Netgate Discussion Forum

    Static route filtering with IP Aliases

    Firewalling
    vielhak

      Hi there,

      I think we found a bug regarding the rules generated by "Static route filtering".

      This "check box" only generates rules for the primary IP networks of the interfaces.
      E.g. I have 192.168.1.1/24 on LAN and 192.168.2.1/24 as an IP Alias on LAN, too.
      There are static routes 10.0.0.0/24 => 192.168.1.2 and 10.0.1.0/24 => 192.168.1.2.

      Generated rules are only:
      pass  quick on $LAN proto tcp from 192.168.1.0/24 to 10.0.0.0/24 flags any tracker 1000003191 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass  quick on $LAN from 192.168.1.0/24 to 10.0.0.0/24 tracker 1000003192 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass  quick on $LAN proto tcp from 10.0.0.0/24 to 192.168.1.0/24 flags any tracker 1000003193 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass  quick on $LAN from 10.0.0.0/24 to 192.168.1.0/24 tracker 1000003194 keep state(sloppy) label "pass traffic between statically routed subnets"

      pass  quick on $LAN proto tcp from 192.168.1.0/24 to 10.0.1.0/24 flags any tracker 1000003195 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass  quick on $LAN from 192.168.1.0/24 to 10.0.1.0/24 tracker 1000003196 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass  quick on $LAN proto tcp from 10.0.1.0/24 to 192.168.1.0/24 flags any tracker 1000003197 keep state(sloppy) label "pass traffic between statically routed subnets"
      pass  quick on $LAN from 10.0.1.0/24 to 192.168.1.0/24 tracker 1000003198 keep state(sloppy) label "pass traffic between statically routed subnets"

      Missing
      192.168.2.0/24 <=> 10.0.0.0/24
      192.168.2.0/24 <=> 10.0.1.0/24

      It might be reasonable to generate rules even for
      192.168.1.0/24 <=> 192.168.2.0/24

      This is a problem in an asymmetric routing scenario. I know, asymmetric routing against a firewall is always a dirty setup, but it is a cool feature of pfSense that there is this checkbox to get around these problems.

      PS: Using 2.2.4….

      BR and thanks for this great piece of software!
      Torsten

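The gap the post describes can be reproduced outside pfSense. The script below is an added example, not pfSense's own rule generator: it takes a constructed copy of the topology from the post (LAN primary network, an IP Alias network on the same interface, two static routes via a gateway on LAN), emits pass rules in the same shape as the ones quoted above, and lists the rule pairs that a primary-network-only generator leaves out. The interface and route tables, the tracker numbering and the helper names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed topology from the post (not read from a real pfSense config):
# LAN carries a primary network and an IP Alias network; two static routes
# point at gateway 192.168.1.2, which sits on LAN.
INTERFACES = {
    "LAN": ["192.168.1.0/24", "192.168.2.0/24"],  # index 0 is the primary network
}
STATIC_ROUTES = {
    "10.0.0.0/24": "192.168.1.2",
    "10.0.1.0/24": "192.168.1.2",
}
LABEL = 'label "pass traffic between statically routed subnets"'


def interface_for_gateway(gateway, interfaces):
    """Return the interface whose primary or alias network contains the gateway."""
    gw = ipaddress.ip_address(gateway)
    for name, networks in interfaces.items():
        if any(gw in ipaddress.ip_network(n) for n in networks):
            return name
    raise ValueError(f"no interface network contains gateway {gateway}")


def rule_pair(iface, src, dst, tracker):
    """Two pass rules, in the shape pfSense prints, for one direction of one subnet pair.

    Sloppy state tracking is what makes these rules usable with asymmetric routing:
    pf may only ever see one direction of a connection, so strict TCP state
    checking would drop the replies.
    """
    return [
        f"pass  quick on ${iface} proto tcp from {src} to {dst} flags any "
        f"tracker {tracker} keep state(sloppy) {LABEL}",
        f"pass  quick on ${iface} from {src} to {dst} "
        f"tracker {tracker + 1} keep state(sloppy) {LABEL}",
    ]


def generate_rules(interfaces, routes, include_aliases, first_tracker=1000003191):
    """Emit pass rules between each statically routed subnet and the local networks
    of the interface its gateway lives on.

    include_aliases=False reproduces the behaviour reported in the post (primary
    network only); include_aliases=True also covers the IP Alias networks.
    """
    rules = []
    tracker = first_tracker
    for routed, gateway in routes.items():
        iface = interface_for_gateway(gateway, interfaces)
        local_nets = interfaces[iface] if include_aliases else interfaces[iface][:1]
        for local in local_nets:
            for src, dst in ((local, routed), (routed, local)):
                rules.extend(rule_pair(iface, src, dst, tracker))
                tracker += 2
    return rules


def missing_rules(interfaces, routes):
    """Rules the alias-aware generator emits that the primary-only one does not.

    Tracker ids are stripped before comparing, so only the subnet pairs count.
    """
    def strip(rule):
        return re.sub(r"tracker \d+ ", "", rule)

    have = {strip(r) for r in generate_rules(interfaces, routes, include_aliases=False)}
    return [r for r in generate_rules(interfaces, routes, include_aliases=True)
            if strip(r) not in have]


if __name__ == "__main__":
    print("rules generated for the primary network only:")
    for r in generate_rules(INTERFACES, STATIC_ROUTES, include_aliases=False):
        print(r)
    print("\nrule pairs missing for the IP Alias network:")
    for r in missing_rules(INTERFACES, STATIC_ROUTES):
        print(r)
```

Run with the constructed tables, the primary-only mode prints exactly the eight rules quoted in the post, and `missing_rules` returns the eight additional rules for 192.168.2.0/24 <=> 10.0.0.0/24 and 192.168.2.0/24 <=> 10.0.1.0/24. Until the generator covers alias networks, hosts in the alias subnet need those pass rules added by hand, with sloppy state, on the interface the gateway is reachable through.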