Netgate Discussion Forum
    Policy Filtering with pfSense

    Firewalling
    2 Posts, 2 Posters, 2.4k Views
    RogerKint

      Hi,

      Migrating from iptables to pfSense, there is one feature I was using heavily in iptables that I did not succeed in reproducing in pfSense.

      Almost every rule in my current iptables rules includes the source and target interface as a parameter. Say I allow traffic from subnet A to subnet B; the corresponding rule contains the source interface, source IP, target interface, target IP and target port number.

      Especially when there is a rule that allows traffic from the internal net to the WAN, it is difficult to do this in pfSense. I would need an alias for all internal networks, and then I would say allow traffic from source interface, e.g. LAN, to destination IP range = NOT internal networks.
      It would be much better to neglect target IP addresses and use the outgoing interface as a characteristic instead.

      So I googled around and found policy filtering, a smart way to do this with pf. See http://www.openbsd.org/faq/pf/tagging.html#policy for what I am talking about.

      But my attempts to follow this approach with floating rules failed for unknown reasons. Here is what I tried (floating rules in order):

      • allow traffic from the source interface, tag it with a keyword (pf01.jpg, pf02.jpg)
      • reject traffic on the outgoing interface (pf03.jpg)
      • allow traffic on the outgoing interface when tagged with the keyword (pf04.jpg, pf05.jpg)

      Surprisingly, some packets seem to get duplicated with this setup:

      ```
      [2.2.5-RELEASE][root@pfSense.localdomain]/etc: tcpdump -n -i vmx0 host 88.y.y.y
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vmx0, link-type EN10MB (Ethernet), capture size 65535 bytes
      capability mode sandbox enabled
      21:05:29.072204 IP 78.x.x.x.56915 > 88.y.y.y.80: Flags [S], seq 1678273888, win 29200, options [mss 1460,sackOK,TS val 20926454 ecr 0,nop,wscale 7], length 0
      21:05:29.073421 IP 88.y.y.y.80 > 78.x.x.x.56915: Flags [S.], seq 769046118, ack 1678273889, win 28960, options [mss 1460,sackOK,TS val 2205119973 ecr 20926454,nop,wscale 7], length 0
      21:05:29.073438 IP 88.y.y.y.80 > 192.168.128.65.42187: Flags [S.], seq 769046118, ack 1678273889, win 28960, options [mss 1460,sackOK,TS val 2205119973 ecr 20926454,nop,wscale 7], length 0
      ```

      Without floating rules, the "standard" pfSense way with a rule based on the source interface works:
      ```
      [2.2.5-RELEASE][root@pfSense.localdomain]/etc: tcpdump -n -i vmx0 host 88.y.y.y
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vmx0, link-type EN10MB (Ethernet), capture size 65535 bytes
      capability mode sandbox enabled
      21:09:21.639570 IP 78.x.x.x.64684 > 88.y.y.y.80: Flags [S], seq 473341721, win 29200, options [mss 1460,sackOK,TS val 20984596 ecr 0,nop,wscale 7], length 0
      21:09:21.644954 IP 88.y.y.y.80 > 78.x.x.x.64684: Flags [S.], seq 122798218, ack 473341722, win 28960, options [mss 1460,sackOK,TS val 2205178115 ecr 20984596,nop,wscale 7], length 0
      21:09:21.645166 IP 78.x.x.x.64684 > 88.y.y.y.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 20984597 ecr 2205178115], length 0
      21:09:21.959635 IP 88.y.y.y.80 > 78.x.x.x.64684: Flags [P.], seq 1:40, ack 1, win 227, options [nop,nop,TS val 2205178194 ecr 20984597], length 39
      21:09:21.960044 IP 78.x.x.x.64684 > 88.y.y.y.80: Flags [.], ack 40, win 229, options [nop,nop,TS val 20984676 ecr 2205178194], length 0
      ```

      So my questions are: why are packets duplicated with my floating rules? How do I implement the pf policy filtering approach with pfSense?
      
      Thanks for suggestions.
      
      Forgot to mention: the approach above with tags works as long as there is no NAT involved. Somehow NAT seems to be incompatible with my setup.
      ![pf01.jpg](/public/_imported_attachments_/1/pf01.jpg)
      ![pf02.jpg](/public/_imported_attachments_/1/pf02.jpg)
      ![pf03.jpg](/public/_imported_attachments_/1/pf03.jpg)
      ![pf04.jpg](/public/_imported_attachments_/1/pf04.jpg)
      ![pf05.jpg](/public/_imported_attachments_/1/pf05.jpg)
      
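      The tag-based policy filtering from the OpenBSD FAQ page linked above, written out as a pf.conf ruleset; this is an added example, not from either post or from pfSense itself, and the interface names, subnets and tag names are assumptions. pfSense's floating rules generate rules of this shape, with one caveat about `quick` noted in the comments.

      ```pf
      # Added example: policy filtering with tags (OpenBSD FAQ pattern).
      # Decision is made on the OUTBOUND interface; addresses are never matched.
      # Interface names, networks and tag names below are assumed for illustration.
      ext_if  = "vmx0"                 # WAN (assumed)
      lan_if  = "vmx1"                 # LAN (assumed)
      dmz_if  = "vmx2"                 # DMZ (assumed)
      lan_net = "192.168.128.0/24"
      dmz_net = "10.10.10.0/24"

      # NAT is evaluated before the filter rules, so an "out on $ext_if" rule
      # already sees the translated source address. The tag travels with the
      # packet and its state regardless, which is why matching on the tag
      # rather than on the (now translated) source address still works.
      nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

      # Firewall's own traffic (DNS, NTP, updates) must not hit the default deny.
      pass out quick from self keep state

      # 1. Tag on the way in, keyed by the interface the traffic arrived on.
      #    No destination is specified here; the decision is deferred.
      pass in quick on $lan_if from $lan_net to any tag LAN_IN keep state
      pass in quick on $dmz_if from $dmz_net to any tag DMZ_IN keep state

      # 2. Default deny on the way out of every interface.
      block out on $ext_if
      block out on $lan_if
      block out on $dmz_if

      # 3. Release only traffic carrying the right tag:
      #    LAN may reach WAN and DMZ; DMZ may reach WAN but not LAN.
      pass out quick on $ext_if tagged LAN_IN keep state
      pass out quick on $dmz_if tagged LAN_IN keep state
      pass out quick on $ext_if tagged DMZ_IN keep state
      # There is deliberately no "pass out on $lan_if tagged DMZ_IN":
      # DMZ -> LAN therefore falls through to the block above.

      # Caveat for pfSense floating rules: pf is last-match-wins unless a rule
      # has "quick". Interface-tab rules are quick implicitly, floating rules
      # only when the Quick box is checked. A non-quick "pass ... tagged" rule
      # followed by a later matching rule will not behave as step 3 intends.
      ```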
      kesawi

        I don't think you need floating rules or packet marking to achieve what you want for the WAN rules. For your rules allowing access to the WAN on each interface, you can specify the WAN gateway in the advanced options of the rules.
