Bug #5476
Does not appear possible to use policy routing for traffic originating from the firewall (self)
Status: closed
Description
Summary of the issue:
- Despite https://doc.pfsense.org/index.php/What_are_Floating_Rules stating that "Floating Rules can: Filter traffic from the firewall itself", it does not seem to work in real-world testing.
- I have replicated this with multiple test units, both hardware and virtual machines, and was able to replicate this behavior on 2.2.4 and 2.2.5 (I have not tested 2.3).
Repro:
- Set up a pfSense 2.2.5 with 2 WAN uplinks.
- Set up a gateway group called "Failover" containing these in a Tier 1 -> Tier 2 failover arrangement.
- Create a floating rule with the following settings:
  - action: pass
  - interface: (none selected, or ALL selected)
  - direction: out
  - TCP/IP version: IPv4
  - protocol: any
  - source: This Firewall (self)
  - destination: any
  - under Advanced -> Gateway, choose the "Failover" gateway group
- Edit the "default allow" rule (last rule on the LAN interface) so that it also uses the Failover gateway group (Advanced -> Gateway).
- SSH or console to the firewall.
- ping 8.8.8.8
- From a computer attached to the pfSense LAN, start a 2nd ping to 8.8.8.8.
- Pull the WAN1 connection.
- Pings on the pfSense console will time out and NOT recover.
- The computer attached to the LAN will recover and its traffic will fail over to the Tier 2 gateway.
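A console-side check for the repro above, added here as an example (it is not part of this report or of pfSense): run it on the firewall while pulling WAN1 and it logs whether the firewall's own pings recover and which gateway the kernel is currently using for the target. It assumes FreeBSD ping(8)/route(8) as shipped with pfSense 2.2.x; the target address and probe interval are assumptions.

```shell
#!/bin/sh
# Monitor firewall-originated reachability during a multi-WAN failover test.
# Constructed example, not pfSense code. Target and interval are assumptions.
TARGET="${TARGET:-8.8.8.8}"
INTERVAL="${INTERVAL:-5}"

# Classify a ping summary line such as
#   "3 packets transmitted, 0 packets received, 100.0% packet loss"
# as UP, DEGRADED, DOWN or UNKNOWN. Pure shell so it can be tested offline;
# the regex accepts both FreeBSD and Linux summary formats.
classify_loss() {
    loss=$(printf '%s\n' "$1" | sed -n 's/.*, \([0-9.]*\)% packet loss.*/\1/p')
    case "$loss" in
        "")         echo UNKNOWN ;;
        100|100.0)  echo DOWN ;;
        0|0.0)      echo UP ;;
        *)          echo DEGRADED ;;
    esac
}

# One probe: 3 echo requests with a 5 s overall deadline (FreeBSD ping -t),
# plus the kernel's current route for the target, logged to stderr so the
# caller can still capture the state on stdout.
probe_once() {
    summary=$(ping -c 3 -t 5 "$TARGET" 2>/dev/null | grep 'packet loss')
    state=$(classify_loss "$summary")
    gw=$(route -n get "$TARGET" 2>/dev/null | awk '/gateway:/ {print $2}')
    printf '%s target=%s state=%s gateway=%s\n' \
        "$(date '+%H:%M:%S')" "$TARGET" "$state" "${gw:-none}" >&2
    echo "$state"
}

# Loop and report state transitions. In the report's scenario you should see
# UP -> DOWN when WAN1 is pulled; the bug is that DOWN never returns to UP for
# self-originated traffic, while a LAN host behind the firewall recovers.
monitor() {
    prev=""
    while :; do
        cur=$(probe_once)
        if [ -n "$prev" ] && [ "$cur" != "$prev" ]; then
            echo "TRANSITION: $prev -> $cur" >&2
        fi
        prev=$cur
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "sh monitor.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then monitor; fi
```

Compare the console transitions with the LAN host's ping at the same moment; a persistent DOWN on the console while the LAN host is back to UP reproduces the behaviour described above.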
Some reasons this is important are:
- When these multi-WAN failures occur, pfSense is unable to do DNS lookups or send SMTP emails because it has no working gateway.
- The "Allow default gateway switching" option cannot be used, because sometimes a gateway is for internal routing, not a true "WAN", and does not have internet access.
- I believe others on the forums have noted that this bug also affects Squid, as that proxies traffic through the firewall and is thus susceptible to this routing bug.
More details and discussion at https://forum.pfsense.org/index.php?topic=102053.0