Firewall rule can't match packet by interface
Posted: Thu Nov 28, 2024 11:50 pm
by ocgltd
I have an RB4011iGS+ and have set up one of the ethernet interfaces as 192.168.88.253; connected to that interface is a device with IP 192.168.88.1.
I have set up a forwarding rule to pass all packets going in and out of that interface (ether10). But this rule never matches, and I log the failure as shown below.
I see that the interfaces for this packet (input and output) are both "unknown" in the log. Why? I need to match my firewall rule based on source interface (ether10) but if the interface is never recognized as ether10 then the rule won't work. What's wrong here? Why is the interface name (port) missing?
[attachment: mik1.jpg (screenshot of the firewall log)]
Re: Firewall rule can't match packet by interface
Posted: Thu Nov 28, 2024 11:58 pm
by anav
No idea without seeing the config.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, VPN keys, etc.)
Re: Firewall rule can't match packet by interface
Posted: Fri Nov 29, 2024 12:03 am
by ocgltd
I'm afraid to post that as:
1. It's embarrassingly ugly (I learned how to set up a firewall on this box).
2. I'm afraid I will accidentally let something private slip into the output, and then the whole internet can get into my firewall.
3. I've put in lots of comments that mention my customer names etc. and would have to strip all that out.
Can I post just the interfaces, addresses, and routing table as below? (Probably not enough, but maybe you see something stupid there already.)
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; Internal general network
0 172.31.254.1/24 172.31.254.0 bridge1-internal
1 172.31.250.1/24 172.31.250.0 ether5-wifilink
2 172.31.253.1/24 172.31.253.0 vlan10-Voice
3 172.31.252.1/24 172.31.252.0 vlan30-entertainment
4 172.31.251.1/24 172.31.251.0 vlan20-cameras
5 172.31.249.1/24 172.31.249.0 vlan40-guestwifi
;;; Road warrior WireGuard interface
6 172.31.247.1/24 172.31.247.0 wgRoadWarriors
;;; Mobile Hotspot Client Network
7 172.31.246.1/32 172.31.246.1 ether10-externalbackup
8 D x.x.x.x/27 x.x.x.x ether1-externalprimary
9 D 192.168.88.253/24 192.168.88.0 ether10-externalbackup
10 D 10.6.0.1/32 10.6.0.1 ether1-externalprimary
# DST-ADDRESS GATEWAY DISTANCE
0 Xs 172.31.232.0/24 l2tp-tunnel-from-XXXXX 1
1 Xs 172.31.246.0/24 172.31.246.1 1
DAd 0.0.0.0/0 x/x/x/x 1
;;; HOST-ON-WAN-PRIMARY
2 As 1.1.1.1/32 x.x.x.x 1
;;; HOST-ON-WAN-BACKUP
3 As 9.9.9.9/32 x.x.x.x 1
DAc 10.6.0.1/32 ether1-externalprimary 0
DAc x.x.x.x/27 ether1-externalprimary 0
4 As 172.31.231.0/24 172.31.247.2 2
5 As 172.31.232.0/24 172.31.247.2 2
6 As 172.31.233.0/24 172.31.247.2 2
7 As 172.31.234.0/24 172.31.247.2 2
8 As 172.31.235.0/24 172.31.247.2 2
9 IsH 172.31.246.0/24 172.31.246.1 1
DAc 172.31.246.1/32 ether10-externalbackup 0
DAc 172.31.247.0/24 wgRoadWarriors 0
DAc 172.31.249.0/24 vlan40-guestwifi 0
DAc 172.31.250.0/24 ether5-wifilink 0
DAc 172.31.251.0/24 vlan20-cameras 0
DAc 172.31.252.0/24 vlan30-entertainment 0
DAc 172.31.253.0/24 vlan10-Voice 0
DAc 172.31.254.0/24 bridge1-internal 0
0 R ether1-externalprimary ether 1500 1592 9578 08:55:31:06:F4:73
1 RS ether2-internal ether 1500 1592 9578 08:55:31:06:F4:74
2 XS ether3 ether 1500 1592 9578 08:55:31:06:F4:75
3 XS ether4 ether 1500 1592 9578 08:55:31:06:F4:76
4 R ether5-wifilink ether 1500 1592 9578 08:55:31:06:F4:77
5 X ether6 ether 1500 1592 9578 08:55:31:06:F4:78
6 X ether7 ether 1500 1592 9578 08:55:31:06:F4:79
7 X ether8 ether 1500 1592 9578 08:55:31:06:F4:7A
8 X ether9 ether 1500 1592 9578 08:55:31:06:F4:7B
9 R ether10-externalbackup ether 1500 1592 9578 08:55:31:06:F4:7C
10 X sfp-sfpplus1 ether 1500 1600 9586 08:55:31:06:F4:7D
11 R bridge1-internal bridge 1500 1592 08:55:31:06:F4:74
12 X l2tp-tunnel-from-xxxx l2tp-in
13 X xxxx-tunnel gre-tunnel 1476 65535
14 X pptp-tunnel-from-xxx pptp-in
15 R vlan10-Voice vlan 1500 1588 08:55:31:06:F4:74
16 R vlan20-cameras vlan 1500 1588 08:55:31:06:F4:74
17 R vlan30-entertainment vlan 1500 1588 08:55:31:06:F4:74
18 R vlan40-guestwifi vlan 1500 1588 08:55:31:06:F4:74
;;; Wireguard interface for mobile users
19 R wgRoadWarriors wg 1420
Re: Firewall rule can't match packet by interface
Posted: Fri Nov 29, 2024 12:13 am
by anav
jpegs mean little to me, also hard on my old eyes LOL.
Re: Firewall rule can't match packet by interface
Posted: Fri Nov 29, 2024 3:40 am
by ocgltd
It is a text cut & paste!
Re: Firewall rule can't match packet by interface
Posted: Fri Nov 29, 2024 6:16 am
by anav
Regardless, not the config.
Re: Firewall rule can't match packet by interface
Posted: Fri Nov 29, 2024 6:50 am
by mkx
At least post the exact rule which doesn't work for you.
And a detail, it might be a hint: firewall rules may be executed before the egress interface is known; the routing decision is made after most firewall processing is done.
Also: the screenshot in the opening post also hints that the ping is originated from the router itself, pinging its own IP address ... and that works entirely within its IP stack, so no interfaces are ever involved.
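An added example (not from the thread, and not the original poster's actual rule, which was never shown) of where a diagnostic log rule would have to sit: transit packets from the device behind ether10-externalbackup are seen in chain=forward with in-interface populated, while a ping issued from the router itself never enters forward and can only be seen in chain=output. The log-prefix values are made up.

```routeros
# Transit traffic: a packet from 192.168.88.1 headed through the router arrives
# on ether10-externalbackup, so in-interface is known in the forward chain.
# Keep these above any generic drop rule so the log entries are actually produced.
/ip firewall filter
add chain=forward in-interface=ether10-externalbackup action=log log-prefix="fwd-from-ether10"
add chain=forward in-interface=ether10-externalbackup action=accept
add chain=forward out-interface=ether10-externalbackup action=log log-prefix="fwd-to-ether10"
add chain=forward out-interface=ether10-externalbackup action=accept

# Router-originated traffic (e.g. /tool ping 192.168.88.1 run on the router) never
# traverses forward; it is only visible in the output chain. A ping from the router
# to its own address 192.168.88.253 stays inside the IP stack and shows no interface.
add chain=output dst-address=192.168.88.1 action=log log-prefix="router-to-device"
```

To exercise the forward rules, generate traffic from a host on the 192.168.88.0/24 side rather than from the router's own console.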