Bug #10726 (open)

Sticky-connections option is bugged - sticky-address cannot be redefined

Added by Fritz Lakritz almost 4 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/04/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture:

Description

As already described in https://forum.netgate.com/topic/154821/strange-firewall-rules-behaviour-with-sticky-connections, sticky connections are bugged.

The setup is:
pfSense 2.4.5_p1, a WAN PPPoE gateway, and a gateway group with 3 OpenVPN gateways, all of them Tier 1 (load balancing). If sticky connections are enabled and the gateways are connected, I get the error "There were error(s) loading the rules: /tmp/rules.debug:928: sticky-address cannot be redefined" on ICMP rules.

```
There were error(s) loading the rules: /tmp/rules.debug:928: sticky-address cannot be redefined - The line in question reads [928]: pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1568891569 keep state label "USER_RULE: Allow defined ICMP"
@ 2020-06-26 12:28:12
```

This is the rule:
```xml
<rule>
<id></id>
<tracker>1568891569</tracker>
<type>pass</type>
<interface>opt2</interface>
<ipprotocol>inet</ipprotocol>
<tag>vpntraffic</tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>icmp</protocol>
<icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
<source>
<address>network_guest_vpn</address>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[Allow defined ICMP]]></descr>
<gateway>VPN_Gateway</gateway>
<created>
<time>1568891569</time>
<username><![CDATA[ (Local Database)]]></username>
</created>
<updated>
<time>1579638983</time>
<username><![CDATA[ (Local Database)]]></username>
</updated>
</rule>
```

The firewall rule should be okay; it works really well without sticky connections. Then I just tried deleting my rule to see what happens; I have nearly the same rule for another interface too. As soon as I deleted it, the next rule showed an error.

```
There were error(s) loading the rules: /tmp/rules.debug:1015: sticky-address cannot be redefined - The line in question reads [1015]: pass in quick on $VLAN_PRIVATE $GWVPN_Gateway inet proto icmp from $network_private_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1579638453 keep state label "USER_RULE: Allow defined ICMP"
@ 2020-06-26 12:38:37
```

This is the rule:
```xml
<rule>
<id></id>
<tracker>1579017667</tracker>
<type>pass</type>
<interface>opt3</interface>
<ipprotocol>inet</ipprotocol>
<tag>nonvpntraffic</tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>icmp</protocol>
<icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
<source>
<address>network_private</address>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[Allow defined ICMP]]></descr>
<gateway>WAN_PPPOE</gateway>
<created>
<time>1579017667</time>
<username><![CDATA[ (Local Database)]]></username>
</created>
<updated>
<time>1579638306</time>
<username><![CDATA[ (Local Database)]]></username>
</updated>
</rule>
```
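The pf parser raises "sticky-address cannot be redefined" when a rule ends up carrying that pool option more than once after macro expansion, which is not visible in the unexpanded `$GWVPN_Gateway` line that pfSense quotes back. The checker below is an added example, not pfSense code and not part of this report: it expands the `name = "value"` macros of a rules.debug-style file the way pfctl would and flags any `pass`/`block`/`match` line that repeats a pool option. The sample input is constructed for the example; the macro name `GWVPN_Gateway` and the two rule lines are taken from the report, while the macro bodies, interface names, networks and the deliberately doubled `sticky-address` inside `GWVPN_Gateway` are assumptions that reproduce the error condition, not a statement of what pfSense actually generates.

```python
import re
import sys

# Constructed sample in the shape of a pfSense /tmp/rules.debug file: macro
# definitions first, rules after. Macro bodies, interface names and networks
# are invented for this example. The doubled "sticky-address" in
# GWVPN_Gateway is a constructed reproduction of the condition pf rejects,
# not a claim about what pfSense emits; the rule lines mirror the report.
SAMPLE_RULES_DEBUG = """\
# Gateways
GWWAN_PPPOE = " route-to ( pppoe0 203.0.113.1 ) "
GWVPN_Gateway = " route-to { ( ovpnc1 10.8.0.1 ), ( ovpnc2 10.8.1.1 ), ( ovpnc3 10.8.2.1 ) } round-robin sticky-address sticky-address "
VLAN_GUEST = "vlan20"
VLAN_PRIVATE = "vlan30"
network_guest_vpn = "10.20.0.0/24"
network_private = "10.30.0.0/24"

pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1568891569 keep state label "USER_RULE: Allow defined ICMP"
pass in quick on $VLAN_PRIVATE $GWWAN_PPPOE inet proto icmp from $network_private to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "nonvpntraffic" tracker 1579017667 keep state label "USER_RULE: Allow defined ICMP"
"""

# Pool options that pf.conf(5) allows at most once per rule; pf's parser
# rejects a repeat with "<option> cannot be redefined" (the report shows the
# sticky-address case).
POOL_OPTIONS = ("sticky-address", "round-robin", "bitmask", "random",
                "source-hash", "static-port")

MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(.*)"\s*$')
RULE_RE = re.compile(r'^\s*(pass|block|match)\b')
REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def parse_macros(text):
    """Collect `name = "value"` macro definitions in file order."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros, depth=0):
    """Replace $name references, re-running so macros that cite macros resolve too.

    Undefined names are left as written, which is also how they would show up
    in pfctl's own error output.
    """
    if depth > 16:
        raise ValueError("macro expansion nested too deeply (self-reference?)")
    expanded = REF_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), line)
    if expanded == line:  # nothing substituted in this pass
        return expanded
    return expand(expanded, macros, depth + 1)


def redefined_pool_options(text):
    """Return (line_number, option, expanded_rule) for each rule that repeats a pool option."""
    macros = parse_macros(text)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not RULE_RE.match(line):
            continue
        expanded = expand(line, macros)
        tokens = expanded.split()
        for opt in POOL_OPTIONS:
            if tokens.count(opt) > 1:
                findings.append((lineno, opt, expanded))
    return findings


if __name__ == "__main__":
    # Pass a copied /tmp/rules.debug as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_DEBUG
    for lineno, opt, rule in redefined_pool_options(text):
        print(f"line {lineno}: '{opt}' appears more than once after macro expansion")
        print("    " + rule)
```

Run it against a copy of /tmp/rules.debug taken from the firewall to see which macro carries the duplicated option; the authoritative check remains `pfctl -nvf /tmp/rules.debug` on the box, which parses the file without loading it and reports the same error pf would at rule-load time.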
