Project

General

Profile

Actions
Copy link

Feature #10446

open

VIP address is not shown in firewall rules

Added by Silmor Senedlen about 4 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
04/09/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Good day
I noticed that VIP address(Type: IP Alias) is not shown in Source/Destination drop-down menu in Firewall rules.
At the same time it is displayed in NAT >> Port Forward rules in Source/Destination drop-down menu.

Example in attached screenshots.

2.4.5-RELEASE (amd64)

Files

Download all files
pfSense_PortForward_Rules.png (66.4 KB) pfSense_PortForward_Rules.png Silmor Senedlen, 04/09/2020 09:36 AM
pfSense_Firewall_Rules.png (65.5 KB) pfSense_Firewall_Rules.png Silmor Senedlen, 04/09/2020 09:36 AM
Actions
Copy link
 #1

Updated by Jim Pingle about 4 years ago

  • Tracker changed from Bug to Feature
  • Category changed from Virtual IP Addresses to Rules / NAT
  • Priority changed from Normal to Very Low
  • Affected Version deleted (2.4.5)

It's not a bug, but perhaps a feature request.

It's generally not necessary on firewall rules because they don't have the same requirements that need to be met by NAT rules. Firewall rules can match anything, whereas NAT rules require VIPs (in most cases) when not used with interface addresses.

Plus, if you're using NAT on a VIP, you wouldn't use the VIP address in a firewall rule anyhow.

Actions
Copy link
 #2

Updated by Silmor Senedlen about 4 years ago

Jim Pingle wrote:

It's not a bug, but perhaps a feature request.

OK, let it be a feature request.
I think it would be nice to be able to select VIP address from list(which automatically update it's value when it will be changed in Firewall >> Virtual IPs section) instead of specifying static value.

Actions
Copy link
 #3

Updated by Corey Boyle over 3 years ago

Would be nice for controlling access to local services like HAProxy.

Actions
Copy link
 #4

Updated by Silmor Senedlen almost 2 years ago

Silmor Senedlen wrote in #note-2:

I think it would be nice to be able to select VIP address from list(which automatically update it's value when it will be changed in Firewall >> Virtual IPs section) instead of specifying static value.

Is there any hope that this will be implemented?

Actions
Copy link
 #5

Updated by Marcos M almost 2 years ago

Silmor Senedlen wrote in #note-4:

Silmor Senedlen wrote in #note-2:

I think it would be nice to be able to select VIP address from list(which automatically update it's value when it will be changed in Firewall >> Virtual IPs section) instead of specifying static value.

Is there any hope that this will be implemented?

Better to stick with using aliases. VIPs are more for service bindings.

Actions
Copy link
 #6

Updated by Silmor Senedlen almost 2 years ago

Marcos Mendoza wrote in #note-5:

Better to stick with using aliases. VIPs are more for service bindings.

This will require maintaining and making changes to 2 entities at once instead of one.
Considering that in both sections(NAT & Rules) there is an opportunity to select an entity with an interface address, I believe that it would be just as logical to make VIP available for selection in both sections(NAT & Rules).

Is the reason а principled position or is it due to the fact that such a implementation will require a lot of code changes?

Actions
Copy link

Also available in: Atom PDF