Correction #12535

open

Negate Rules function does not match the description

Added by Steve Wheeler about 1 year ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Firewall Rules
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Originally the automatic Negate Network rules were intended to negate policy routing for locally connected subnets and VPN connected subnets.

Some time ago that appears to have changed to only VPN connected subnets. Probably here:
https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/b4227df690fb7a989ead9b3928ebaaaa34b495eb/diff/etc/inc/filter.inc

However the description of that function in the docs refers to both.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-disablenegaterules

In a Multi-WAN configuration traffic for directly connected networks and VPN networks typically must still flow properly when using policy routing. The firewall will insert rules to pass this local and VPN traffic without a gateway specified, to maintain connectivity.

https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html

Rules are added automatically to negate policy routing for traffic destined to remote VPN subnets, but they do not always have the intended effect.

The actual intended function of those rules needs clarification and the docs updated to match that.

#1

Updated by Jim Pingle 10 months ago

  • Related to Todo #13058: Add static routes and directly connected networks back to policy route negation rules added

#2

Updated by Jim Pingle 7 months ago

  • Tracker changed from Documentation to Correction
  • Project changed from pfSense to pfSense Docs
  • Category changed from Routing to Firewall Rules
  • Target version deleted (CE-Next)
  • Plus Target Version deleted (Plus-Next)
  • Affected Version deleted (All)