pfSense

There is similar code in filter.inc and captiveportal.inc for these rules. The code in filter.inc generates rules for pf, captiveportal.inc for ipfw. The code is nearly identical except for a few different intermediate steps specific to the respective filters.

https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/filter.inc#L2947
https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/captiveportal.inc#L492

Sometimes the code in filter.inc manages to collect the interface IP addresses, IP Alias VIPs and CARP VIPs, but other times it fails the same way as the code in captiveportal.inc

For example:

: grep 800 /tmp/rules.debug
pass in  quick on { em1 } proto tcp from any to { 192.168.71.2 192.168.71.1 1.2.3.4 } port { 8003 8002 } tracker 1000000551 keep state(sloppy)

: grep 800 /tmp/rules.debug
pass in  quick on { em1 em1 } proto tcp from any to { 192.168.71.2 192.168.71.2 } port { 8003 8002 } tracker 1000000551 keep state(sloppy)

There is apparently a much deeper issue here than anticipated.

Applied in changeset 6538d22fcb8068b276585b6cc2b4f7b9b0c58829.

Jim P wrote:

Applied in changeset 6538d22fcb8068b276585b6cc2b4f7b9b0c58829.

This resolved the issue for me, tested on PFSense 2.2.4 x64. Thanks!

A note on my previous comment:

First this fix didn't work, these rules were missing (in 'ipfw -x 2 show'):

allow ip from any to { 255.255.255.255 or 192.168.X.253 or 192.168.X.1 } in
allow ip from { 255.255.255.255 or 192.168.X.253 or 192.168.X.1 } to any out
allow icmp from { 255.255.255.255 or 192.168.X.253 or 192.168.X.1 } to any out icmptypes 0
allow icmp from any to { 255.255.255.255 or 192.168.X.253 or 192.168.X.1 } in icmptypes 8

Missing these rules means that everything is allowed through the captive portal. I had to disable the captive portal, click save, enable it again and hit save once more.