcp]
    00:00:00.069077 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.58225 > 192.168.0.1.53: [|domain]
    00:00:00.068972 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51267 > 204.11.51.34.80: [|tcp]

    Any ideas on how I can match an incoming packet on a specific interface?

    I'm using:
    2.0-RC3 (i386)  built on Thu Aug 18 00:28:50 EDT 2011
    Netgate ALIX.2D3/2D13

  • Okay, so after some more testing, this appears as though it is state-related. I will see an "in on vr1" only when a new connection arrives on the vr1 interface.
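As an added example (not code from the thread's author or from pfSense), here is a small Python parser for the tcpdump-on-pflog0 line format quoted above. It counts logged packets per rule, direction and interface and flags any (rule, interface) pair that appears in only one direction, which is the symptom both posts describe. The sample input embeds four lines from the thread plus one constructed inbound line; the field names are assumptions of this example, not pf's own.

```python
import re
from collections import Counter

# pflog line format as printed by tcpdump on pflog0 (seen in the thread):
#   <time> rule <n>/<sub>(<action>): <reason> <in|out> on <if>: <src> > <dst>: <detail>
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<action>\w+)\):\s+"
    r"(?P<reason>\S+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s*(?P<detail>.*)$"
)

# Sample input: the first four lines are from the thread; the fifth is a
# constructed "in on vr1" line (203.0.113.0/24 is a documentation range)
# standing in for the new inbound connection described in the follow-up.
SAMPLE_LOG = """\
00:00:28.610961 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123 > 4.2.2.2: ICMP echo request, id 56714, seq 0, length 64
00:00:00.002784 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51261 > 74.125.65.157.80: [|tcp]
00:00:00.004398 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.55205 > 192.168.0.1.53: [|domain]
00:00:00.000131 rule 36/0(match): unkn(11) out on vr1: 192.168.0.123.51263 > 207.246.126.16.80: [|tcp]
00:00:00.123456 rule 36/0(match): unkn(11) in on vr1: 203.0.113.7.40000 > 192.168.0.123.22: [|tcp]
"""

def parse_pflog_line(line):
    """Return the fields of one pflog line as a dict, or None if it does not parse."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sub"] = int(rec["sub"])
    return rec

def summarize(lines):
    """Count logged packets per (rule number, action, direction, interface)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None:
            counts[(rec["rule"], rec["action"], rec["dir"], rec["ifname"])] += 1
    return counts

def one_sided(counts):
    """Map (rule, interface) -> the direction that never appeared in the log.
    A capture with only 'out' lines, like the one in the thread, shows up here."""
    seen = {}
    for rule, _action, direction, ifname in counts:
        seen.setdefault((rule, ifname), set()).add(direction)
    return {k: ({"in", "out"} - v).pop() for k, v in seen.items() if len(v) == 1}
```

Feed it `tcpdump -n -e -ttt -i pflog0` output to see at a glance whether a match rule is being hit in both directions on an interface.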
