Documentation #12535

open

Negate Rules function does not match the description

Added by Steve Wheeler 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Routing
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Affected Version:
All

Description

Originally the automatic Negate Network rules were intended to negate policy routing for locally connected subnets and VPN connected subnets.

Some time ago that appears to have changed to only VPN connected subnets. Probably here:
https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/b4227df690fb7a989ead9b3928ebaaaa34b495eb/diff/etc/inc/filter.inc

However, the description of that function in the docs refers to both.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-disablenegaterules

In a Multi-WAN configuration traffic for directly connected networks and VPN networks typically must still flow properly when using policy routing. The firewall will insert rules to pass this local and VPN traffic without a gateway specified, to maintain connectivity.

https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html

Rules are added automatically to negate policy routing for traffic destined to remote VPN subnets, but they do not always have the intended effect.

The actual intended function of those rules needs clarification and the docs updated to match that.
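Added illustration, not part of the issue and not pfSense's own filter.inc code: a small Python model of first-match ("quick") rule evaluation that shows why the scope of the automatic negate rules matters under policy routing. The subnets, gateway name and rule labels are constructed assumptions. A negate rule is a pass rule with no gateway placed ahead of the policy-routing rule; whichever subnets it covers are exempt from policy routing, and any it omits (here, the directly connected LAN when only VPN subnets are negated) get sent to the policy gateway instead.

```python
import ipaddress

# Constructed sample topology (assumption, not taken from the issue).
LOCAL_SUBNETS = ["192.168.1.0/24"]   # directly connected LAN
VPN_SUBNETS = ["10.8.0.0/24"]        # remote VPN subnet
POLICY_GATEWAY = "WAN2_GW"           # gateway set on the user's policy-routing rule


def build_ruleset(negate_local: bool, negate_vpn: bool):
    """Build an ordered, first-match ruleset modelled on the behaviour the
    docs describe: automatic negate rules (pass, no gateway) come first,
    then the user's policy-routing rule (pass any, with a gateway).

    negate_local / negate_vpn select which subnets the negate rules cover,
    so the two behaviours discussed in the issue can be compared.
    """
    rules = []
    if negate_local:
        for net in LOCAL_SUBNETS:
            rules.append({"dst": ipaddress.ip_network(net),
                          "gateway": None, "label": "negate-local"})
    if negate_vpn:
        for net in VPN_SUBNETS:
            rules.append({"dst": ipaddress.ip_network(net),
                          "gateway": None, "label": "negate-vpn"})
    # Catch-all policy-routing rule, e.g. "pass from LAN to any gateway WAN2_GW".
    rules.append({"dst": ipaddress.ip_network("0.0.0.0/0"),
                  "gateway": POLICY_GATEWAY, "label": "policy-route"})
    return rules


def first_match(rules, dst_ip: str):
    """Return the first rule whose destination contains dst_ip (pfSense
    rules are generated with 'quick', so the first match wins)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip in rule["dst"]:
            return rule
    return None


def route_decision(dst_ip: str, negate_local: bool, negate_vpn: bool):
    """Return (matched label, gateway) for traffic to dst_ip under the
    chosen negate-rule scope. gateway is None when the packet is simply
    passed to the system routing table instead of being policy routed."""
    rule = first_match(build_ruleset(negate_local, negate_vpn), dst_ip)
    return rule["label"], rule["gateway"]


if __name__ == "__main__":
    for dst in ("192.168.1.10", "10.8.0.5", "203.0.113.9"):
        both = route_decision(dst, negate_local=True, negate_vpn=True)
        vpn_only = route_decision(dst, negate_local=False, negate_vpn=True)
        print(f"{dst:15} local+VPN negated -> {both}   VPN only negated -> {vpn_only}")
```

With both scopes negated, traffic to the LAN and to the VPN subnet is passed without a gateway; with only VPN subnets negated, traffic to the directly connected LAN falls through to the policy-routing rule and is handed to WAN2_GW, which is the behavioural difference the issue asks to have clarified in the docs.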
