Bug #2132
Status: closed
Multi-wan inbound connections might cease to function when rules with forced-gateway exist on the same interface
Description
Scenario:
WAN interface WAN_TWO
There are rules on WAN_TWO with a forced gateway such as, for instance,

    pass in quick on $WAN_TWO $GWGW_OPT2 proto { tcp udp } from any to any port 1723 keep state label "USER_RULE: PPTP Access"

Coupled with this rule another one is automatically generated, with the code, I believe, related to ticket #1950, which is

    pass in quick on $WAN_TWO proto { tcp udp } from any to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy routing for destination"

and is invisible to the user accessing the web interface.
Unfortunately, all rules below the aforementioned one are overshadowed by it: since the port specification is not inserted in the automatically-generated rule, it matches any tcp/udp inbound connection on that interface, and therefore those rules cease working properly, either because the reply-to option is not specified, or because they pass when they ought to be blocked, etc.
The only option is to place the incriminated rule at the bottom of the chain. The fact, however, that the autogenerated rule isn't known to the user is a source of unintended behaviour and confusion, and is also not easy to debug.
Regards,
Fulvio Scapin
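As an added illustration (not part of this report or of pfSense's own code), the following Python model of pf's first-match "quick" evaluation reproduces the shadowing described above: with the auto-generated NEGATE_ROUTE rule lacking a port match, every later rule on WAN_TWO is unreachable, while carrying the port 1723 match over to it (an assumed fix, not the one pfSense shipped) makes the later rules reachable again. The block-SSH and pass-HTTPS rules are constructed for the example, and packet destinations are assumed to fall inside <negate_networks>.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:
    label: str
    protos: FrozenSet[str]        # e.g. frozenset({"tcp", "udp"})
    dport: Optional[int]          # None = any port (the bug: port not inserted)
    action: str = "pass"
    quick: bool = True            # pfSense user rules are generated with 'quick'

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int                    # destination assumed inside <negate_networks>

def matches(rule: Rule, pkt: Packet) -> bool:
    return pkt.proto in rule.protos and rule.dport in (None, pkt.dport)

def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf evaluation: the first matching 'quick' rule ends the search;
    otherwise the last matching rule wins."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            if r.quick:
                return r
            winner = r
    return winner

def shadowed_by(rules: List[Rule], idx: int) -> List[str]:
    """Labels of rules after rules[idx] that can never be reached because
    rules[idx] is quick and matches a superset of their proto/port traffic."""
    broad = rules[idx]
    return [r.label for r in rules[idx + 1:]
            if broad.quick and r.protos <= broad.protos
            and broad.dport in (None, r.dport)]

TCP_UDP = frozenset({"tcp", "udp"})

def ruleset(negate_port: Optional[int]) -> List[Rule]:
    """WAN_TWO rules as in the report (plus two constructed rules below them);
    negate_port=None reproduces the NEGATE_ROUTE rule without a port match."""
    return [
        Rule("USER_RULE: PPTP Access", TCP_UDP, 1723),          # forced gateway
        Rule("NEGATE_ROUTE", TCP_UDP, negate_port),             # auto-generated
        Rule("USER_RULE: block SSH", frozenset({"tcp"}), 22, action="block"),
        Rule("USER_RULE: pass HTTPS", frozenset({"tcp"}), 443),
    ]

BUGGY = ruleset(None)     # as reported: NEGATE_ROUTE matches any tcp/udp port
FIXED = ruleset(1723)     # assumed fix: NEGATE_ROUTE inherits the port match
```

`shadowed_by(BUGGY, 1)` lists both constructed rules as unreachable, and a TCP/22 packet that should be blocked is passed by NEGATE_ROUTE; with `FIXED` the list is empty and the block rule fires.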