Static route filtering with IP Aliases



Hi there,

    I think we found a bug regarding the rules generated by "Static route filtering".

    Rules are only generated by this "check box" for the primary IP networks of the interfaces.
    E.g. I have 192.168.1.1/24 on LAN and 192.168.2.1/24 as IP Alias on LAN, too.
    There are static routes 10.0.0.0/24 => 192.168.1.2 and 10.0.1.0/24 => 192.168.1.2.

    Generated rules are only:
    pass  quick on $LAN proto tcp from 192.168.1.0/24 to 10.0.0.0/24 flags any tracker 1000003191 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 192.168.1.0/24 to 10.0.0.0/24 tracker 1000003192 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN proto tcp from 10.0.0.0/24 to 192.168.1.0/24 flags any tracker 1000003193 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 10.0.0.0/24 to 192.168.1.0/24 tracker 1000003194 keep state(sloppy) label "pass traffic between statically routed subnets"

    pass  quick on $LAN proto tcp from 192.168.1.0/24 to 10.0.1.0/24 flags any tracker 1000003195 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 192.168.1.0/24 to 10.0.1.0/24 tracker 1000003196 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN proto tcp from 10.0.1.0/24 to 192.168.1.0/24 flags any tracker 1000003197 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass  quick on $LAN from 10.0.1.0/24 to 192.168.1.0/24 tracker 1000003198 keep state(sloppy) label "pass traffic between statically routed subnets"

    Missing
    192.168.2.0/24 <=> 10.0.0.0/24
    192.168.2.0/24 <=> 10.0.1.0/24

    It might be reasonable to generate rules even for
    192.168.1.0/24 <=> 192.168.2.0/24

    This is a problem in an asymmetric routing scenario. I know, asymmetric routing against a firewall is always a dirty setup, but it is a cool feature of pfSense that there is this checkbox to get around these problems.

    PS: Using 2.2.4….

    BR and thanks for this great piece of software!
    Torsten
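As an added illustration of the gap described in the post (this is not part of the post and not pfSense's own filter.inc code), the following Python generator produces the "static route filtering" bypass rules for every network on an interface, IP Aliases included, and diffs that against the primary-network-only behaviour. The rule text copies the lines quoted above; the `Interface`/`StaticRoute` names, the selection of routes by "gateway lies in one of the interface's networks", the starting tracker number and the optional alias-to-primary pairs are assumptions made for the example.

```python
"""Generate pf "static route filtering" bypass rules for every network on an
interface, IP Aliases included.  Added illustration, not pfSense's filter.inc;
the rule text mirrors the lines quoted in the post, tracker numbering and the
route-selection rule (gateway inside one of the interface's networks) are
assumptions of this example."""
import ipaddress
from dataclasses import dataclass

LABEL = '"pass traffic between statically routed subnets"'


@dataclass
class Interface:
    name: str            # pf macro, e.g. "$LAN"
    networks: list[str]  # primary address first, then IP Aliases (CIDR)


@dataclass
class StaticRoute:
    network: str         # destination, CIDR
    gateway: str         # next-hop address


def rule_pair(iface, src, dst, tracker):
    """The two rules emitted per direction in the post: a sloppy-state TCP rule
    (tracker N) followed by a catch-all rule (tracker N+1), both quick."""
    base = f"pass  quick on {iface} "
    tail = f"keep state(sloppy) label {LABEL}"
    return [
        f"{base}proto tcp from {src} to {dst} flags any tracker {tracker} {tail}",
        f"{base}from {src} to {dst} tracker {tracker + 1} {tail}",
    ]


def routes_via(iface, routes):
    """Static routes whose gateway sits in any network (primary or alias) of
    the interface; routes reached via another interface are ignored."""
    nets = [ipaddress.ip_network(n, strict=False) for n in iface.networks]
    return [r for r in routes
            if any(ipaddress.ip_address(r.gateway) in n for n in nets)]


def generate_rules(iface, routes, tracker_start=1000003191,
                   aliases=True, between_local=False):
    """Return the bypass rules as pf rule strings.

    aliases=False reproduces the behaviour the post complains about (only the
    primary network is paired with the routed subnets); aliases=True pairs
    every network on the interface; between_local=True additionally passes
    traffic between the interface's own networks, the post's "might be
    reasonable" suggestion.
    """
    local = [str(ipaddress.ip_network(n, strict=False)) for n in iface.networks]
    if not aliases:
        local = local[:1]
    remote = [str(ipaddress.ip_network(r.network)) for r in routes_via(iface, routes)]
    pairs = [(loc, rem) for loc in local for rem in remote]
    if between_local:
        pairs += [(a, b) for i, a in enumerate(local) for b in local[i + 1:]]
    rules, tracker = [], tracker_start
    for a, b in pairs:
        for src, dst in ((a, b), (b, a)):
            rules += rule_pair(iface.name, src, dst, tracker)
            tracker += 2
    return rules


def missing_rules(iface, routes):
    """Rules (tracker numbers stripped) that the alias-aware generator emits
    but the primary-only generator does not."""
    strip = lambda r: r.split(" tracker ")[0]
    full = {strip(r) for r in generate_rules(iface, routes)}
    primary_only = {strip(r) for r in generate_rules(iface, routes, aliases=False)}
    return sorted(full - primary_only)


# Constructed to match the post: LAN with one IP Alias and two static routes
LAN = Interface("$LAN", ["192.168.1.1/24", "192.168.2.1/24"])
ROUTES = [StaticRoute("10.0.0.0/24", "192.168.1.2"),
          StaticRoute("10.0.1.0/24", "192.168.1.2")]

if __name__ == "__main__":
    for r in generate_rules(LAN, ROUTES, between_local=True):
        print(r)
    print("\nmissing from the primary-only output:")
    for r in missing_rules(LAN, ROUTES):
        print(r)
```

With `aliases=False` the output is exactly the eight rules quoted in the post; with aliases enabled the 192.168.2.0/24 pairs appear, and `between_local=True` adds the 192.168.1.0/24 <=> 192.168.2.0/24 rules. The diff in `missing_rules` ignores tracker numbers because those shift whenever a rule is inserted, which is also why a rule comparison across pfSense versions should key on the from/to/proto fields rather than on the tracker.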