Policy Routing Firewall Rule



  • 2.1, RC1 - Aug 30.

I have had a policy routing rule at the bottom of the LAN interface, which is basically "Pass * * * * Gateway_Failover".  Previously (in 2.0.3), it was my understanding that this rule also allowed ALL traffic from the LAN to other interfaces (I have a WLAN, DMZ, etc.) unless explicitly blocked by a preceding block rule.

In 2.1, this is no longer the case (so I had to create a rule to my SMTP server in the DMZ).  Has Policy Routing changed, and is there a hole in my firewall logic?

    Thanks.



I am assuming that the entity "Gateway_Failover" in your configuration is a gateway group and that you have two internet connections, with the gateway from each of those connections as a member of that gateway group.

If that assumption is correct, then your rule says that any traffic on your LAN interface coming from src *, src port *, going to dest *, dest port *, and traversing the gateway group "Gateway_Failover" is allowed.

Your DMZ-destined traffic does not match that rule because that traffic does not traverse any member of the gateway group. When you explicitly specify a gateway for a rule, your firewall's routing table is ignored.

    Read through the Policy Route Negation section of this doc: http://doc.pfsense.org/index.php/Multi-WAN_2.0
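The behaviour described above, written out as the pf rules pfSense conceptually generates from the LAN tab. This is an added illustration, not a rule set from the thread or from pfSense itself: interface names, subnets and the gateway address are made-up placeholders, and the gateway group is assumed to resolve to its currently active member.

```pf
# Constructed interface and network names (placeholders, not from the thread)
lan_if  = "em1"
wan_if  = "em0"
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"
wlan_net = "172.16.0.0/24"

# Local networks the firewall itself routes between
table <local_nets> { 10.0.0.0/24, 172.16.0.0/24 }

# Policy Route Negation: match LAN -> DMZ/WLAN first, with no gateway,
# so the kernel routing table decides where it goes. "quick" stops
# evaluation here, so the route-to rule below never sees this traffic.
pass in quick on $lan_if from $lan_net to <local_nets>

# The original "Pass * * * * Gateway_Failover" rule. pfSense implements the
# Gateway field with route-to, which forces matching packets out the named
# interface to the named next hop regardless of the routing table. Without
# the rule above, LAN -> DMZ packets would be matched here and handed to the
# WAN gateway instead of being delivered to the DMZ interface.
pass in quick on $lan_if route-to ($wan_if 203.0.113.1) from $lan_net to any
```

Rule order is the whole point: put the gateway-less pass for local networks (or a destination alias negated with `!`) above any rule that carries a gateway, otherwise inter-interface traffic is policy-routed to the WAN and never reaches the DMZ host.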



  • @ssheikh:

    Your DMZ destined traffic does not match that rule because that traffic does not traverse through any members of the gateway group. When you explicitly specify a gateway for a rule, your firewall's routing table is ignored.

    Learned something new today.  Thanks for the reply!