Netgate Discussion Forum

    Policy based routing

    General pfSense Questions
    13 Posts 5 Posters 1.2k Views
      jeremyj @NogBadTheBad

      @nogbadthebad

      Thanks, but I do not want the traffic to egress at all if it cannot egress over the vpn. If I have tiers won’t it just go to tier 2 when tier 1 is down?

        NogBadTheBad @jeremyj

        @jeremyj Oh, sorry, I misread your post.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          NogBadTheBad @NogBadTheBad

          Post a screenshot of your rules.

          Andy

            jeremyj @NogBadTheBad

            @nogbadthebad
            Thanks, I’ve added pics to the question above. There are only three options set: the source computer, the gateway, the pipe. Thanks for the help.

              jeremyj

              I think it may be that you have to set an advanced option to force the gateway use. I think it is documented here:
              https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use

              Personally, that seems a really counterintuitive thing to have to set. It rather defeats the purpose of selecting a specific gateway. If failover to another gateway is wanted, that seems the whole purpose of gateway groups.

              If I am wrong or right about this being the source of my original problem, grateful if someone could confirm/disconfirm.

                Bob.Dig @jeremyj

                @jeremyj said in Policy based routing:

                https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use

                Your link is the answer. By default pfSense wants you or your "company" to be able to "work" when a gateway is failing, so you as the admin have to enforce that it doesn't work. First of all, pfSense is a firewall for businesses and not a VPN client for privacy VPNs for home users. 😉

                  jeremyj @Bob.Dig

                  @bob-dig
                  Thank you. Appreciate you taking time to confirm.

                  I hope the manual's author sees this post! It would be helpful to make that behaviour clearer generally in the routing and gateway terminology employed in the manual, as the wording in most places suggests that a gateway “will” be used. But it seems “may” is more accurate, given the default behaviour.

                    Cool_Corona @Bob.Dig

                    @bob-dig But that's a bad excuse for something that shouldn't happen in an enterprise-grade FW.

                    When I DON'T state that there is a failover GW, then ALL policy based routing to the failing GW should NOT be rerouted.

                    This is basic stuff.... This is networking for dummies.

                    This is a flaw.

                      jeremyj @Cool_Corona

                      @cool_corona

                      Yep. It’s also an extremely awkward method of enforcing the gateway egress, since if you set the advanced option then instead of privately substituting in another gateway, pfSense just disregards the rule entirely! So you have to create a further rule to then block egress. Overly complex and counterintuitive, compounded by lax terminology in the manual around rules and gateways.

                        Bob.Dig @jeremyj

                        @jeremyj I don't find it that complex, but it is also not a consumer product.
                        Instead of changing the advanced option you can create a VPN kill switch via tagging. You would tag packets in your rule and then create a block rule on WAN watching for those tags; if tagged traffic reaches WAN, that block rule would trigger.

                          stephenw10 (Netgate Administrator)

                          In System > Advanced > Misc you need to set "Skip rules when gateway is down".

                          Otherwise the pass rule is still created but without the VPN gateway set when it goes down. Hence the traffic leaves over the WAN directly.

                          Steve

                          Edit: What Bob said! 😉

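The following pf.conf-style rules are an added illustration of the two behaviours discussed in this thread (the default rule reload without the VPN gateway that stephenw10 describes, and the tag-based kill switch Bob.Dig suggests). They are not pfSense's own generated rules, and the interface names (em0, em1, ovpnc1), the tunnel gateway 10.8.0.1, the tag name VPN_ONLY and the host 192.168.1.50 are constructed for the example.

```pf
# Added example, not rules generated by pfSense. Values are constructed:
# LAN is em1, WAN is em0, the OpenVPN client interface is ovpnc1 whose remote
# gateway is 10.8.0.1, and 192.168.1.50 is the host that must only use the VPN.

lan = "em1"
wan = "em0"
vpn = "ovpnc1"
vpn_only_host = "192.168.1.50"

# 1. Policy-routing rule while the VPN gateway is UP: the host's traffic is
#    passed and forced out the tunnel with route-to. The rule also tags every
#    state it creates with VPN_ONLY (used by the kill switch in step 4).
pass in quick on $lan inet from $vpn_only_host to any \
    route-to ($vpn 10.8.0.1) keep state tag VPN_ONLY

# 2. Default behaviour when the gateway is DOWN (what stephenw10 describes):
#    the same pass rule is reloaded WITHOUT the route-to clause, so the traffic
#    follows the default route and leaves over WAN unencrypted.
#pass in quick on $lan inet from $vpn_only_host to any keep state tag VPN_ONLY

# 3. With "Skip rules when gateway is down" enabled, rule 1 is omitted entirely
#    instead. The host's traffic then falls through to whatever rule comes next
#    (for instance a general "allow LAN to any" rule), so a block rule below
#    the policy-routing rule is still needed to stop it leaving via WAN.
block in quick on $lan inet from $vpn_only_host to any

# 4. Kill switch via tagging (Bob.Dig's approach): a floating outbound block
#    on WAN drops anything carrying the VPN_ONLY tag. In case 1 the tagged
#    traffic leaves on $vpn and never hits this rule; in case 2 the route-to is
#    gone, the packets are routed out $wan, and this rule discards them.
block out quick on $wan tagged VPN_ONLY
```

In the pfSense GUI the `tag VPN_ONLY` part corresponds to the Tag field under the LAN rule's advanced options, and the last rule is a floating block rule on WAN, direction out, with the same value in its Tagged field. The point of step 4 is that the kill switch does not depend on the advanced "skip rules" option: whichever way pfSense reloads the pass rule when the gateway fails, tagged traffic can only ever leave through the tunnel interface.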
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.