Inconsistency in gateway selection
-
I'm trying to policy route all traffic from one of my LAN hosts through an OpenVPN tunnel.
The OpenVPN tunnel is working well.
I've created an alias that contains the host I want to push through the VPN.
There are 3 relevant screenshots:
- The first image shows (in the URL bar) that MAILVPN_VPNV4 is id=0.
- The second image shows that when I hover over the link for MAILVPN_VPNV4, the link at the bottom of the browser shows id=2
- When I click on the MAILVPN_VPNV4 link, it takes me to the gateway that is actually id=2 which is my STARLINK gateway.
I can't get the traffic from the host in vpn_hosts alias to actually go out the OpenVPN gateway (as evidenced by tcpdump) and I speculate gateway selection is the reason for that. However, if I configure the Gateway to errantly select my STARLINK gateway so that the link in the rule correctly references id=0, traffic still doesn't go through the OpenVPN link.
-
@hpeyerl said in Inconsistency in gateway selection:
When I click on the MAILVPN_VPNV4 link, it takes me to the gateway that is actually id=2 which is my STARLINK gateway.
This could naturally be an issue.
Does the MAILVPN_VPNV4 gateway show up as "online" in Status > Gateways?
I can't get the traffic from the host in vpn_hosts alias to actually go out the OpenVPN gateway (as evidenced by tcpdump) and I speculate gateway selection is the reason for that.
So can you see the traffic going out on the STARLINK gateway?
BTW: Consider that your policy routing rule will force any matching traffic to the MAILVPN_VPNV4 gateway, if it works. Hence the devices in the respective alias cannot access any other internal host, e.g. for DNS requests.
-
@viragomann said in Inconsistency in gateway selection:
Does the MAILVPN_VPNV4 gateway show up as "online" in Status > Gateways?
Well, that was the clue I needed. It was showing up 'red' when I hovered over the link and I wondered why. It hadn't occurred to me to look in Status->Gateways because I could ping the OpenVPN gateway from the pfSense shell prompt. But Status->Gateways did just show it as down. I had a misconfiguration in my server.conf (it did not have 'topology subnet', so the gateway being pushed was 10.8.0.9, which is the other end of the ovpnc connection, instead of 10.8.0.1).
So can you see the traffic going out on the STARLINK gateway?
That is (was) correct.
With 'topology subnet' on the server, it all just works now.
Hence the devices in the respective alias cannot access any other internal host, e.g. for DNS requests.
"internal" or "internet"? I assume by "internal" hosts you mean other hosts on the same LAN which they should be able to do since they're on the same L2 segment. But yes, that is what I'm wanting here.
So clearly the gateway selection in the webGUI was not the culprit but it still looks like a bug to me.
Thanks for pointing me in the right direction!
-
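The server.conf change that resolved the thread, written out as an added example (this is not configuration posted by either participant). It assumes the tunnel network is 10.8.0.0/24, that pfSense is an OpenVPN client (ovpnc) of this server as described above, and that the pfSense gateway uses its default monitor target (the gateway address itself). The "before" fragment is what an OpenVPN 2.x server does when no `topology` line is present (net30), the "after" fragment adds the single line that fixed it:

```conf
# Added example, not from the thread: the tunnel addressing before and
# after adding 'topology subnet' to the OpenVPN server.conf.
# Assumption: tunnel network 10.8.0.0/24, pfSense connects as a client.

# --- before: no 'topology' line, so OpenVPN 2.x falls back to net30 ---
dev tun
server 10.8.0.0 255.255.255.0
# net30 carves a separate /30 out of the pool for every client. The
# client's "gateway" is the server-side endpoint of that /30 (for a
# client at 10.8.0.10 that is 10.8.0.9), not the server's real tunnel
# address 10.8.0.1. That endpoint is not an interface the server
# answers on, so a pfSense gateway monitor pointed at it sees no replies,
# Status > Gateways marks the gateway down, and pfSense skips firewall
# rules that policy-route to a down gateway. This matches the thread:
# the OpenVPN peer was reachable, but the monitored address was not.

# --- after: server and all clients share one /24 ---
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
# The server is 10.8.0.1 on the tunnel, each client gets one address in
# 10.8.0.0/24 with 10.8.0.1 as its gateway, the monitor ping lands on a
# real interface, the gateway comes up, and the policy-routing rule that
# references MAILVPN_VPNV4 is actually installed.
```

Two checks worth doing after the change: confirm in Status > Gateways that MAILVPN_VPNV4 is online (not just that you can ping the far end from a shell, which the thread shows is not the same test), and then confirm with tcpdump on the ovpnc interface that traffic from the hosts in the vpn_hosts alias leaves through it. If the server cannot be changed, pfSense also allows setting an alternate "Monitor IP" on the gateway under System > Routing so the monitor targets an address that does answer; the policy-routing rule still only takes effect while the gateway is considered up.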
@hpeyerl said in Inconsistency in gateway selection:
"internal" or "internet"? I assume by "internal" hosts you mean other hosts on the same LAN which they should be able to do since they're on the same L2
Yes, traffic on the same L2 will not pass the router, but any other traffic which goes to it would be forced to the gateway. These could be other subnets or even packets destined to pfSense itself.
-
@viragomann said in Inconsistency in gateway selection:
Yes, traffic on the same L2 will not pass the router, but any other traffic which goes to it would be forced to the gateway. These could be other subnets or even packets destined to pfSense itself.
ok, yes. That is my intent. Thanks. :)