IPIP with pfSense Firewalls

You simply need to edit the GUI php files so that you can select IPIP, AX25 etc from the GUI and then it all works. 

I used this advice that I found in a mailing list a few years back.


How can I modify my firewall to allow packet forwarding of Protocol 4 and 93?  This is for 44net (AMPR.ORG) traffic which is an encapsulated IPIP packet as well as RIPd broadcasts.

Mostly you'd just need to find and edit the protocol lists in the GUI and add the protocol's name from /etc/protocols.


usr/local/www/firewall_nat_edit.php:535:                      <?php $protocols = explode(" ", "TCP UDP TCP/UDP GRE ESP ICMP"); foreach ($protocols as $proto): ?>
usr/local/www/firewall_nat_out_edit.php:488:                            <?php $protocols = explode(" ", "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync");
usr/local/www/firewall_rules_edit.php:861:                              $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP OSPF any carp pfsync");

So you'd add " ipencap ax.25" in those lists.

Can't say for sure that will work with those protocols, but that's the usual path to take.

Basically one edits some GUI pages so that the drop down menus offer the protocols you want to use. I added quite a few including IPIP, IPtunnel, AX25 etc. pfSense (and probably m0n0Wall etc) can do these protocols but the GUI developers did not list all the protocols that the platform can do. Break open /etc/protocols for a HUGE list of the stuff pfSense can do, most of which is not listed in the GUI.

Alternatively, you could always write the pfSense rules into the config files by hand thus eliminating the need for the GUI. I can never remember the subtle switches etc so use the GUI.

pfSense has a file editor available as a GUI addon which could make life easier but I like using the command line editor "vi". Simply SSH into the box, select "shell" from the menu and you have a BSD (kinda like Linux) command line.

The usual health warnings apply!!!

Mark, G7LTT
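
Added example, not part of the original posts: a shell check that resolves the protocol numbers from the question (4 and 93) to their /etc/protocols names and reports which ones the GUI list from firewall_rules_edit.php still lacks, so only names the platform actually knows get appended. The function names and the embedded protocols file are constructed for illustration; on a real box pass /etc/protocols instead.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Constructed sample in protocols(5) format; use /etc/protocols on the firewall.
SAMPLE_PROTOCOLS=$(mktemp)
trap 'rm -f "$SAMPLE_PROTOCOLS"' EXIT
cat > "$SAMPLE_PROTOCOLS" <<'EOF'
# name    number  aliases      (constructed sample)
icmp      1       ICMP         # internet control message protocol
ipencap   4       IP-ENCAP     # IP encapsulated in IP
tcp       6       TCP
gre       47      GRE
ax.25     93      AX.25        # AX.25 frames
EOF

# proto_name FILE NUMBER -> prints the canonical name; returns 1 if unknown.
proto_name() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                       # strip trailing comments
        NF >= 2 && $2 == n { print $1; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# missing_protocols FILE "GUI LIST" NUMBER... -> names that still need adding.
missing_protocols() {
    file=$1; list=$2; shift 2
    out=""
    for num in "$@"; do
        name=$(proto_name "$file" "$num") || {
            echo "protocol $num is not in $file, do not add it" >&2
            return 1
        }
        # Whole-word, case-insensitive, literal match ("ax.25" contains a dot).
        if ! echo "$list" | tr ' ' '\n' | grep -qixF -- "$name"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# Protocol list as it appears in firewall_rules_edit.php on the page.
GUI_LIST="TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP OSPF any carp pfsync"
missing_protocols "$SAMPLE_PROTOCOLS" "$GUI_LIST" 4 93 47
```

GRE (47) is included to show that a protocol already in the list is not reported again.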


Thanks for sharing that information.

It may be beneficial to make an overlay that can easily be sftp'd to the target pfSense device.

Or the pfSense project could be forked similar to how OpenWrt was forked for ham use as this has just as much flexibility as the hsmm-mesh software.

I have been a deployer and tester for years, great software.  I have also created custom patched versions to support things like soundmodems, strange wifi cards, and weird 3g card drivers.

If there is anyone interested, please send me an email off list as I have been thinking of a ham version of pfSense for years.

Best Regards,

Elias Basse
SELCOMS Board Member
Louisiana AMPRNET Coordinator