Author Topic: [EFW 2.4] System Access Policies not working  (Read 12702 times)
edgeconsults
« on: Thursday 22 July 2010, 09:34:25 am »

I have been using 2.2 all this time because the NICs on the boxes I'm using were not compatible with 2.3. I have been testing 2.4 now and have had no problems with the Realtek 8168 NIC. Everything works great with one exception.

I have tried to configure the system access policy to allow access to the router via SSH and 10443 from the RED interface, but it does not work. It works on 2.2 but not 2.4.

Any ideas?

The HTTP proxy works great. Port forwarding works great. Outgoing firewall works great too. Just the system access firewall does not. I have not tried VPN because I am stuck trying to figure out why the system is not allowing access from the RED interface to the box via SSH and 10443.

Thanks

Edwin

edgeconsults
« Reply #1 on: Thursday 22 July 2010, 09:43:42 am »

I just tried modifying the system access rules to have only one rule:

source address:   blank
source interface:  red
service:                any
protocol:              any
policy action:        allow
enabled:              checked

I also tried this:

source address:   blank
source interface:  red
service:                all
protocol:              tcp+udp
policy action:        allow
enabled:              checked

and still no luck.

I can, however, ping the box.

Any ideas? Am I doing something wrong?

Thanks

Edwin
DFen
« Reply #2 on: Friday 23 July 2010, 03:28:18 am »

I have a static IP address and this rule works fine for me for web and SSH access.

<mystaticIP>     <ANY>     TCP/10443 TCP/80 TCP/22 ALLOW
johnthecomputerguy
« Reply #3 on: Saturday 31 July 2010, 12:43:03 pm »

I am seeing this exact same issue. The machine is a Dell Precision 390 workstation with the onboard Broadcom NIC being used for WAN. System access rules are not being processed properly, it seems. I will try to swap WAN with one of the installed Intel PCI NICs to see if it is a driver issue.
DFen
« Reply #4 on: Sunday 01 August 2010, 01:15:04 am »

Hi

I have tried some tests on my test machine:

Uplink main RED (DHCP) is down, so it has no IP (INACTIVE).
Uplink test is defined as a gateway over Green (default gateway: 192.168.1.1) and is up.

If I add rule Firewall->System access
source: blank
interface:any
service: any
policy:allow
enabled

It appears in the chain INPUTFW.
SSH to the firewall; to see the chain:
iptables -L INPUTFW -nv

If I change the rule to:
source: blank
interface:RED
service: any
policy:allow
enabled

Then nothing appears in the INPUTFW chain.

I think this is a (known?) bug in 2.4

Setting the interface to Green or OpenVPN seems to work OK but RED does not.

Work-around
=========
If a source IP is defined, just set the interface to "any".

If there is no source IP but the rule is different for Green etc.:
Define the rules for Green, OpenVPN, Orange etc. first.
Then define the rule for RED but using interface "any".
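The check DFen describes (SSH in, list INPUTFW, see whether the RED rule landed) is easy to do by eye for one rule and error-prone for a full policy. The script below is an added example, not code from this thread or from Endian: it parses the output of `iptables -L INPUTFW -nv`, then reports which of the wanted ports (22 and 10443, the SSH and web-UI ports from the thread) no ACCEPT rule covers for a given inbound interface, optionally from a given source address. The listing is constructed for the example, and the interface names (br0 for GREEN, tun0 for OpenVPN, eth1 for RED) are assumptions; substitute the names shown by `ip link` on the box. The sample deliberately reproduces the thread's two situations: GREEN and OpenVPN rules are present, no RED-interface rule exists, and the only rule that reaches RED is DFen's work-around (a source-restricted rule with interface "any").

```python
"""Check an `iptables -L INPUTFW -nv` listing for the access a System Access rule
should have produced (added example, not from the thread or from Endian)."""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed sample listing, not captured from a real Endian box. Interface names
# are assumptions: br0 = GREEN, tun0 = OpenVPN, eth1 = RED (absent, as in the bug).
SAMPLE_INPUTFW = """\
Chain INPUTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   12   720 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,10443
    3   180 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       203.0.113.7          0.0.0.0/0            multiport dports 22,80,10443
"""

COUNTER_RE = re.compile(r"\d+[KMG]?")            # -v prints 12K, 3M etc. for big counters
PORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")  # dpt:22 or dpts:1024:65535
MULTIPORT_RE = re.compile(r"\bdports (\S+)")       # multiport dports 22,80,10443 or 1:1023


def _dest_ports(extra: str) -> Set[int]:
    """Collect destination ports from the match column; an empty set means any port."""
    ports: Set[int] = set()
    m = PORT_RE.search(extra)
    if m:
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        ports.update(range(lo, hi + 1))
    m = MULTIPORT_RE.search(extra)
    if m:
        for item in m.group(1).split(","):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_chain(listing: str) -> List[Dict]:
    """Parse `iptables -L <chain> -nv` output into rule dicts; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or not COUNTER_RE.fullmatch(parts[0]):
            continue
        _pkts, _bytes, target, proto, _opt, iface_in, _iface_out, src, _dst = parts[:9]
        rules.append({
            "target": target,
            "proto": proto,                  # tcp, udp or all
            "in": iface_in,                  # "*" means any inbound interface
            "src": src,                      # CIDR; 0.0.0.0/0 means any source
            "dports": _dest_ports(" ".join(parts[9:])),
        })
    return rules


def allows(rules: List[Dict], iface: str, proto: str, port: int,
           src: Optional[str] = None) -> bool:
    """True if an ACCEPT rule matches traffic arriving on `iface` to proto/port.
    src=None asks whether *anyone* may connect, so source-restricted rules do not count."""
    for r in rules:
        if r["target"] != "ACCEPT" or r["proto"] not in ("all", proto):
            continue
        if r["in"] not in ("*", iface):
            continue
        if r["dports"] and port not in r["dports"]:
            continue
        net = ipaddress.ip_network(r["src"], strict=False)
        if src is None:
            if net.prefixlen != 0:
                continue
        elif ipaddress.ip_address(src) not in net:
            continue
        return True
    return False


def missing_access(rules: List[Dict], iface: str, ports: List[int],
                   src: Optional[str] = None) -> List[int]:
    """Ports in `ports` that nothing in the chain accepts for this interface/source."""
    return [p for p in ports if not allows(rules, iface, "tcp", p, src)]


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_INPUTFW)
    for iface in ("br0", "tun0", "eth1"):
        print(f"{iface}: missing {missing_access(rules, iface, [22, 10443])}")
    print("eth1 from 203.0.113.7: missing",
          missing_access(rules, "eth1", [22, 10443], "203.0.113.7"))
```

On a real box, pipe the live listing in instead of the sample (`iptables -L INPUTFW -nv` over the SSH session DFen mentions) and run the check for the RED interface name. An empty result for RED without a source address means the interface-based rule did land; a non-empty result with the source-restricted work-around still passing is exactly the state the thread describes.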