Netgate Discussion Forum

    Set state-policy if-bound or simulate if-bound with route-to rule

    2.1 Snapshot Feedback and Problems - RETIRED
    ggzengel:

      I can't contact (https, ssh) my pfSense over a WAN interface which does not hold the default gateway.

      The packets come in on em2 and leave on em1 with ip=em2.

      With set state-policy if-bound the problem should be gone. But it seems it makes problems with bridging.
      Could the route-to rule be done with "flags S/S"? Does this make sense?

      My config:

      em1=62.159.188.154
      em2=78.42.74.173

      pass out route-to (em1 62.159.188.153) inet from 62.159.188.154 to ! 62.159.188.152/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to (em2 78.42.72.1) inet from 78.42.74.173 to ! 78.42.72.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"

      tcpdump -n -i em2 | grep 95.90.154.95

      20:10:54.026626 IP 95.90.154.95.10683 > 78.42.74.173.443: Flags [S], seq 2222488228, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
      20:10:54.027579 IP 95.90.154.95.41430 > 78.42.74.173.443: Flags [S], seq 1310538634, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

      tcpdump -n -i em1 | grep 95.90.154.95 | grep 443

      20:13:39.238897 IP 78.42.74.173.443 > 95.90.154.95.6192: Flags [S.], seq 1141899119, ack 3308422046, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
      20:13:39.239704 IP 78.42.74.173.443 > 95.90.154.95.22159: Flags [S.], seq 1574710887, ack 1864152005, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
      cmb:

        If-bound states create all kinds of problems; don't set that.

        The reply-to on WAN rules will handle the reply traffic unless you're adding a rule that overrides the auto-added reply-to, or disabling the reply-to on those rules.

        eri--:

          For your information, there is no possible if-bound state in pfSense.
          It has been removed completely from pf in the kernel as it will break all kinds of things.

          ggzengel:

            I don't have a reply-to which could match.
            I haven't checked "disable reply-to" in the GUI.

            
            scrub on em1 all no-df random-id fragment reassemble
            scrub on em0 all no-df random-id fragment reassemble
            scrub on em2 all no-df random-id fragment reassemble
            scrub on pppoe0 all no-df random-id fragment reassemble
            scrub on em4 all no-df random-id fragment reassemble
            scrub on ovpnc2 all no-df random-id fragment reassemble
            scrub on ovpnc1 all no-df random-id fragment reassemble
            scrub on ovpns3 all no-df random-id fragment reassemble
            scrub on em3 all no-df random-id fragment reassemble
            anchor "relayd/*" all
            anchor "openvpn/*" all
            anchor "ipsec/*" all
            block drop in log quick inet6 all label "Block all IPv6"
            block drop out log quick inet6 all label "Block all IPv6"
            block drop in log inet all label "Default deny rule IPv4"
            block drop out log inet all label "Default deny rule IPv4"
            block drop in log inet6 all label "Default deny rule IPv6"
            block drop out log inet6 all label "Default deny rule IPv6"
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
            pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
            pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
            pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
            pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
            pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
            pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
            pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
            block drop quick inet proto tcp from any port = 0 to any
            block drop quick inet proto tcp from any to any port = 0
            block drop quick inet proto udp from any port = 0 to any
            block drop quick inet proto udp from any to any port = 0
            block drop quick inet6 proto tcp from any port = 0 to any
            block drop quick inet6 proto tcp from any to any port = 0
            block drop quick inet6 proto udp from any port = 0 to any
            block drop quick inet6 proto udp from any to any port = 0
            block drop quick from <snort2c> to any label "Block snort2c hosts"
            block drop quick from any to <snort2c> label "Block snort2c hosts"
            block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
            block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
            block drop in quick from <virusprot> to any label "virusprot overload table"
            block drop in on ! em1 inet from 62.159.188.152/29 to any
            block drop in inet from 62.159.188.154 to any
            block drop in on em1 inet6 from fe80::203:2dff:fe1a:d0dc to any
            block drop in log quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from 1_TCC block 10/8"
            block drop in log quick on em1 inet from 127.0.0.0/8 to any label "Block private networks from 1_TCC block 127/8"
            block drop in log quick on em1 inet from 100.64.0.0/10 to any label "Block private networks from 1_TCC block 100.64/10"
            block drop in log quick on em1 inet from 172.16.0.0/12 to any label "Block private networks from 1_TCC block 172.16/12"
            block drop in log quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from 1_TCC block 192.168/16"
            block drop in log quick on em1 inet6 from fc00::/7 to any label "Block ULA networks from 1_TCC block fc00::/7"
            block drop in on ! em0 inet from 10.19.69.0/24 to any
            block drop in inet from 10.19.69.10 to any
            block drop in on ! em2 inet from 78.42.72.0/22 to any
            block drop in inet from 78.42.74.173 to any
            block drop in on em0 inet6 from fe80::203:2dff:fe1a:d0db to any
            block drop in on em2 inet6 from fe80::203:2dff:fe1a:d0dd to any
            pass in on em2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out 2_CABLE"
            pass out on em2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out 2_CABLE"
            block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from 3_TDSL block 10/8"
            block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from 3_TDSL block 127/8"
            block drop in log quick on pppoe0 inet from 100.64.0.0/10 to any label "Block private networks from 3_TDSL block 100.64/10"
            block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from 3_TDSL block 172.16/12"
            block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from 3_TDSL block 192.168/16"
            block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from 3_TDSL block fc00::/7"
            block drop in on ! ovpnc2 inet from 10.255.255.130 to any
            block drop in inet from 10.255.255.130 to any
            block drop in on ! ovpnc1 inet from 10.255.255.2 to any
            block drop in inet from 10.255.255.2 to any
            block drop in on ! ovpns3 inet from 10.255.255.193 to any
            block drop in inet from 10.255.255.193 to any
            block drop in on ! em4 inet from 192.168.178.0/24 to any
            block drop in inet from 192.168.178.100 to any
            block drop in on ovpnc2 inet6 from fe80::203:2dff:fe1a:d0db to any
            block drop in on ovpnc1 inet6 from fe80::203:2dff:fe1a:d0db to any
            block drop in on ovpns3 inet6 from fe80::203:2dff:fe1a:d0db to any
            block drop in on em4 inet6 from fe80::203:2dff:fe1a:d0df to any
            pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
            pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
            pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
            pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
            pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
            pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
            pass out route-to (em1 62.159.188.153) inet from 62.159.188.154 to ! 62.159.188.152/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
            pass out route-to (em2 78.42.72.1) inet from 78.42.74.173 to ! 78.42.72.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
            pass out route-to (ovpnc2 10.255.255.129) inet from 10.255.255.130 to ! 10.255.255.130 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
            pass out route-to (ovpnc1 10.255.255.1) inet from 10.255.255.2 to ! 10.255.255.2 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
            pass out route-to (ovpns3 10.255.255.194) inet from 10.255.255.193 to ! 10.255.255.193 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
            pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
            pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
            pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"
            pass in quick on em0 proto tcp from any to (em0) port = ssh flags S/SA keep state label "anti-lockout rule"
            anchor "userrules/*" all
            pass in quick on Internet inet proto esp all keep state label "USER_RULE"
            pass in quick on Internet inet proto udp from any to any port = isakmp keep state label "USER_RULE"
            pass in quick on Internet inet proto udp from any to any port = sae-urn keep state label "USER_RULE"
            pass in quick on Internet inet proto icmp all icmp-type echoreq keep state label "USER_RULE"
            pass in quick on Internet inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
            pass in quick on Internet inet proto udp from any to any port 1193 >< 1197 keep state label "USER_RULE: OVPN Server"
            pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"
            pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE"
            pass in quick on em0 route-to (em1 62.159.188.153) inet from any to <dicomgateway> flags S/SA keep state label "USER_RULE"
            pass in quick on em0 route-to (em2 78.42.72.1) inet from any to ! <notinternet> flags S/SA keep state label "USER_RULE"
            pass in quick on em0 inet all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
            pass in quick on ovpnc2 reply-to (ovpnc2 10.255.255.129) inet all flags S/SA keep state label "USER_RULE"
            pass in quick on ovpnc1 reply-to (ovpnc1 10.255.255.1) inet all flags S/SA keep state label "USER_RULE"
            anchor "tftp-proxy/*" all
            No queue in use
            ggzengel:

              One pitfall after the other.
              Rules on interface groups didn't create reply-to rules. Rules should iterate over the interfaces and create one rule after the other.
              That means interface groups are useless. I have to make every stupid rule manually and multiple times.
              And every time I add a new WAN I have to do it again.

              cmb:

                reply-to isn't added to interface groups by design. It wouldn't work right. They only work in circumstances where reply-to isn't necessary.

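The two practical points of this thread are the same mechanism seen from two sides: the `pfctl -sr` listing above shows what a WAN rule with reply-to looks like (the ovpnc rules) and what one without it looks like (the rules on the `Internet` group), and the last two posts explain why the group rules never get reply-to. The script below is an added example written for this thread, not pfSense code and not something the project ships: it parses lines in the shape of the quoted `pfctl -sr` output, flags user `pass in` rules on a WAN or on a group that carry no reply-to, and expands a group rule into one rule per member WAN with `reply-to (iface gateway)` placed where the quoted ovpnc rules place it. The membership of the `Internet` group and the gateway addresses are assumptions taken from the rules quoted in the thread; the `SAMPLE_RULES` are constructed in that same shape.

```python
"""Added example for this thread (not pfSense's own code): audit a pfctl -sr
listing for user 'pass in' rules on a WAN or interface group that lack
reply-to, and expand a group rule into per-WAN rules that carry it.

Assumptions, not read from pfSense: the 'Internet' group contains em1 and em2,
and the gateways are the ones visible in the quoted route-to/reply-to rules.
"""
import re

# Constructed: WAN-side interface -> its gateway, taken from the quoted rules.
WAN_GATEWAYS = {
    "em1": "62.159.188.153",
    "em2": "78.42.72.1",
    "ovpnc2": "10.255.255.129",
}
# Assumed membership of the interface group used in the quoted USER_RULEs.
GROUPS = {"Internet": ["em1", "em2"]}

# head = action, direction and modifiers; then 'on [!] iface'; then the rest.
RULE_RE = re.compile(
    r"^(?P<head>(?:pass|block)(?:\s+drop)?\s+(?:in|out)(?:\s+(?:log|quick))*)"
    r"\s+on\s+(?P<neg>!\s+)?(?P<iface>\S+)"
    r"(?P<rest>\s.*)?$"
)


def parse_rule(line):
    """Split one pfctl -sr line into head, interface and remainder; None when
    the line has no 'on <iface>' clause (scrub, anchor, interface-less rules)."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    direction = re.search(r"\b(in|out)\b", m.group("head")).group(1)
    return {
        "head": m.group("head"),
        "direction": direction,
        "iface": m.group("iface"),
        "negated": m.group("neg") is not None,
        "rest": (m.group("rest") or "").strip(),
    }


def is_user_pass_in(rule):
    """pfSense labels GUI rules 'USER_RULE...'; auto-added rules are skipped."""
    return (rule is not None and rule["head"].startswith("pass")
            and rule["direction"] == "in" and 'label "USER_RULE' in rule["rest"])


def expand_group_rule(line):
    """Rewrite a 'pass in' rule on an interface group into one rule per member,
    inserting 'reply-to (iface gateway)' directly after 'on iface', the position
    the quoted ovpnc rules use. Any other line is returned unchanged."""
    rule = parse_rule(line)
    if (rule is None or rule["iface"] not in GROUPS
            or rule["direction"] != "in" or not rule["head"].startswith("pass")):
        return [line]
    return [
        f'{rule["head"]} on {iface} reply-to ({iface} {WAN_GATEWAYS[iface]}) {rule["rest"]}'
        for iface in GROUPS[rule["iface"]]
    ]


def audit_missing_reply_to(lines):
    """Return the user 'pass in' rules on a WAN interface or on a group whose
    body does not start with reply-to: their reply traffic follows the default
    route instead of leaving on the interface the request arrived on."""
    flagged = []
    for line in lines:
        rule = parse_rule(line)
        if not is_user_pass_in(rule):
            continue
        if rule["iface"] in WAN_GATEWAYS or rule["iface"] in GROUPS:
            if not rule["rest"].startswith("reply-to "):
                flagged.append(line)
    return flagged


# Constructed sample in the shape of the pfctl -sr output quoted in the thread.
SAMPLE_RULES = [
    'pass in quick on Internet inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"',
    'pass in quick on em0 inet all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"',
    'pass in quick on ovpnc2 reply-to (ovpnc2 10.255.255.129) inet all flags S/SA keep state label "USER_RULE"',
    'pass in on em2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out 2_CABLE"',
    'block drop in log quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from 1_TCC block 10/8"',
]

if __name__ == "__main__":
    for line in audit_missing_reply_to(SAMPLE_RULES):
        print("no reply-to:", line)
        for expanded in expand_group_rule(line):
            print("  ->", expanded)
```

Run against a real listing, the audit only looks at rules labelled `USER_RULE`, so pfSense's own DHCP-client and anti-lockout rules are not reported; the LAN rule on em0 is skipped because em0 is not in `WAN_GATEWAYS`, and the ovpnc2 rule passes because it already carries reply-to. Only the `Internet` group rule is flagged, and its expansion is what a per-WAN copy of that rule would look like with the gateway filled in.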
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.