
Cannot add firewall rules on ovpn interface

Open mitch40 opened this issue 2 years ago • 1 comments

Hi,

Actually, I can set firewall rules on "normal" interfaces like wan, lan, optX... BUT it fails when I apply the same rules on my OpenVPN interface...

Literal rule: "Accept all from any to any"

Data sent for my opt1 interface (aka WORKSTATIONS): {'client-id': 'admin', 'client-token': 'pfsense', 'type': 'pass', 'interface': 'WORKSTATION', 'ipprotocol': 'inet', 'protocol': 'any', 'src': 'any', 'srcport': 'any', 'dst': 'any', 'dstport': 'any', 'descr': 'Allow all from CLIENT', 'top': True, 'apply': True}

Result: {'status': 'ok', 'code': 200, 'return': 0, 'message': 'Success', 'data': {'type': 'pass', 'interface': 'opt1', 'ipprotocol': 'inet', 'source': {'any': ''}, 'destination': {'any': ''}, 'descr': 'Allow all from CLIENT', 'tracker': 1653314302, 'created': {'time': 1653314302, 'username': '[email protected] (API)'}, 'updated': {'time': 1653314302, 'username': '[email protected] (API)'}}}

The same data sent for my OpenVPN interface:

{'client-id': 'admin', 'client-token': 'pfsense', 'type': 'pass', 'interface': 'OPENVPN', 'ipprotocol': 'inet', 'protocol': 'any', 'src': 'any', 'srcport': 'any', 'dst': 'any', 'dstport': 'any', 'descr': 'Allow all from OpenVpn', 'top': True, 'apply': True}

Result: {'status': 'bad request', 'code': 400, 'return': 4034, 'message': 'Firewall rule interface required', 'data': []}

The only difference I saw as a user: the OpenVPN interface is not directly visible in the Interface dropdown menu:

[screenshot: interfaces]

But it is visible in Firewall --> Rules:

[screenshot: firewall]

Adding this rule manually works.

Thanks

mitch40 avatar May 23 '22 14:05 mitch40
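The two request/response pairs quoted in the report are enough to write a small client-side wrapper that distinguishes "rule created" from "interface name not accepted" instead of treating every non-200 reply the same way. The block below is an added example, not pfsense-api's own client and not code from the reporter: the endpoint path `/api/v1/firewall/rule`, the requests-like `session` object and the `add_rule` helper are assumptions, while the payload keys, the `return` code 4034 and the sample replies are taken verbatim from the issue text above.

```python
# Added example (not pfsense-api's own client): wrapper around the firewall-rule
# POST described in the issue. Endpoint path, `session` interface and `add_rule`
# are assumptions; payload and response shapes come from the issue text.
from typing import Any, Dict, Optional

API_RULE_PATH = "/api/v1/firewall/rule"   # assumed v1 endpoint path
ERR_INTERFACE_REQUIRED = 4034             # 'return' code quoted in the issue


def build_rule_payload(client_id: str, client_token: str, interface: str,
                       descr: str, top: bool = True, apply: bool = True) -> Dict[str, Any]:
    """Build the 'accept all from any to any' rule body shown in the issue."""
    return {
        "client-id": client_id,
        "client-token": client_token,
        "type": "pass",
        "interface": interface,
        "ipprotocol": "inet",
        "protocol": "any",
        "src": "any", "srcport": "any",
        "dst": "any", "dstport": "any",
        "descr": descr,
        "top": top,
        "apply": apply,
    }


def redact(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the payload that is safe to log: the API token travels in the body."""
    safe = dict(payload)
    if "client-token" in safe:
        safe["client-token"] = "***"
    return safe


def classify_response(resp: Dict[str, Any]) -> str:
    """Map the API's JSON reply to one of: created, interface_unsupported, error."""
    if resp.get("status") == "ok" and resp.get("code") == 200:
        return "created"
    if resp.get("code") == 400 and resp.get("return") == ERR_INTERFACE_REQUIRED:
        # The OpenVPN case from the issue: the interface name is not resolved to
        # an assignable interface, so the rule is rejected before creation.
        return "interface_unsupported"
    return "error"


def created_rule_summary(resp: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the interface the API actually resolved to and the rule tracker id.

    Useful as a post-check: the request said 'WORKSTATION', the API stored 'opt1'.
    """
    if classify_response(resp) != "created":
        return None
    data = resp["data"]
    return {"interface": data["interface"], "tracker": data["tracker"]}


def add_rule(session: Any, base_url: str, payload: Dict[str, Any]) -> str:
    """POST the rule with a requests-like session (assumed) and classify the reply."""
    r = session.post(base_url.rstrip("/") + API_RULE_PATH, json=payload, timeout=10)
    return classify_response(r.json())


# Constructed samples: the two replies reproduced in the issue.
SAMPLE_OK = {
    "status": "ok", "code": 200, "return": 0, "message": "Success",
    "data": {
        "type": "pass", "interface": "opt1", "ipprotocol": "inet",
        "source": {"any": ""}, "destination": {"any": ""},
        "descr": "Allow all from CLIENT", "tracker": 1653314302,
        "created": {"time": 1653314302, "username": "[email protected] (API)"},
        "updated": {"time": 1653314302, "username": "[email protected] (API)"},
    },
}
SAMPLE_FAIL = {"status": "bad request", "code": 400, "return": 4034,
               "message": "Firewall rule interface required", "data": []}

if __name__ == "__main__":
    body = build_rule_payload("admin", "pfsense", "OPENVPN", "Allow all from OpenVpn")
    print(redact(body))
    print(classify_response(SAMPLE_OK), created_rule_summary(SAMPLE_OK))
    print(classify_response(SAMPLE_FAIL))
```

Callers that automate rule provisioning can branch on `interface_unsupported` and fall back to the manual Firewall --> Rules workflow the reporter describes, while `created_rule_summary` lets them confirm which interface the rule actually landed on.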

This looks like a duplicate of #169. The situation is still the same today; it would be a feature that would be implemented/prioritized at the same time the OpenVPN server endpoints would be released, so both could be accurately tested by the E2E tests. The OpenVPN, IPsec, WireGuard, etc. interfaces for firewall rules are dependent on having those services configured before they are available, so at the moment that level of validation could not be tested without manually configuring those services.

I can keep this open as a feature request and update once there is a PR or release that includes this functionality.

Thanks!

jaredhendrickson13 avatar May 24 '22 15:05 jaredhendrickson13