I have a RB4011iGS+ and have setup one of the ethernet interfaces as 192.168.88.253 and connected to that interface is a device with IP 192.168.88.1
I have setup a forwarding rule to pass all packets going in and out that interface (ether10). But this rule never matches, and I log the failure as shown below.
I see that the interfaces for this packet (input and output) are both "unknown" in the log. Why? I need to match my firewall rule based on source interface (ether10) but if the interface is never recognized as ether10 then the rule won't work. What's wrong here? Why is the interface name (port) missing?
Firewall rule can't match packet by interface
You do not have the required permissions to view the files attached to this post.
Re: Firewall rule can't match packet by interface
No idea without seeing the config.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, VPN keys etc.)
/export file=anynameyouwish ( minus router serial number, any public WANIP information, VPN keys etc.)
Re: Firewall rule can't match packet by interface
I'm afraid to post that as :
1. It's embarassingly ugly (I learned how to setup a firewall on this box)
2. I'm afraid I will accidentally let something private slip into the output that now the whole internet can get into my firewall.
3. I've put lots of comment that mention my customer names etc...and would have to strip all that out.
Can I post just the interfaces, addresses, and routing table as below? (probably not enough, but maybe you see something stupid there already)
1. It's embarassingly ugly (I learned how to setup a firewall on this box)
2. I'm afraid I will accidentally let something private slip into the output that now the whole internet can get into my firewall.
3. I've put lots of comment that mention my customer names etc...and would have to strip all that out.
Can I post just the interfaces, addresses, and routing table as below? (probably not enough, but maybe you see something stupid there already)
Code: Select all
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; Internal general network
0 172.31.254.1/24 172.31.254.0 bridge1-internal
1 172.31.250.1/24 172.31.250.0 ether5-wifilink
2 172.31.253.1/24 172.31.253.0 vlan10-Voice
3 172.31.252.1/24 172.31.252.0 vlan30-entertainment
4 172.31.251.1/24 172.31.251.0 vlan20-cameras
5 172.31.249.1/24 172.31.249.0 vlan40-guestwifi
;;; Road warrior WireGuard interface
6 172.31.247.1/24 172.31.247.0 wgRoadWarriors
;;; Mobile Hotspot Client Network
7 172.31.246.1/32 172.31.246.1 ether10-externalbackup
8 D x.x.x.x/27 x.x.x.x ether1-externalprimary
9 D 192.168.88.253/24 192.168.88.0 ether10-externalbackup
10 D 10.6.0.1/32 10.6.0.1 ether1-externalprimary
# DST-ADDRESS GATEWAY DISTANCE
0 Xs 172.31.232.0/24 l2tp-tunnel-from-XXXXX 1
1 Xs 172.31.246.0/24 172.31.246.1 1
DAd 0.0.0.0/0 x/x/x/x 1
;;; HOST-ON-WAN-PRIMARY
2 As 1.1.1.1/32 x.x.x.x 1
;;; HOST-ON-WAN-BACKUP
3 As 9.9.9.9/32 x.x.x.x 1
DAc 10.6.0.1/32 ether1-externalprimary 0
DAc x.x.x.x/27 ether1-externalprimary 0
4 As 172.31.231.0/24 172.31.247.2 2
5 As 172.31.232.0/24 172.31.247.2 2
6 As 172.31.233.0/24 172.31.247.2 2
7 As 172.31.234.0/24 172.31.247.2 2
8 As 172.31.235.0/24 172.31.247.2 2
9 IsH 172.31.246.0/24 172.31.246.1 1
DAc 172.31.246.1/32 ether10-externalbackup 0
DAc 172.31.247.0/24 wgRoadWarriors 0
DAc 172.31.249.0/24 vlan40-guestwifi 0
DAc 172.31.250.0/24 ether5-wifilink 0
DAc 172.31.251.0/24 vlan20-cameras 0
DAc 172.31.252.0/24 vlan30-entertainment 0
DAc 172.31.253.0/24 vlan10-Voice 0
DAc 172.31.254.0/24 bridge1-internal 0
0 R ether1-externalprimary ether 1500 1592 9578 08:55:31:06:F4:73
1 RS ether2-internal ether 1500 1592 9578 08:55:31:06:F4:74
2 XS ether3 ether 1500 1592 9578 08:55:31:06:F4:75
3 XS ether4 ether 1500 1592 9578 08:55:31:06:F4:76
4 R ether5-wifilink ether 1500 1592 9578 08:55:31:06:F4:77
5 X ether6 ether 1500 1592 9578 08:55:31:06:F4:78
6 X ether7 ether 1500 1592 9578 08:55:31:06:F4:79
7 X ether8 ether 1500 1592 9578 08:55:31:06:F4:7A
8 X ether9 ether 1500 1592 9578 08:55:31:06:F4:7B
9 R ether10-externalbackup ether 1500 1592 9578 08:55:31:06:F4:7C
10 X sfp-sfpplus1 ether 1500 1600 9586 08:55:31:06:F4:7D
11 R bridge1-internal bridge 1500 1592 08:55:31:06:F4:74
12 X l2tp-tunnel-from-xxxx l2tp-in
13 X xxxx-tunnel gre-tunnel 1476 65535
14 X pptp-tunnel-from-xxx pptp-in
15 R vlan10-Voice vlan 1500 1588 08:55:31:06:F4:74
16 R vlan20-cameras vlan 1500 1588 08:55:31:06:F4:74
17 R vlan30-entertainment vlan 1500 1588 08:55:31:06:F4:74
18 R vlan40-guestwifi vlan 1500 1588 08:55:31:06:F4:74
;;; Wireguard interface for mobile users
19 R wgRoadWarriors wg 1420 Re: Firewall rule can't match packet by interface
jpegs mean little to me, also hard on my old eyes LOL.
Re: Firewall rule can't match packet by interface
It is a text cut & paste!
Re: Firewall rule can't match packet by interface
Regardless, not the config.
Re: Firewall rule can't match packet by interface
At least pist the exact rule which doesn't work for you.
And a detail, it might be a hint: firewall rules may be executed before egress interface is known, routing decission is made after most firewall processing is done.
Also: screenshot in opening post also hints that ping is originated from router itself, pinging own IP address ... and that works entirely within its IP stack, so no interfaces are ever involved.
And a detail, it might be a hint: firewall rules may be executed before egress interface is known, routing decission is made after most firewall processing is done.
Also: screenshot in opening post also hints that ping is originated from router itself, pinging own IP address ... and that works entirely within its IP stack, so no interfaces are ever involved.
Who is online
Users browsing this forum: No registered users and 29 guests