> On Dec 24, 2017, at 9:45 AM, Chris L <c...@viptalk.net> wrote:
>
> Not a bug. That is by design. Create the rules to pass the traffic you need
> to pass on OPTX interfaces after you create them.

That's inconsistent with the LAN interface, which has secret undocumented default rules that allow self traffic to the firewall from the interface network segment by default. To me this inconsistency does feel like a bug.

>> Again, not a bug.

There's a long open bug for it actually: https://redmine.pfsense.org/issues/5826

It will break your configuration whenever you configure IPsec between an OPT* interface and a remote destination whose CIDR block happens to be a superset of your interface CIDR block, and you have been using any local service like DNS, HTTPS, SSH, etc. on the firewall. The traffic will be misrouted through the tunnel due to missing logic for bypassing the firewall self traffic from the tunnel.

Matthew.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold