Netgate Discussion Forum
    Rules ignored when gateway set other than default?

    Firewalling
    5 Posts 2 Posters 6.0k Views
    • anatolidt

      wan1 on nic1 static ip (default), wan2 on nic2 static ip
      routing group pool1=wan1+wan2 failover
      vlan1 on nic3, vlan2 on nic3
      captive portal on vlan1
      pfsense 2.01

      rules on vlan1:

      1. allow src:vlan1.net -> dest:vlan2.host1 gw:* port:21
      2. allow src:vlan1.net -> dest:any gw:pool1 port:alias1(=80,443)

      If the last rule (2.) sets a gateway other than default, ANY traffic
      from vlan1 is passed to anywhere on any port!

      I can, for example, RDP to host_x on any net even if RDP is not allowed anywhere on vlan1.

      The rule that triggered this action is:

      @348 pass in log quick on em0_vlan1 inet proto tcp from vlan1-network/24 to <negate_networks:18> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"

      I don't understand this, this has nothing to do with deny everything which isn't explicitly allowed.
      Any clarification appreciated.

      Thanks
      Anatol

      • anatolidt

        OK, found this:
        http://redmine.pfsense.org/issues/2132

        So is this considered a bug?

        • cmb

          It should be shown to the user, and probably not as permissive as it is in that particular instance.
          http://redmine.pfsense.org/issues/2367

          2.1 has an option under System>Advanced to disable negate rules entirely. Or you can just comment that line out in /etc/inc/filter.inc to accomplish the same, then when you upgrade to 2.1 when it's out just make sure you check that box.

          • anatolidt

            Thanks for that.
            But will disabling negate rules in 2.1 mean you can't specify gateways/gw-groups anymore?
            Maybe I just don't really get the route negation thing… I only found
            http://doc.pfsense.org/index.php/Multi-WAN_2.0#Policy_Route_Negation

            Shouldn't specifying a gateway leave rules intact? What exactly gets "negated" when a gateway
            is defined in a rule? If it's just greyed out on creation, it would mean that someone has to add block
            rules before the (final) gateway rule, right? Maybe someone can help me out with that.

            Some draft example, let's say for a wlan-zone:
            1. allow to virus-update in dmz1, default gw
            2. allow to mailservices in dmz2, default gw
            3. allow rdp to some machines in zone_x
            (!)4. disallow everything to all zones (maybe alias for dmz1,dmz2,zone_x)
            5. allow standard web-service ports to anywhere using defined gateway/gw-group
            (greyed out in 2.1?)6. this route negation stuff rule allowing everything ;-)

            Does it have to look like this when defining a gateway in a rule?

            • cmb

              It negates policy routing; you just have to add your own rules if you remove it, to not force traffic out to a wrong gateway.

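The behaviour discussed in this thread, modelled as an added example that is not part of the original posts or of pfSense's own code: a small Python evaluator for first-match ("quick") pf rules, run over the ruleset from the first post with the auto-inserted NEGATE_ROUTE rule, and over the draft from the fourth post with negation disabled (the 2.1 option) and an explicit block placed before the gateway rule, as the last reply suggests. The addresses, the alias contents and the assumption that the negate_networks table holds the locally attached networks are constructed for the example, not taken from the thread.

```python
# Added example (not pfSense code): a toy model of pf's first-match ("quick")
# evaluation, used to show why the auto-inserted NEGATE_ROUTE pass rule lets
# vlan1 reach local networks on any port, and how an explicit block rule
# placed before the policy-routed rule closes that hole once negation is off.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    label: str
    action: str                    # "pass" or "block"
    src: str                       # source network (CIDR)
    dsts: tuple                    # destination networks (CIDR) or ("any",)
    ports: Optional[frozenset]     # destination TCP ports; None means any port
    gateway: Optional[str] = None  # route-to target; None means default gateway

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if "any" not in self.dsts and not any(
            ip_address(dst_ip) in ip_network(net) for net in self.dsts
        ):
            return False
        return self.ports is None or port in self.ports


def evaluate(rules, src_ip, dst_ip, port):
    """Return (action, rule label, gateway). pfSense emits every rule with
    'quick', so the first match wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            gateway = rule.gateway if rule.action == "pass" else None
            return (rule.action, rule.label, gateway)
    return ("block", "default deny", None)


def audit_any_port_pass(rules):
    """Labels of pass rules with no port restriction: the ones worth a second look."""
    return [r.label for r in rules if r.action == "pass" and r.ports is None]


# Constructed addressing (assumption, not from the thread).
VLAN1 = "10.1.0.0/24"
VLAN2 = "10.2.0.0/24"
ZONE_X = "10.3.0.0/24"
HOST1 = "10.2.0.10/32"       # vlan2.host1
WEB = frozenset({80, 443})   # alias1
# Assumption: the negate_networks table holds the locally attached networks.
NEGATE_NETWORKS = (VLAN1, VLAN2, ZONE_X)

# Ruleset as generated for the first post: the NEGATE_ROUTE rule is inserted
# ahead of the policy-routed rule and carries no port restriction.
GENERATED = [
    Rule("ftp to host1", "pass", VLAN1, (HOST1,), frozenset({21})),
    Rule("NEGATE_ROUTE", "pass", VLAN1, NEGATE_NETWORKS, None),
    Rule("web via pool1", "pass", VLAN1, ("any",), WEB, gateway="pool1"),
]

# Draft from the fourth post with negation disabled: an explicit block for the
# local zones sits before the gateway rule, so local traffic is neither passed
# on any port nor pushed out through pool1.
HARDENED = [
    Rule("ftp to host1", "pass", VLAN1, (HOST1,), frozenset({21})),
    Rule("block local zones", "block", VLAN1, (VLAN2, ZONE_X), None),
    Rule("web via pool1", "pass", VLAN1, ("any",), WEB, gateway="pool1"),
]

if __name__ == "__main__":
    client = "10.1.0.5"
    for name, rules in (("generated", GENERATED), ("hardened", HARDENED)):
        print(name, "rdp to zone_x:", evaluate(rules, client, "10.3.0.20", 3389))
        print(name, "https to vlan2 host:", evaluate(rules, client, "10.2.0.10", 443))
        print(name, "https to internet:", evaluate(rules, client, "203.0.113.7", 443))
        print(name, "any-port pass rules:", audit_any_port_pass(rules))
```

Running it shows the two sides of the trade-off in one place: with the generated ruleset, RDP from vlan1 to zone_x is passed by NEGATE_ROUTE (no port restriction, default gateway), while with the hardened ruleset the same packet hits the explicit block, FTP to host1 still passes, and HTTPS to a vlan2 host is blocked instead of being routed out pool1. The audit helper flags the any-port pass rule that a port-restricted policy never intended.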