Bug #13047
closed
Firewall rules on WireGuard interfaces ignored, state counters not updating and always show 0/0
Description
Firewall rules added to "WireGuard" are processed, but rules added to specific interfaces are ignored.
This issue is repeatable and has been tested on 4 machines, each running pfSense Plus 22.02 and the latest WireGuard package (0.1.6_1).
Updated by Jim Pingle over 2 years ago
- Status changed from New to Not a Bug
Group rules (such as the WireGuard tab) are processed before per-interface rules. Assigned WireGuard interfaces are still members of the group, so there is no opportunity to match the interface rules so long as the packet matches a group rule.
Disable the group rule or scope it better so that it does not match the addresses on the assigned WireGuard interface and then it will match the interface rule(s).
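The precedence described in the comment above, as a simplified model (an added example, not part of the original thread and not pfSense code). It assumes rules reduced to IPv4 source and destination networks with first-match-wins evaluation; the rule labels and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    label: str
    action: str   # "pass" or "block"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR

def _net(cidr):
    return ipaddress.ip_network(cidr)

def matches(rule, src_ip, dst_ip):
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst))

def evaluate(group_rules, iface_rules, src_ip, dst_ip):
    """Group-tab rules are checked first; the first matching rule decides."""
    for rule in [*group_rules, *iface_rules]:
        if matches(rule, src_ip, dst_ip):
            return rule
    return None  # no user rule matched

def shadowed(group_rules, iface_rules):
    """Interface rules fully covered by one group rule, so they can never match.
    Partial overlaps are not reported by this simplified check."""
    return [(i.label, g.label)
            for i in iface_rules for g in group_rules
            if _net(i.src).subnet_of(_net(g.src)) and _net(i.dst).subnet_of(_net(g.dst))]

# Constructed sample rules (addresses and labels are made up for illustration).
BROAD_GROUP = [Rule("wg-group-allow-all", "pass", "0.0.0.0/0", "0.0.0.0/0")]
SCOPED_GROUP = [Rule("wg-group-roadwarrior", "pass", "10.7.0.0/24", "0.0.0.0/0")]
IFACE = [Rule("site-a-block-lan", "block", "10.6.0.0/24", "192.168.10.0/24"),
         Rule("site-a-allow-rest", "pass", "10.6.0.0/24", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, group in (("broad", BROAD_GROUP), ("scoped", SCOPED_GROUP)):
        hit = evaluate(group, IFACE, "10.6.0.5", "192.168.10.20")
        print(name, "->", hit.label, hit.action, "| shadowed:", shadowed(group, IFACE))
```

With the broad group rule, the interface block rule is never reached; once the group rule is scoped to a different source network, the interface rule decides.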
Updated by Adam Goldberg over 2 years ago
- File Disabled.png added
- File Ignored.png added
This likely needs to be re-opened. Even with the group rule removed and also disabled, interface rules are ignored.
Updated by Jim Pingle over 2 years ago
I can't reproduce that here on snapshots. I have no group rules, only rules on assigned WG interfaces. Traffic passes exactly as expected and there is data on the counters.
Updated by Adam Goldberg over 2 years ago
Thanks, just tested on snapshots and I can confirm this works as expected on 22.05 snapshots. It does not appear to work on 22.02.