17.1 Legacy Series / IPSEC fw rules don't trigger
« on: January 21, 2017, 11:46:05 pm »
Hi guys,
Another odd issue I came across; the scenario is as follows:
APU2 running OPNsense 16.7.13-amd64 on FreeBSD 10.3-RELEASE-p14, connected via an IPSEC v2 LAN to LAN tunnel with a:
Soekris 5501-70 running OPNsense 17.1.r1-i386 on FreeBSD 11.0-RELEASE-p5
Tunnel seems to be up at the time when I'm making my tests - this is confirmed by seeing the traffic on the Soekris box in the fw log; both boxes' configs have appropriate rules for allowing ICMP from a number of networks (using aliases) to networks TCP;ICMP;
The log confirms that pings arrived at the remote box and got blocked; clicking on the green arrow in the log entry creates an easy rule and even after filter reload, all ping attempts get blocked.
Note that the same applies to all (around 10) rules within the IPSEC tab - most rely on aliases for source/destination/dest.port but two are IP -> IP / any and those don't work either.
No other 17.1 boxes (have 2 more but diff hw/vm and on 10.3 instead) display the same behavior.