Rename WAN to WAN1\. WAN remains on: Firewall | Rules
-
After update 'WAN' still present in WI.
Thanks
-
Are you certain you renamed WAN? And not another interface?
Can you share the contents of the config.xml section for interfaces? (you can remove or mask any IP addresses)
-
This should be what your looking for. Internal IP redacted.
<interfaces><wan><enable><if>fxp1</if> <blockpriv><blockbogons><alias-address><alias-subnet>32</alias-subnet> <spoofmac><ipaddr>dhcp</ipaddr> <dhcphostname><dhcprejectfrom><adv_dhcp_pt_timeout><adv_dhcp_pt_retry><adv_dhcp_pt_select_timeout><adv_dhcp_pt_reboot><adv_dhcp_pt_backoff_cutoff><adv_dhcp_pt_initial_interval><adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values> <adv_dhcp_send_options><adv_dhcp_request_options><adv_dhcp_required_options><adv_dhcp_option_modifiers><adv_dhcp_config_advanced><adv_dhcp_config_file_override><adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path></adv_dhcp_config_file_override></adv_dhcp_config_advanced></adv_dhcp_option_modifiers></adv_dhcp_required_options></adv_dhcp_request_options></adv_dhcp_send_options></adv_dhcp_pt_initial_interval></adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_reboot></adv_dhcp_pt_select_timeout></adv_dhcp_pt_retry></adv_dhcp_pt_timeout></dhcprejectfrom></dhcphostname></spoofmac></alias-address></blockbogons></blockpriv></enable></wan> <lan><enable><if>em0</if> <spoofmac><ipaddr>192.168.x.254</ipaddr> <subnet>24</subnet></spoofmac></enable></lan> <opt1><if>fxp2</if> <enable><ipaddr>dhcp</ipaddr> <dhcphostname><alias-address><alias-subnet>32</alias-subnet> <dhcprejectfrom><adv_dhcp_pt_timeout><adv_dhcp_pt_retry><adv_dhcp_pt_select_timeout><adv_dhcp_pt_reboot><adv_dhcp_pt_backoff_cutoff><adv_dhcp_pt_initial_interval><adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values> <adv_dhcp_send_options><adv_dhcp_request_options><adv_dhcp_required_options><adv_dhcp_option_modifiers><adv_dhcp_config_advanced><adv_dhcp_config_file_override><adv_dhcp_config_file_override_path><blockpriv><blockbogons><spoofmac></spoofmac></blockbogons></blockpriv></adv_dhcp_config_file_override_path></adv_dhcp_config_file_override></adv_dhcp_config_advanced></adv_dhcp_option_modifiers></adv_dhcp_required_options></adv_dhcp_request_options></adv_dhcp_send_options></adv_dhcp_pt_initial_interval></adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_reboot></adv_dhcp_pt_select_timeout></adv_dhcp_pt_retry></adv_dhcp_pt_timeout></dhcprejectfrom></alias-address></dhcphostname></enable></opt1> <opt2><if>fxp0</if> <spoofmac></spoofmac></opt2></interfaces>
Thanks
-
Guessing you must have an interface group named WAN?
-
@cmb:
Guessing you must have an interface group named WAN?
I just tried that, and you can name an interface group the same as an ordinary interface/description. I made and interface group called WAN and put the WAN interface in it. That makes for confusion!
I added a rule on the "WAN" interface group. It all seems to apply and there is no "error loading rules". But I suspect that PF is not going to sort out the difference between the WAN interface and the WAN interface group when parsing through the rules. Search for "confusion in the generated ruleset below - that is the rule that I added to the WAN interface group.Perhaps there should be validation checks to make sure that every interface and interface group has a unique name?
set optimization normal set limit states 198000 set limit src-nodes 198000 #System aliases loopback = "{ lo0 }" WAN = "{ re1 }" ZLAN = "{ re2 }" WAN = "{ WAN }" #SSH Lockout Table table <sshlockout>persist table <webconfiguratorlockout>persist #Snort tables table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons" table <bogonsv6>persist file "/etc/bogonsv6" table <negate_networks># User Aliases table <hostalias>{ 1.2.3.4 } HostAlias = "<hostalias>" MyPorts = "{ 4567 8901 }" table <secure_inf_org>{ 64.22.81.44/32 } secure_inf_org = "<secure_inf_org>" table <zzlan>{ 3.4.5.6 } ZZLAN = "<zzlan>" # Gateways GWWAN_DHCP = " route-to ( re1 10.49.208.250 ) " GWWAN_DHCP6 = " route-to ( re1 10.49.208.250 ) " set loginterface re2 set skip on pfsync0 scrub on $WAN all fragment reassemble scrub on $ZLAN all fragment reassemble no nat proto carp no rdr proto carp nat-anchor "natearly/*" nat-anchor "natrules/*" binat on re1 from 4.5.6.7 to any -> 9.8.7.6 binat on re1 from 4.42.22.1 to any -> 6.7.8.9 binat on re1 from 192.168.1.2 to any -> 1.2.3.5 binat on re1 from 192.168.1.3 to any -> 5.6.7.8 binat on re1 from 6.6.5.5 to any -> 8.8.7.7 binat on $WAN from 3:5::/64 to any -> 6:a::/64 binat on $WAN from any to 6:a::/64 -> 3:5::/64 binat on $WAN from 3:5::/64 to any -> 6:8::/64 binat on $WAN from any to 6:8::/64 -> 3:5::/64 binat on $WAN from 3:5::/64 to any -> 6:a::/64 binat on $WAN from any to 6:a::/64 -> 3:5::/64 binat on $WAN from 6:2::/64 to any -> 1:3::/64 binat on $WAN from any to 1:3::/64 -> 6:2::/64 # Outbound NAT rules (manual) nat on $WAN from 192.168.42.0/24 to any -> 10.49.209.3/32 port 1024:65535 nat on $WAN from 10.11.14.0/24 to any -> 10.49.209.3/32 port 1024:65535 nat on $WAN from 10.11.12.0/24 to any -> 10.49.209.3/32 port 1024:65535 nat on $WAN from 10.11.13.0/24 to any -> 10.49.209.3/32 port 1024:65535 nat on $WAN from 10.11.3.0/24 to any -> 10.49.209.3/32 port 1024:65535 # Outbound NAT rules (automatic) # Subnets to NAT tonatsubnets = "{ 127.0.0.0/8 192.168.1.0/24 }" nat on $WAN from $tonatsubnets to any port 500 -> 10.49.209.3/32 static-port nat on $WAN from $tonatsubnets to any -> 10.49.209.3/32 port 1024:65535 # Load balancing anchor rdr-anchor "relayd/*" # TFTP proxy rdr-anchor "tftp-proxy/*" # NAT Inbound Redirects rdr on re1 proto tcp from any to 10.49.209.3 port 53 -> 192.168.1.13 rdr on re1 proto tcp from any to 10.49.209.3 port $MyPorts -> 192.168.1.12 # UPnPd rdr anchor rdr-anchor "miniupnpd" anchor "relayd/*" anchor "openvpn/*" anchor "ipsec/*" # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but # route-to can override that, causing problems such as in redmine #2073 block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local" block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local" #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- block in log inet all tracker 1000000103 label "Default deny rule IPv4" block out log inet all tracker 1000000104 label "Default deny rule IPv4" block in log inet6 all tracker 1000000105 label "Default deny rule IPv6" block out log inet6 all tracker 1000000106 label "Default deny rule IPv6" # IPv6 ICMP is not auxilary, it is required for operation # See man icmp6(4) # 1 unreach Destination unreachable # 2 toobig Packet too big # 128 echoreq Echo service request # 129 echorep Echo service reply # 133 routersol Router solicitation # 134 routeradv Router advertisement # 135 neighbrsol Neighbor solicitation # 136 neighbradv Neighbor advertisement pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state # We use the mighty pf, we cannot be fooled. block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0" block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0" block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0" block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0" # Snort package block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts" block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts" # SSH lockout block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout" # webConfigurator lockout block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout" block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table" # allow our DHCPv6 client out to the WAN pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker 1000000561 label "allow dhcpv6 client in WAN" pass in quick on $WAN proto udp from any port = 547 to any port = 546 tracker 1000000562 label "allow dhcpv6 client in WAN" pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN" # block bogon networks (IPv4) # http://www.cymru.com/Documents/bogon-bn-nonagg.txt block in log quick on $WAN from <bogons>to any tracker 1000001561 label "block bogon IPv4 networks from WAN" # block bogon networks (IPv6) # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt block in log quick on $WAN from <bogonsv6>to any tracker 1000001562 label "block bogon IPv6 networks from WAN" antispoof log for $WAN tracker 1000001570 # block anything from private networks on interfaces with the option set block in log quick on $WAN from 10.0.0.0/8 to any tracker 1000001581 label "Block private networks from WAN block 10/8" block in log quick on $WAN from 127.0.0.0/8 to any tracker 1000001582 label "Block private networks from WAN block 127/8" block in log quick on $WAN from 172.16.0.0/12 to any tracker 1000001583 label "Block private networks from WAN block 172.16/12" block in log quick on $WAN from 192.168.0.0/16 to any tracker 1000001584 label "Block private networks from WAN block 192.168/16" block in log quick on $WAN from fc00::/7 to any tracker 1000001585 label "Block ULA networks from WAN block fc00::/7" # allow our DHCP client out to the WAN pass in on $WAN proto udp from any port = 67 to any port = 68 tracker 1000001591 label "allow dhcp client out WAN" pass out on $WAN proto udp from any port = 68 to any port = 67 tracker 1000001592 label "allow dhcp client out WAN" # Not installing DHCP server firewall rules for WAN which is configured for DHCP. antispoof log for $ZLAN tracker 1000002620 # allow access to DHCP server on ZLAN pass in quick on $ZLAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server" pass in quick on $ZLAN proto udp from any port = 68 to 192.168.1.1 port = 67 tracker 1000002642 label "allow access to DHCP server" pass out quick on $ZLAN proto udp from 192.168.1.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server" # loopback pass in on $loopback inet all tracker 1000003711 label "pass IPv4 loopback" pass out on $loopback inet all tracker 1000003712 label "pass IPv4 loopback" pass in on $loopback inet6 all tracker 1000003713 label "pass IPv6 loopback" pass out on $loopback inet6 all tracker 1000003714 label "pass IPv6 loopback" # let out anything from the firewall host itself and decrypted IPsec traffic pass out inet all keep state allow-opts tracker 1000003715 label "let out anything IPv4 from firewall host itself" pass out inet6 all keep state allow-opts tracker 1000003716 label "let out anything IPv6 from firewall host itself" pass out route-to ( re1 10.49.208.250 ) from 10.49.209.3 to !10.49.208.0/22 tracker 1000003811 keep state allow-opts label "let out anything from firewall host itself" # make sure the user cannot lock himself out of the webConfigurator or SSH pass in quick on re2 proto tcp from any to (re2) port { 443 80 22 } tracker 1000004121 keep state label "anti-lockout rule" # User-defined rules follow anchor "userrules/*" pass in quick on $WAN inet proto tcp from any to any tracker 1453444427 flags S/SA keep state label "USER_RULE: Rule on WAN interface group confusion" pass in quick on $WAN reply-to ( re1 10.49.208.250 ) proto tcp from any to 192.168.1.13 port 53 flags S/SA keep state label "USER_RULE: NAT A DNS port forward" pass in quick on $WAN reply-to ( re1 10.49.208.250 ) inet proto tcp from any to any tracker 1453201096 flags S/SA keep state schedule "569e16abaa2af" label "USER_RULE: Afternoon rule" block in quick on $WAN reply-to ( re1 10.49.208.250 ) inet proto tcp from any to any tracker 1453201333 flags S/SA schedule "569e16abaa2af" label "USER_RULE: Afternoon block" pass in quick on $ZLAN inet from 192.168.1.0/24 to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" # at the break! label "USER_RULE: Default allow LAN IPv6 to any rule" # schedule finished - Late night pass rule label "USER_RULE: Late night pass rule" # schedule finished - Late night block label "USER_RULE: Late night block" pass in quick on $ZLAN inet proto tcp from $ZZLAN to $ZZLAN tracker 1453202141 flags S/SA keep state label "USER_RULE: Rule with alias" pass in quick on $ZLAN inet proto icmp from any to any icmp-type echoreq tracker 1453202455 keep state label "USER_RULE: Pass echo request" pass in quick on $ZLAN inet proto tcp from 1.2.3.4 to any tracker 1453214541 flags S/SA keep state label "USER_RULE: Stuff" # VPN Rules anchor "tftp-proxy/*"</bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></zzlan></zzlan></secure_inf_org></secure_inf_org></hostalias></hostalias></negate_networks></bogonsv6></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout>
-
Yeah there should be input validation preventing interfaces from having the same name as any interface group, and groups from having the same name as any interface.
-
@cmb:
Yeah there should be input validation preventing interfaces from having the same name as any interface group, and groups from having the same name as any interface.
I created issue https://redmine.pfsense.org/issues/5795
-
I owe CMB a bear. Yes I did create an interface group called WAN, and I forgot :-[.
In general I try to put a prefix on any alias, but was prevented from doing so. I would have liked to have named it something like IG_WAN. The WI through an error for illegal character for non alpha entries. I use this naming convention on all such items when allowed.
Could/should the WI prefix all aliases with a designated 2-3 characters appropriate for entry delimited by an underscore.
Help with parsing.
Help with admin confusion.
Help locate in WI.Good catch and thanks for the help. I'm glad that some good will come from my error.
–Seth -
Thanks for the ticket Phil, and Renato for fixing.
I owe CMB a bear.
Wow, you can keep the bear. Thought I was being helpful, not inviting a deadly animal upon myself. ;D
-
I'd like to say English is my second language, but alas I can not. I can say that I'm atrocious speller. So here is your beer. [%]>
-