Feature #2676: Reply-to option in firewall rule - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #2676

open

Reply-to option in firewall rule

Added by Miroslav Novotný about 12 years ago. Updated 10 months ago.

Status:

New

Priority:

Low

Assignee:

Category:

Rules / NAT

Target version:

Future

Start date:

11/09/2012

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Description

Hello,

I am trying to configure network scenario with multiple path to LAN network (with public IP addresses). I need to put the "reply-to" option into my firewall rules to routing the outcoming traffic back to internal router correctly. Unfortunately there is no way how to do this in PfSense GUI.

Suggested fix: Add "Reply Gateway" (or something like that) into "Advanced Features" section in a firewall rule. It should work similarly to "Gateway" feature which creates "route-to" option except the "reply-to" option is placed in the rule.

Thx,
Mirek

Files

Drawing1.png (28.4 KB) Drawing1.png

Miroslav Novotný, 11/09/2012 02:36 AM

History
Notes
Property changes

Actions

Copy link

Updated by Ermal Luçi about 12 years ago

Can you describe this more since its a bit of strange unless you have not the same subnet on multiple cards.

Actions

Copy link

Updated by Miroslav Novotný about 12 years ago

File Drawing1.png Drawing1.png added

It should be more clear from the attached picture.

The network 1.1.1.0/26 should be reachable from the Internet and both routers (10.0.0.6 and 10.0.0.13) should work in a failover mode.

There is no problem with incoming connection to 1.1.1.0/26 network. I have created the Gateway Groups (10.0.0.6 and 10.0.0.13) and the firewall rule on the uplink interface matching with packets with the destination in 1.1.1.0/26 with the gateway option set on this Gateway group. It's work as expected.

But, if some host in the 1.1.1.0/26 network initializes connection to the Internet, the reply packets are not routed to the live member of the Gateway Groups. After some research I've came up with the solution. I have created the firewall rule on the internal interface matching with packets with the source in 1.1.1.0/26 network and destination in the Internet with the reply-to option set on one of the gateway.

It's work. Unfortunately this cannot be set in the PfSense GUI and I lost the Failover functionality provided by Gateway Groups.

Actions

Copy link

Updated by Jeremiejig . over 7 years ago

Hello,

I'm also interested in this feature, for another use.

I need this feature to allow sslh (https://github.com/yrutschle/sslh#transparent-proxy-support) to spoof the src address for transparent proxying.

For that to work correctly I need to put a reply-to $GWsslh_server to get back the traffic to sslh.

For now I use the Anchor userrules to add this rules:

pass in quick log on $ZONE_WITH_SSLH reply-to ( vtnet1_vlan21 $sslh_server ) inet proto tcp from any to $openvpnserver port 1194 tracker 40002001 flags S/SA keep state label "USER_RULE: sslproxy openvpn" pass in quick log on $ZONE_WITH_SSLH reply-to ( vtnet1_vlan21 $sslh_server ) inet proto tcp from any to $https_server1 port 443 tracker 40002002 flags S/SA keep state label "USER_RULE: sslproxy web server 1" pass in quick log on $ZONE_WITH_SSLH reply-to ( vtnet1_vlan21 $sslh_server ) inet proto tcp from any to $https_server2 port 443 tracker 40002003 flags S/SA keep state label "USER_RULE: sslproxy web server 2"

I didn't get this scenario to work with route-to, as I didn't get to match any rules with SA tcp packet.
Also the reply-to method seems more proper (only one rules instead of a pair of two with route-to `if it works`)

Regards,
jeremiejig

Actions

Copy link

Updated by Billy Yao almost 2 years ago

Upvote for this request.
We have a rare scenario that requires this reply-to been added to some of the firewall rules. and the GUI does not provide that so far.
So I'm dynamically modify the dumped rules at /tmp/rules.debug to add the 'reply-to' to some of our rules then use pfctl -f to apply it.

If the GUI could provide a way to force add this reply-to when creating the rules. that will be great!

Actions

Copy link

Updated by Marcos M 10 months ago

Status changed from New to Rejected

From what I can tell, the referenced scenarios would be solved by adding a gateway to the interface. This is the currently supported way of using reply-to. When an exception is needed on interfaces with gateways, an option is available per rule to disable reply-to. If there's a scenario that is not covered by this, the feature can be reconsidered.

Actions

Copy link

Updated by Jim Pingle 10 months ago

Status changed from Rejected to New
Priority changed from Normal to Low

There are some scenarios where it would be nice to have the ability to force reply-to to use a specific value and not be automatic. For example, cases with multiple gateways on the same interface, or certain VPNs that may not have the exact expected behavior with the automatic settings.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Feature #2676

Reply-to option in firewall rule

Updated by Ermal Luçi about 12 years ago

Updated by Miroslav Novotný about 12 years ago

Updated by Jeremiejig . over 7 years ago

Updated by Billy Yao almost 2 years ago

Updated by Marcos M 10 months ago

Updated by Jim Pingle 10 months ago