Netgate Discussion Forum

Policy-based routing isn't pushing traffic through the correct gateway

11 Posts 3 Posters 882 Views
  • C
    ctuchik
    last edited by May 23, 2023, 1:54 PM

    Hi,

    I know this keeps getting asked but I'm really stuck.
    I keep going back here to double check my work but it seems fine!

    Basically, if a host matches a group I call privileged, the gateway is direct to WAN. If it does not, the gateway goes through the VPN.

    But my public IP is shown when I used:

    curl ipecho.net/plain
    

    I can push traffic through the correct interface by doing this on the firewall shell:

    curl --interface ovpnc4 ipecho.net/plain
    

    There are no errors in the OpenVPN client log, and I turned the gateway monitoring off for it.

    I have tried turning off pfblockerng, but that doesn't help either.

    Can someone please help me?

    Screenshot_2023-05-23_14-49-29.png

    • V
      viragomann @ctuchik
      last edited by May 23, 2023, 3:51 PM

      @ctuchik
      Enable logging on both concerned rules and then check which one is applied to the traffic.

      Consider also flushing the states.

      • B
        Bob.Dig LAYER 8 @ctuchik
        last edited by May 23, 2023, 4:03 PM

        @ctuchik Where did you run curl?

        • C
          ctuchik
          last edited by May 23, 2023, 4:54 PM

          @viragomann OK logging enabled on both, I am looking in
          Status > System Logs
          Then filtering the log for the ID of the rules.
          Is this area up to the second after a refresh? There isn't much in there.
          I flushed the states too, but it doesn't seem to fix anything.

          DNS, speedtests, curl = nothing works unless the host is made a member of the "Privileged" Alias. Traffic simply won't route through the VPN unless I hop on the firewall using ssh and do a curl through it, specifying the interface to use.

          @bob-dig: curl is being run from a host that is a member of the "Privileged" Alias, one that is not, and also in an ssh shell of pfsense as well.

          • B
            Bob.Dig LAYER 8 @ctuchik
            last edited by Bob.Dig May 23, 2023, 4:57 PM May 23, 2023, 4:56 PM

            @ctuchik said in Policy-based routing isn't pushing traffic through the correct gateway:

            unless I hop on the firewall using ssh and do a curl through it, specifying the interface to use.

            Then it is an outbound NAT problem. You have to configure it accordingly.

            • C
              ctuchik @Bob.Dig
              last edited by May 23, 2023, 5:03 PM

              @bob-dig In case I get reprimanded for what seems like outbound NAT not being in manual mode: This firewall is virtual, and I did try a VM snapshot, moving to manual, copying the correct rule and changing the interface to openvpn instead - this fixed nothing.

              Here is how that looks at the moment:
              Screenshot_2023-05-23_17-58-58.png

              Perfectly happy to do it again though?

              • B
                Bob.Dig LAYER 8 @ctuchik
                last edited by Bob.Dig May 23, 2023, 5:11 PM May 23, 2023, 5:11 PM

                @ctuchik With that screenshot shown, it is no wonder that it is not working. For OpenVPN you need to make some rules like it is described in the tutorials.
                You could try to replace "this firewall" with any, for testing.

                • C
                  ctuchik @ctuchik
                  last edited by ctuchik May 23, 2023, 5:12 PM May 23, 2023, 5:12 PM

                  Is it relevant to mention the hypervisor hosting pfsense is in a DMZ behind a router that is connected directly to the Internet?

                  *EDIT OK will try that.

                  • C
                    ctuchik @Bob.Dig
                    last edited by May 23, 2023, 5:18 PM

                    @bob-dig It's working, you were right and I'm grateful you helped :)
                    If you wouldn't mind helping me learn how this fixed my issue?
                    I vaguely understand the rule to mean this: "any outbound traffic on this interface should be translated as if it has come from the current VPN address", so since I mentioned "this firewall", doesn't that cover everything already?

                    • B
                      Bob.Dig LAYER 8 @ctuchik
                      last edited by Bob.Dig May 23, 2023, 5:21 PM May 23, 2023, 5:20 PM

                      @ctuchik It covers only the firewall itself. "Any" is not advised though; you should define all the source networks (LANs) you'd like to use with the VPN.

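The mechanism Bob.Dig describes above, modelled as an added example (this is not code from the thread, pfSense or Netgate): a simplified first-match outbound NAT evaluation showing why a `curl --interface ovpnc4` run on the firewall itself is translated while a policy-routed LAN host is not when the OpenVPN outbound NAT rule's source is "This Firewall". All interface names (`em0`, `ovpnc4`), addresses and the LAN network are constructed for the illustration; the `lint_vpn_nat` check is a hypothetical helper that flags LAN networks lacking a NAT rule on the VPN interface.

```python
"""Simplified model of pfSense outbound NAT matching for one egress interface.

Added illustration; interface names, addresses and networks below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    interface: str      # egress interface the rule applies to
    source: str         # CIDR network, or "this_firewall" for the firewall's own addresses
    translate_to: str   # address the packet leaves with when the rule matches


# Constructed addresses: LAN gateway, WAN address, OpenVPN tunnel address.
FIREWALL_ADDRS = {"192.168.1.1", "203.0.113.10", "10.8.0.6"}
LAN_NET = "192.168.1.0/24"
WAN_IF = "em0"
VPN_IF = "ovpnc4"
VPN_TUNNEL_ADDR = "10.8.0.6"
WAN_ADDR = "203.0.113.10"


def rule_matches(rule: NatRule, out_if: str, src_ip: str) -> bool:
    """True if a packet leaving out_if from src_ip is selected by this rule."""
    if rule.interface != out_if:
        return False
    if rule.source == "this_firewall":
        return src_ip in FIREWALL_ADDRS
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def translated_source(rules, out_if: str, src_ip: str):
    """Source address after outbound NAT (first matching rule wins), or None
    when no rule matches and the packet leaves with its private source intact."""
    for rule in rules:
        if rule_matches(rule, out_if, src_ip):
            return rule.translate_to
    return None


def lint_vpn_nat(rules, vpn_if: str, lan_nets):
    """Return LAN networks that have no covering outbound NAT rule on vpn_if.
    Hosts in those networks will be policy-routed into the tunnel but never translated."""
    missing = []
    for net in lan_nets:
        n = ipaddress.ip_network(net)
        covered = any(
            r.interface == vpn_if
            and r.source != "this_firewall"
            and n.subnet_of(ipaddress.ip_network(r.source))
            for r in rules
        )
        if not covered:
            missing.append(net)
    return missing


# The failing setup from the thread: the WAN rule was copied to the VPN interface
# but its source stayed "This Firewall", so only the firewall's own traffic is translated.
BROKEN_RULES = [
    NatRule(WAN_IF, LAN_NET, WAN_ADDR),
    NatRule(VPN_IF, "this_firewall", VPN_TUNNEL_ADDR),
]

# The corrected setup: each LAN network that is policy-routed into the VPN gets
# its own rule on the VPN interface (rather than a blanket "any" source).
FIXED_RULES = [
    NatRule(WAN_IF, LAN_NET, WAN_ADDR),
    NatRule(VPN_IF, LAN_NET, VPN_TUNNEL_ADDR),
    NatRule(VPN_IF, "this_firewall", VPN_TUNNEL_ADDR),
]


if __name__ == "__main__":
    lan_host = "192.168.1.50"
    print("broken, LAN host via VPN :", translated_source(BROKEN_RULES, VPN_IF, lan_host))
    print("broken, firewall via VPN :", translated_source(BROKEN_RULES, VPN_IF, VPN_TUNNEL_ADDR))
    print("fixed,  LAN host via VPN :", translated_source(FIXED_RULES, VPN_IF, lan_host))
    print("broken lint:", lint_vpn_nat(BROKEN_RULES, VPN_IF, [LAN_NET]))
    print("fixed  lint:", lint_vpn_nat(FIXED_RULES, VPN_IF, [LAN_NET]))
```

With the broken rule set the LAN host's packet enters the tunnel untranslated (result `None`), which is why nothing routed through the VPN got a reply, while the firewall's own `curl --interface ovpnc4` matched the "This Firewall" rule and worked. The lint mirrors Bob.Dig's advice: list each source network you intend to send through the VPN explicitly instead of using "any".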
                      • C
                        ctuchik @Bob.Dig
                        last edited by May 23, 2023, 5:24 PM

                        @bob-dig OK got it, thanks again.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.