Policy-based routing isn't pushing traffic through the correct gateway

ctuchik · May 23, 2023, 1:54 PM

Hi,

I know this keeps getting asked but I'm really stuck.
I keep going back here to double check my work but it seems fine!

Basically, if a host matches a group I call privileged, the gateway is direct to WAN. If it does not, the gateway goes through the VPN.

But my public IP is shown when I used:

curl ipecho.net/plain

I can push traffic through the correct interface by doing this on the firewall shell:

curl --interface ovpnc4 ipecho.net/plain

There's no errors in the openvpn client log, and I turned the gateway monitoring off for it.

I have tried turning off pfblockerng, but that doesn't help either.

Can someone please help me?

viragomann · May 23, 2023, 3:51 PM

@ctuchik
Enable the logging in both concerned rule and check then, which is applied to the traffic.

Consider also to flush the states.

Bob.Dig · May 23, 2023, 4:03 PM

@ctuchik Where did you run curl?

ctuchik · May 23, 2023, 4:54 PM

@viragomann OK logging enabled on both, I am looking in
Status > System Logs
Then filtering the log for the ID of the rules.
Is this area up to the second after a refresh? There isn't much in there.
I flushed the states too, but it doesn't seem to fix anything.

DNS, speedtests, curl = nothing works unless the host is made a member of the "Privileged" Alias. Traffic simply won't route through the VPN unless I hop on the firewall using ssh and do a curl through it, specifying the interface to use.

@bob-dig: curl is being run from a host that is a member of the "Privileged" Alias, one that is not, and also in an ssh shell of pfsense as well.

Bob.Dig · May 23, 2023, 4:57 PM

@ctuchik said in Policy-based routing isn't pushing traffic through the correct gateway:

unless I hop on the firewall using ssh and do a curl through it, specifying the interface to use.

Then it is an oubound NAT problem. You have to configure it accordingly.

ctuchik · May 23, 2023, 5:03 PM

@bob-dig In case I get reprimanded for what seems like outbound NAT not being in manual mode: This firewall is virtual, and I did try a VM snapshot, moving to manual, copying the correct rule and changing the interface to openvpn instead - this fixed nothing.

Here is how that looks at the moment:

Perfectly happy to do it again though?

Bob.Dig · May 23, 2023, 5:11 PM

@ctuchik With that screenshot shown, it is no wonder, that it is not working. For OpenVPN you need to make some rules like it is described in the tutorials.
You could try to replace "this firewall" with any, for testing.

ctuchik · May 23, 2023, 5:12 PM

Is it relevant to mention the hypervisor hosting pfsense is in a DMZ behind a router that is connected directly to the Internet?

*EDIT OK will try that.

ctuchik · May 23, 2023, 5:18 PM

@bob-dig It's working, you were right and I'm grateful you helped :)
If you wouldn't mind helping me learn how this fixed my issue?
I vaguely understand the rule to mean this: "any outbound traffic on this interface should be translated as if it has come from the current VPN address", so since I mentioned "this firewall ", doesn't that cover everything already?

Bob.Dig · May 23, 2023, 5:21 PM

@ctuchik It covers only the firewall itself. "Any" is not advised though, you should define all the source networks (LANs) you like to use with the vpn.

ctuchik · May 23, 2023, 5:24 PM

@bob-dig OK got it, thanks again.