Project

General

Profile

Actions

Bug #13045

open

Firewall floating rules ignore WireGuard traffic

Added by Adam Goldberg almost 2 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
WireGuard
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

When adding a floating rule to apply a limiter targeting traffic on a WireGuard interface, the rule is ignored.

Add a new rule:

Action: pass
Interface: WG0
Direction: out
Gateway: WG0_GW
In/Out Pipe: WGDownQ / WGUpQ

Counters show 0 / 0 for states and traffic regardless of rule order, direction, or gateway specified.

Additionally, if a rule is added on a WAN interface targeting the IP of a remote wireguard peer, the rule is ignored only when a WireGuard peer is active for that same IP.

Action: pass
Interface: WAN
Direction: out
Source (or Destination): address x.x.x.x
Gateway: WAN_GW
In/Out Pipe: WANDownQ / WANUpQ

Counters show 0 / 0 for states and traffic regardless of rule order, direction, or gateway specified.


Files

clipboard-202210041103-kkxlg.png (91.5 KB) clipboard-202210041103-kkxlg.png → luckman212, 10/04/2022 10:03 AM
Actions #1

Updated by → luckman212 over 1 year ago

Any further updates here?

Actions #2

Updated by → luckman212 over 1 year ago

Christian McDonald can you comment on whether rules (specifically block rules) are working for assigned Wireguard interfaces, or Floating Rules? I'm having a heck of a time with trying to lock one of my site-to-site tunnels to a specific WAN: Block Wireguard site-to-site traffic via a certain WAN

I'm not running 22.11 yet, but will happily test if there are any important changes there that might affect this.

Actions #3

Updated by → luckman212 over 1 year ago

edit: I was able to make it work for now by making sure to kill states and then having this pair of quick/block floating rules (one for each direction)

Actions

Also available in: Atom PDF