All traffic with changed gateway



  • I'm using pfSense now for a few days.
    I've multiple WAN interfaces and LAN interfaces.

    I've made a group WanGroep with the 2 WAN interfaces. There is a firewall rule that allows NTP traffic from wlan to * with the gateway wangroep instead of the default gateway.
    As soon as I change the gateway to wangroep instead of default, all TCP traffic is allowed from wlan to anywhere on any port instead of the allowed port.




  • When I add a rule like that, on a 2.1-RC1 system, /tmp/rules.debug gets this added:

    pass  in  quick  on $LAN1 inet proto tcp  from any  to <negate_networks> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in  quick  on $LAN1  $GWNTPGWG inet proto tcp  from any to any port 123 flags S/SA keep state  label "USER_RULE: Test NTP"
    

    <negate_networks> is a list of networks I have defined in OpenVPN. I guess the code tries to protect those OpenVPN-defined networks (whose routes are already "fixed" on OpenVPN connections) from being re-routed by a policy-based rule into a gateway group that may not go somewhere successful.
    The problem I see is that the first rule does not specify "port 123" - so it opens up access for all ports from $LAN1 to <negate_networks> (the OpenVPN-reachable stuff).
    Seems like a bug, that first rule should have a "port" spec in it the same as the 2nd rule?

    Edit: I added an issue in RedMine: http://redmine.pfsense.org/issues/3173



  • Thank you, good to hear that it is a bug. I was already getting crazy.



  • This should be fixed on latest snapshots.



  • The changes to filter.inc did not make it into:
    2.1-RC1 (i386)
    built on Tue Sep 3 14:08:44 EDT 2013

    They will appear in the snapshot after the above.
    I copied the new /etc/inc/filter.inc manually, and it is working. Sample test rule output from /tmp/rules.debug:

    pass  in  quick  on $LAN inet proto tcp  from 10.49.80.99  to <negate_networks>  port 123 flags S/SA keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in  quick  on $LAN  $GWWiMax_Priority inet proto tcp  from 10.49.80.99 to any port 123 flags S/SA keep state  label "USER_RULE: Testing only zzzz"
    
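An added audit check, not from this thread or from pfSense's filter.inc, that scans rules.debug-style output for a NEGATE_ROUTE rule that drops the port restriction of the USER_RULE it precedes (the buggy pair from the second post) and stays quiet once the port spec is carried over (the fixed pair from the last post). The two rule pairs are embedded as constructed input; the pairing assumes, as in the quoted output, that the negate rule is written immediately before its user rule.

```python
import re

# Constructed input: the buggy pair quoted in the thread (negate rule with no
# port spec) and the corrected pair after the filter.inc change.
BUGGY_RULES = """\
pass  in  quick  on $LAN1 inet proto tcp  from any  to <negate_networks> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN1  $GWNTPGWG inet proto tcp  from any to any port 123 flags S/SA keep state  label "USER_RULE: Test NTP"
"""
FIXED_RULES = """\
pass  in  quick  on $LAN inet proto tcp  from 10.49.80.99  to <negate_networks>  port 123 flags S/SA keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN  $GWWiMax_Priority inet proto tcp  from 10.49.80.99 to any port 123 flags S/SA keep state  label "USER_RULE: Testing only zzzz"
"""

PORT_RE = re.compile(r"\bport\s+(\S+)")          # "port 123", "port 1024:65535", ...
LABEL_RE = re.compile(r'label\s+"([A-Z_]+):')    # NEGATE_ROUTE / USER_RULE prefix


def port_spec(rule: str):
    """Destination port spec of a pf rule line, or None when the rule has none."""
    m = PORT_RE.search(rule)
    return m.group(1) if m else None


def label_kind(rule: str):
    """The label prefix pfSense writes, e.g. 'NEGATE_ROUTE' or 'USER_RULE'."""
    m = LABEL_RE.search(rule)
    return m.group(1) if m else None


def find_overbroad_negates(rules_text: str):
    """Return (negate_rule, user_port) for every NEGATE_ROUTE rule that is
    immediately followed by a USER_RULE carrying a port restriction the
    negate rule lacks. Such a negate rule passes every port to the
    negate networks, which is the over-permissive behaviour in the thread."""
    findings = []
    lines = [ln for ln in rules_text.splitlines() if ln.strip()]
    for negate, user in zip(lines, lines[1:]):
        if label_kind(negate) != "NEGATE_ROUTE" or label_kind(user) != "USER_RULE":
            continue
        user_port = port_spec(user)
        if user_port is not None and port_spec(negate) is None:
            findings.append((negate, user_port))
    return findings


if __name__ == "__main__":
    for name, text in (("buggy", BUGGY_RULES), ("fixed", FIXED_RULES)):
        hits = find_overbroad_negates(text)
        print(f"{name}: {len(hits)} over-broad NEGATE_ROUTE rule(s)")
        for rule, port in hits:
            print(f"  user rule restricts to port {port}, negate rule has no port spec:\n    {rule}")
```

Run it against a copy of /tmp/rules.debug by reading the file into `find_overbroad_negates` instead of the embedded samples.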
