Netgate Discussion Forum

    [2.0.1] Bypass firewall rules for traffic on the same IF inop [fixed] chk plz

    Firewalling
namezero111111:

      Dear folks,

We have asymmetric routing for a VPN gateway on the LAN interface. Therefore, we use the "Bypass firewall rules for traffic on the same interface" option under Advanced on the pfSense default gateway.
The problem is that after a short time, the pfSense gateway stops forwarding packets to the gateway on the same network.

      Here's the layout:

rt1 ------- vpn1
 |
client

      RT1 is supposed to redirect/forward 192.168.0.0/16 through vpn1. (Asymmetric routing).

      http://redmine.pfsense.org/issues/1950 states that this was a problem in 2.0.

      We are running 2.0.1 Release.

      However, these four rules here are still at the very bottom of rules.debug under the userrules anchor:

      pass quick on $EKHNET proto tcp from 192.168.16.64/26 to 192.168.0.0/16 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
      pass quick on $EKHNET from 192.168.16.64/26 to 192.168.0.0/16 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass quick on $EKHNET proto tcp from 192.168.0.0/16 to 192.168.16.64/26 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
      pass quick on $EKHNET from 192.168.0.0/16 to 192.168.16.64/26 keep state(sloppy) label "pass traffic between statically routed subnets"

My question is: is this normal?
Because the Bypass option seems to be broken for us… For example, if a user tries uploading data via VPN, the connection breaks after about 300kbs, and then fails.
      If I manually add the 192.168.0.0/16 route to client, then everything works perfectly. Both rt1 and vpn1 run on pfsense.

      Any help would be greatly appreciated!

namezero111111:

        I would just like to add that this only happens if redirects are not honored by the client. Because if they are, the connection is handed off to the second router (vpn1) before the issue occurs.

        Has no one experienced this?

Essentially, the rt1 router stops forwarding packets to vpn1 on behalf of client after about 300 kbytes (I assume it's a fixed number of packets actually). I thought the bypass checkmark was supposed to take care of exactly that, was it not?

namezero111111:

Ok, guys, I just switched the bypass rules in the user anchor to be the first in the rules. For this I have changed filter.inc.

Please find a unified diff file attached that fixes the problem.

          @The admins/devs: Should I commit this somewhere as a fix? Or would you like to just grab the diff file and look at it whether this is good?

          filter_inc_fix.diff.txt
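The ordering problem in this thread comes down to pf's evaluation model: rules are evaluated top to bottom and a matching `quick` rule ends evaluation at once, so a `pass quick ... keep state(sloppy)` bypass rule only takes effect if no earlier `quick` rule on the same interface already matches the same traffic. The script below is an added example, not code from the thread, from the attached diff or from pfSense itself: it parses a rules.debug-style ruleset (a constructed sample is embedded, with the poster's `$EKHNET` bypass rules placed under a hypothetical broad "LAN to any" allow rule), reports which sloppy-state bypass rules are shadowed by an earlier quick rule, and shows that moving them to the top, the fix the poster made in filter.inc, clears the report. Interface macros and tables (`$LAN`, `<bogons>`) are compared literally rather than resolved.

```python
"""Find pf bypass rules (keep state(sloppy)) that an earlier quick rule shadows."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the style of rules.debug (not the poster's real file).
# Assumption: a broad LAN allow rule with normal (strict) state tracking sits
# above the bypass rules, so it wins for client -> 192.168.0.0/16 traffic.
SAMPLE_RULESET = """\
# user rules (constructed)
pass in quick on $EKHNET inet from 192.168.16.0/24 to any keep state label "USER_RULE: LAN to any"
pass quick on $EKHNET proto tcp from 192.168.16.64/26 to 192.168.0.0/16 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
pass quick on $EKHNET from 192.168.16.64/26 to 192.168.0.0/16 keep state(sloppy) label "pass traffic between statically routed subnets"
pass quick on $EKHNET proto tcp from 192.168.0.0/16 to 192.168.16.64/26 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
pass quick on $EKHNET from 192.168.0.0/16 to 192.168.16.64/26 keep state(sloppy) label "pass traffic between statically routed subnets"
"""

# Minimal pf rule grammar: enough for pass/block rules with on/proto/from/to.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+"
    r"(?:(?:drop|return)\s+)?"
    r"(?:(?P<dir>in|out)\s+)?"
    r"(?:log\s+)?"
    r"(?P<quick>quick\s+)?"
    r"(?:on\s+(?P<iface>\S+)\s+)?"
    r"(?:(?:inet|inet6)\s+)?"
    r"(?:proto\s+(?P<proto>\S+)\s+)?"
    r"(?:from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)|(?P<all>all)\b)"
)


@dataclass
class Rule:
    action: str
    direction: Optional[str]   # "in", "out" or None (both directions)
    quick: bool
    iface: Optional[str]       # None means any interface
    proto: Optional[str]       # None means any protocol
    src: str
    dst: str
    sloppy: bool               # a keep state(sloppy) bypass rule
    text: str


def parse_rules(text: str) -> List[Rule]:
    """Parse pass/block rules; macros, options, anchors and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        rules.append(Rule(
            action=m["action"], direction=m["dir"], quick=bool(m["quick"]),
            iface=m["iface"], proto=m["proto"],
            src=m["src"] or "any", dst=m["dst"] or "any",
            sloppy="sloppy" in line, text=line))
    return rules


def _covers(outer: str, inner: str) -> bool:
    """True if address spec `outer` matches every host that `inner` matches."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    try:
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    except (ValueError, TypeError):
        # macros ($LAN) or tables (<bogons>) are not resolved: only an
        # identical spec is treated as covering
        return outer == inner


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` is a quick rule that wins, in at least one direction,
    for every packet `later` could match, so pf never reaches `later`."""
    if not earlier.quick:
        return False
    if earlier.iface not in (None, later.iface):
        return False
    if later.direction is not None and earlier.direction not in (None, later.direction):
        return False
    if earlier.proto not in (None, later.proto):
        return False
    return _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)


def find_shadowed_bypass(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (bypass_index, shadowing_index) pairs, both indexes into `rules`."""
    return [(i, j) for i, rule in enumerate(rules) if rule.sloppy
            for j in range(i) if shadows(rules[j], rule)]


def bypass_first(rules: List[Rule]) -> List[Rule]:
    """Reorder so the sloppy-state bypass rules come first (relative order kept)."""
    return [r for r in rules if r.sloppy] + [r for r in rules if not r.sloppy]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULESET)
    for i, j in find_shadowed_bypass(rules):
        print(f"bypass rule #{i} is shadowed by quick rule #{j}:\n  {rules[i].text}\n  {rules[j].text}")
    print("shadowed after reordering:", find_shadowed_bypass(bypass_first(rules)))
```

Run it against a real rules.debug by replacing `SAMPLE_RULESET` with the file's contents; the check is deliberately conservative (an unresolved macro or table only counts as covering an identical spec), so an empty report is not proof that nothing shadows the bypass rules, but a non-empty one pinpoints the rule that does.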

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.