Traffic through IPSec Tunnel *not* respecting firewall rules



  • So - I have a feeling this is a 'broken' behavior, and I'm likely to reboot this (production) firewall tonight at about midnight eastern time to try to resolve this, but:

    • pfSense 2.0.1-RELEASE

    • amd64

    • Virtual Machine on VMWare vSphere environment (ESXi 5.0 I believe)

    This machine is handling an IPSec tunnel.  Local network (10.136.1.0/24), remote network 192.168.50.0/24.

    I had created firewall rules on the IPSec interface allowing only traffic from 10.136.1.31 to 192.168.50.99.

    So imagine my surprise when I was able to ping everything on 192.168.50.0/24.

    Eventually I replaced the rule- the only active rule in the IPSec tab - with a BLOCK * * * * * rule.  Still no dice-  I can ping everything.

    Background info: This may have been caused by a 'disk issue' - the SAN at the datacenter this system is running at dropped connectivity briefly, meaning there are a few disk read/write errors in the logs.  So - I'm guessing a reboot will fix this issue.

    However- no matter what the cause, I'm kinda surprised that a failure mode would be 'passing traffic that we have excluded.'  Funny!

    Question 1: Do changes in the IPSec FW rules like,  not apply until the tunnel drops & re-establishes?

    Question 2:  Do any of the devs want me to send them /tmp/rules.debug contents?

    I'd like to help get some of this info, if possible, to the devs, if this is actually a case where a hardware glitch or failure causes a pfSense device to start disregarding certain FW rules!



  • So - the issue persists after a reboot.  So now I'm concerned, heh.


  • Rebel Alliance Developer Netgate

    You have the purpose of that tab confused. The rule tabs only filter in the inbound direction. Thus, your local network can never be a source on the IPsec tab, it can only be a destination.

    To filter that traffic, you need to do so on the local interface where the traffic enters the firewall (e.g. LAN)

    Alternately, create a rule on the floating tab, ipsec interface, quick checked, outbound direction, and then block/pass as you want.



  • Yikes!  Is this behavior different than 1.2.3, or have I been building my IPSec-related firewall rules incorrectly for X years?


  • Rebel Alliance Developer Netgate

    It's always been that way, since the start.



  • @jimp:

    It's always been that way, since the start.

    Woof!  Who ever said you can't teach an old dog new tricks!  I was always wondering why firewall rules for IPSec were defined differently than all the other interfaces - the answer being "they aren't."

    Guess I lucked out that none of the IPSec tunnels I've used before actually needed restrictive rules.  :-\

    Thanks for the help!


Log in to reply