All traffic with changed gateway
I've been using pfSense for a few days now.
I have multiple WAN interfaces and LAN interfaces.
I've made a group WanGroep with the two WAN interfaces. There is a firewall rule that allows NTP traffic from wlan to * with the gateway wangroep instead of the default gateway.
As soon as I change the gateway to wangroep instead of default, all TCP traffic is allowed from wlan to anywhere on any port instead of only the allowed port.
When I add a rule like that, on a 2.1-RC1 system, /tmp/rules.debug gets this added:
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
<negate_networks> is a list of networks I have defined in OpenVPN. I guess the code tries to protect those OpenVPN-defined networks (whose routes are already "fixed" on OpenVPN connections) from being re-routed by a policy-based rule into a gateway group that may not go somewhere successful.
The problem I see is that the first rule does not specify "port 123", so it opens up access for all ports from $LAN1 to <negate_networks> (the OpenVPN-reachable stuff).
Seems like a bug; that first rule should have a "port" spec in it, the same as the 2nd rule?
Edit: I added an issue in RedMine: http://redmine.pfsense.org/issues/3173
Thank you, good to hear that it is a bug. I was already going crazy.
This should be fixed on latest snapshots.
The changes to filter.inc did not make it into:
built on Tue Sep 3 14:08:44 EDT 2013
They will appear in the snapshot after the above.
I copied the new /etc/inc/filter.inc manually, and it is working. Sample test rule output from /tmp/rules.debug :
pass in quick on $LAN inet proto tcp from 10.49.80.99 to <negate_networks> port 123 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN $GWWiMax_Priority inet proto tcp from 10.49.80.99 to any port 123 flags S/SA keep state label "USER_RULE: Testing only zzzz"
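The two rules.debug excerpts in this thread (the over-broad NEGATE_ROUTE rule before the filter.inc fix, and the corrected one after it) are easy to check mechanically: the generated "NEGATE_ROUTE" rule should never match more than the policy-routing "USER_RULE" it is shadowing, otherwise it opens the negated destinations on every port. The script below is an added example, not part of the original posts or of pfSense itself. It parses the rule shape shown in this thread (a regex written for these lines, an assumption; real rules.debug output has more variants such as source ports or address negation) and reports any negate rule whose protocol, source or destination port is wider than the user rule that follows it. The two sample rule sets are constructed from the lines quoted above.

```python
import re

# Constructed sample input: the rule pair quoted from the 2.1-RC1 system
# before the fix (negate rule has no "port 123").
BUGGY_RULES = """\
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
"""

# Constructed sample input: the rule pair quoted after copying the new filter.inc.
FIXED_RULES = """\
pass in quick on $LAN inet proto tcp from 10.49.80.99 to <negate_networks> port 123 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN $GWWiMax_Priority inet proto tcp from 10.49.80.99 to any port 123 flags S/SA keep state label "USER_RULE: Testing only zzzz"
"""

# Regex for the rule shape seen in this thread only (assumption): an optional
# gateway-group macro after the interface, a single "from X to Y", and an
# optional destination "port N". Anything else is reported as unparsed.
RULE_RE = re.compile(
    r'^pass in quick on (?P<iface>\$\w+)'
    r'(?: (?P<gw>\$GW\w+))?'
    r' inet proto (?P<proto>\w+)'
    r' from (?P<src>\S+) to (?P<dst>\S+)'
    r'(?: port (?P<dport>\S+))?'
    r'.*label "(?P<label>[^"]*)"'
)


def parse_rule(line):
    """Return the rule's fields as a dict, or None if the line is not a pass rule we understand."""
    m = RULE_RE.match(line.strip())
    return m.groupdict() if m else None


def negate_user_pairs(text):
    """Yield (negate_rule, user_rule) for each NEGATE_ROUTE rule directly followed by a USER_RULE."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    for neg, user in zip(rules, rules[1:]):
        if neg and user and neg['label'].startswith('NEGATE_ROUTE') \
                and user['label'].startswith('USER_RULE'):
            yield neg, user


def overbroad_negates(text):
    """Return [(user_rule_label, [reasons])] for negate rules wider than their user rule.

    A negate rule is acceptable when it matches exactly the same protocol,
    source and destination port as the policy-routing rule it precedes; a
    missing port on the negate rule while the user rule names one is the
    bug discussed in the thread.
    """
    findings = []
    for neg, user in negate_user_pairs(text):
        reasons = []
        if user['dport'] is not None and neg['dport'] != user['dport']:
            reasons.append('destination port %s on negate rule vs port %s on user rule'
                           % (neg['dport'] or 'any', user['dport']))
        if neg['proto'] != user['proto']:
            reasons.append('proto %s vs %s' % (neg['proto'], user['proto']))
        if neg['src'] != user['src']:
            reasons.append('source %s vs %s' % (neg['src'], user['src']))
        if reasons:
            findings.append((user['label'], reasons))
    return findings


if __name__ == '__main__':
    for name, text in (('before fix', BUGGY_RULES), ('after fix', FIXED_RULES)):
        hits = overbroad_negates(text)
        print('%s: %d over-broad negate rule(s)' % (name, len(hits)))
        for label, reasons in hits:
            print('  %s: %s' % (label, '; '.join(reasons)))
```

Run against a real /tmp/rules.debug, feed the file contents to overbroad_negates(); any rule lines the regex does not recognise are skipped rather than flagged, so a clean result only means the recognised NEGATE_ROUTE/USER_RULE pairs are consistent.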