Static route filtering



  • I have now upgraded to 2.0.1 from 1.2.3 and the "Bypass firewall rules for traffic on the same interface" setting (in System: Advanced: Firewall and NAT) appears to have stopped working.

    I have another gateway on the LAN and have a route on the pfSense to access the hosts behind this gateway. After the upgrade these hosts could not be accessed and I checked the "Bypass firewall rules for traffic on the same interface" which was ticked. I then un-ticked, saved, re-ticked and saved again but this still exhibited the same behaviour.

    I checked the firewall log and this showed the traffic as being blocked at the pfSense.

    Is this a bug with 2.0.1?



  • Did you check your gateway and routing settings? I had the same kind of setup and after the upgrade, I didn't have any problems. Though, my LAN rules are wide open.



  • @podilarius:

    Did you check your gateway and routing settings? I had the same kind of setup and after the upgrade, I didn't have any problems. Though, my LAN rules are wide open.

    As a test I pinged the next hop on the other gateway. If I then add a rule to block this the pings no longer work, I also logged this rule and it showed that the rule that I created was blocking the pings.

    With the "Bypass firewall rules for traffic on the same interface" setting this should just pass the traffic as it is coming in on the LAN interface and leaving on the LAN interface.



  • Could you sanitize /tmp/rules.debug and post? Perhaps you can copy a set of them, one without the option and one with. Then you can diff them to see if there were any changes.



  • @podilarius:

    Could you sanitize /tmp/rules.debug and post? Perhaps you can copy a set of them, one without the option and one with. Then you can diff them to see if there were any changes.

    Very confused ??? I can see the rules being created in rules.debug:

    pass quick on $LAN proto tcp from 172.22.0.0/16 to 10.128.0.0/9 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
    pass quick on $LAN from 172.22.0.0/16 to 10.128.0.0/9 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass quick on $LAN proto tcp from 10.128.0.0/9 to 172.22.0.0/16 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
    pass quick on $LAN from 10.128.0.0/9 to 172.22.0.0/16 keep state(sloppy) label "pass traffic between statically routed subnets"
    

    But the default Deny rule or a user created Block rule still seems to stop the traffic going to this subnet?



  • Is the user created rule above or below the rules you posted? The default deny rule is above and is not a quick rule, so that is going to be the action that is taken if traffic does not match any other rule.
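To make the ordering question in the last reply concrete, here is an added example (not from the thread or from pfSense itself) that simulates pf's rule evaluation over the posted "statically routed subnets" rules: last match wins, unless a matching rule is marked quick, which decides immediately. The default deny at the top and the position of the user block rule are constructed assumptions; protocol and flags matching is omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str    # "pass" or "block"
    quick: bool    # quick: evaluation stops at the first matching quick rule
    src: str       # CIDR or "any"; proto/flags from the real rules are omitted
    dst: str
    label: str

def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def evaluate(ruleset: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """pf semantics: the LAST matching rule decides, unless a matching rule is
    quick, in which case it decides immediately. Returns (action, label)."""
    last: Optional[Rule] = None
    for rule in ruleset:
        if _in(rule.src, src) and _in(rule.dst, dst):
            last = rule
            if rule.quick:
                break
    return (last.action, last.label) if last else ("block", "implicit default")

# Constructed ruleset modelled on the thread: a non-quick default deny at the
# top, then the two "statically routed subnets" pass quick rules from rules.debug.
DEFAULT_DENY = Rule("block", False, "any", "any", "Default deny rule")
BYPASS = [
    Rule("pass", True, "172.22.0.0/16", "10.128.0.0/9", "pass traffic between statically routed subnets"),
    Rule("pass", True, "10.128.0.0/9", "172.22.0.0/16", "pass traffic between statically routed subnets"),
]
# Hypothetical user-created LAN block rule (pfSense user rules are quick).
USER_BLOCK = Rule("block", True, "172.22.0.0/16", "10.128.0.0/9", "user block (hypothetical)")

def ruleset(user_block_above: Optional[bool]) -> List[Rule]:
    """None: no user block; True: user block before the bypass rules; False: after."""
    if user_block_above is None:
        return [DEFAULT_DENY] + BYPASS
    if user_block_above:
        return [DEFAULT_DENY, USER_BLOCK] + BYPASS
    return [DEFAULT_DENY] + BYPASS + [USER_BLOCK]

if __name__ == "__main__":
    for above in (None, True, False):
        print("user block above:", above, evaluate(ruleset(above), "172.22.1.10", "10.130.0.5"))
    print("off-route destination:", evaluate(ruleset(None), "172.22.1.10", "192.168.50.1"))
```

Only a block rule placed before the pass quick rules can stop the routed traffic; the non-quick default deny at the top is overridden by any later match, and a block rule placed after the quick pass rules is never reached.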

