4. Static route filtering with IP Aliases

Static route filtering with IP Aliases

  • V

    Hi there,

    I think we found a bug regarding the rules generated by "Static route filtering".

    There are only rules generated by this "check box" for the primary ip networks of the interfaces.
    E.g. I have 192.168.1.1/24 on LAN and 192.168.2.1/24 as IP Alias on LAN, too.
    There are static routes 10.0.0.0/24 => 192.168.1.2 and 10.0.1.0/24 => 192.168.1.2.

    Generated rules are only:
    pass  quick on $LAN proto tcp from 192.168.1.0/24 to 10.0.0.0/24 flags any tracker 1000003191 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 192.168.1.0/24 to 10.0.0.0/24 tracker 1000003192 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN proto tcp from 10.0.0.0/24 to 192.168.1.0/24 flags any tracker 1000003193 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 10.0.0.0/24 to 192.168.1.0/24 tracker 1000003194 keep state(sloppy) label "pass traffic between statically routed subnets"

    pass  quick on $LAN proto tcp from 192.168.1.0/24 to 10.0.1.0/24 flags any tracker 1000003195 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 192.168.1.0/24 to 10.0.1.0/24 tracker 1000003196 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN proto tcp from 10.0.1.0/24 to 192.168.1.0/24 flags any tracker 1000003197 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 10.0.1.0/24 to 192.168.1.0/24 tracker 1000003198 keep state(sloppy) label "pass traffic between statically routed subnets"

    Missing
    192.168.2.0/24 <=> 10.0.0.0/24
    192.168.2.0/24 <=> 10.0.1.0/24

    it might be reasonable to generate rules even for
    192.168.1.0/24 <=> 192.168.2.0/24

    This is a problem in an asymmetric routing scenario. I know, asymmetric routing against a firewall is always a dirty setup, but it is a cool feature of pfSense that there is this checkbox to get around these problems.

    PS: Using 2.2.4….

    BR and thanks for this great piece of software!
    Torsten

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy