pfsense-api
Cannot add firewall rules on ovpn interface
Hi,
Actually, I can set firewall rules on "normal" interfaces like wan, lan, optX... BUT it fails when applying the same rules on my OpenVPN interface...
Literal rule: "Accept all from any to any"
Data sent for my opt1 interface (aka WORKSTATIONS):
{'client-id': 'admin', 'client-token': 'pfsense', 'type': 'pass', 'interface': 'WORKSTATION', 'ipprotocol': 'inet', 'protocol': 'any', 'src': 'any', 'srcport': 'any', 'dst': 'any', 'dstport': 'any', 'descr': 'Allow all from CLIENT', 'top': True, 'apply': True}
Result:
{'status': 'ok', 'code': 200, 'return': 0, 'message': 'Success', 'data': {'type': 'pass', 'interface': 'opt1', 'ipprotocol': 'inet', 'source': {'any': ''}, 'destination': {'any': ''}, 'descr': 'Allow all from CLIENT', 'tracker': 1653314302, 'created': {'time': 1653314302, 'username': '[email protected] (API)'}, 'updated': {'time': 1653314302, 'username': '[email protected] (API)'}}}
The same data sent for my OpenVPN interface:
{'client-id': 'admin', 'client-token': 'pfsense', 'type': 'pass', 'interface': 'OPENVPN', 'ipprotocol': 'inet', 'protocol': 'any', 'src': 'any', 'srcport': 'any', 'dst': 'any', 'dstport': 'any', 'descr': 'Allow all from OpenVpn', 'top': True, 'apply': True}
Result:
{'status': 'bad request', 'code': 400, 'return': 4034, 'message': 'Firewall rule interface required', 'data': []}
The only difference I saw as a user: the OpenVPN interface is not directly visible in the Interfaces dropdown menu, but it is visible in Firewall --> Rules.
Adding this rule manually works.
Thanks
This looks like a duplicate of #169. The situation is still the same today; it would be a feature that would be implemented/prioritized at the same time the OpenVPN server endpoints are released, so both could be accurately tested by the E2E tests. The OpenVPN, IPsec, WireGuard, etc. interfaces for firewall rules depend on having those services configured before they are available, so at the moment that level of validation could not be tested without manually configuring those services.
I can keep this open as a feature request and update once there is a PR or release that includes this functionality.
Thanks!
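Added example, not code from the issue or from the pfsense-api project: a small Python client that sends the same "pass any to any" payload shown above and refuses to treat the `return: 4034` answer as a created rule, so automation fails loudly instead of assuming the rule was applied. The endpoint path `/api/v1/firewall/rule` is an assumption; the payload fields and the response codes are the ones quoted in the thread.

```python
"""Post a pfSense firewall rule via pfsense-api and verify it was created."""
import json
import ssl
import urllib.request

RULE_ENDPOINT = "/api/v1/firewall/rule"   # assumed path, not taken from the issue
RETURN_OK = 0                             # 'return': 0 in the successful response above
RETURN_INTERFACE_REQUIRED = 4034          # 'return': 4034 in the failing response above


class RuleNotApplied(Exception):
    """The API answered, but no rule was created."""


def build_pass_rule(interface, descr, creds):
    """Build the 'pass, inet, any -> any' payload from the issue report."""
    return {**creds, "type": "pass", "interface": interface, "ipprotocol": "inet",
            "protocol": "any", "src": "any", "srcport": "any", "dst": "any",
            "dstport": "any", "descr": descr, "top": True, "apply": True}


def check_rule_response(body):
    """Return the created rule dict, or raise RuleNotApplied with a precise reason."""
    if body.get("status") == "ok" and body.get("return") == RETURN_OK:
        return body["data"]
    if body.get("return") == RETURN_INTERFACE_REQUIRED:
        # The v1 endpoint does not yet accept virtual interfaces such as OpenVPN
        # (see #169); the rule has to be added in the webGUI instead.
        raise RuleNotApplied(
            f"return {RETURN_INTERFACE_REQUIRED}: {body.get('message')} - "
            "interface not accepted by the API; rule was NOT created")
    raise RuleNotApplied(f"HTTP {body.get('code')} return {body.get('return')}: "
                         f"{body.get('message')}")


def add_pass_rule(base_url, interface, descr, creds, cafile=None):
    """Send the rule and return the created rule, raising if it was not applied."""
    req = urllib.request.Request(
        base_url + RULE_ENDPOINT, method="POST",
        data=json.dumps(build_pass_rule(interface, descr, creds)).encode(),
        headers={"Content-Type": "application/json"})
    # Keep certificate verification on; pass cafile for a self-signed pfSense cert.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return check_rule_response(json.load(resp))
```

Checking `return` as well as `status` matters because a 4xx body still parses cleanly as JSON; only the explicit exception tells the caller that the OpenVPN rule does not exist.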