Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Policy-based routing: directly attached interface can never be overridden

    Scheduled Pinned Locked Moved NAT
    10 Posts 2 Posters 662 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      phil80
      last edited by phil80

      Here's my setup:

      • pfsense with VLAN10 (192.168.10.1/24) and VLAN300 (172.26.1.1/30).
      • CBS350 L3 switch: VLAN10 (192.168.10.2/24) and VLAN300 (172.26.1.2/30).

      CBS350 is the default gateway doing intervlan routing for VLAN10.
      Default 0.0.0.0/0 route on cbs350 is 172.26.1.1.

      So, all internet traffic is routed from VLAN10 clients -> cbs350 -> pfsense VLAN300 -> WAN.

      I keep VLAN10 interface set on pfsense so that it can provide DNS/DHCP/NTP services to VLAN10. I keep it only for lab and educational network testing.

      On pfsense, I added a gateway named cbs350_gw with:

      • interface = VLAN300
      • gateway = 172.26.1.2

      On pfsense, I added a NAT outbound in hybrid mode with a manual rule above automatic rules:

      • interface = VLAN300
      • source = VLAN10 subnets
      • destination = any
      • translation address = VLAN300 address.

      On pfsense VLAN300 interface, I added a firewall rule with:

      • source = VLAN10
      • target = internet alias
      • disable reply-to = checked
      • gateway = cbs350_gw

      With this, return internet traffic should be symmetric and returning through VLAN300.
      However, ping 8.8.8.8 from VLAN10 hosts shows echo requests going out from VLAN300 (expected) but replies still flowing through VLAN10 interface on pfsense

      Note: pfsense cannot add static routes for directly connected interfaces.

      To summarize the current state:
      Forward Path (VLAN10 Client -> Internet):

      • Client 192.168.10.x -> CBS350 192.168.10.2 (Default Gateway)
      • CBS350 routes 0.0.0.0/0 to pfSense 172.26.1.1
      • Traffic arrives on pfSense VLAN300 (from 172.26.1.2 / CBS350).
      • Outbound NAT Rule on pfSense (Source 192.168.10.0/24 -> 172.26.1.1 on VLAN300) works, as evidenced by echo requests going out VLAN300.
      • Traffic goes out pfSense WAN.

      Return Path (Internet -> VLAN10 Client):

      • Reply arrives on pfSense WAN.
      • pfSense de-NATs, destination is 192.168.10.x.
      • Problem: pfSense tries to send this reply out its VLAN10 interface (which has 192.168.10.1/24), rather than back through VLAN300 to the CBS350.

      Setting a gateway override in VLAN300 should make policy-based routing work as advertised. Why pfsense seems to always priorize locally attached interface over the policy based routing ?

      Obviously, the onyl proper fix would be to remove VLAN10 interface from pfsense. Still, technically, why this policy-based routing setup doesn't work ? Is it a bug or a kernel based implementation ? What's teh puropose of the gateway override in firewall rules in that case as they are supposed o make policy-based routing possible ?

      Please just answer/explain the technical part I mention and no need to general statements like: just remove VLAN10 interface or use pfsense as gateway

      johnpozJ P 2 Replies Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @phil80
        last edited by johnpoz

        @phil80 said in Policy-based routing: directly attached interface can never be overridden:

        I keep VLAN10 interface set on pfsense so that it can provide DNS/DHCP/NTP services to VLAN10.

        That is going to always cause issues.. A transit network should be used for routing to downstream networks. If you are using vlan10 as a transit - there shouldn't be any hosts on it or yeah your going to run into routing issues.

        So you think you should be able to create a route statement that says go to some other IP to get to network A, when the device has an interface in network A? Yeah that is not a thing.

        If you want to do such a thing you would have to nat at your cbs350 so the traffic looks like its coming from the cbs350 IP in your transit network vs the actual source IP of 192.168.10..

        Or, just because you don't want to hear it doesn't mean its not the correct way to do it - there shouldn't be an interface on your router for vlan 10, if you want to use vlan 300 as your transit to get to the network 192.168.10..

        If you want a vlan 10 on pfsense, then use that as the default gateway for devices on vlan 10, and set specific routes on this device to use your cbs350 as route to get to other networks being routed off your 350.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

        P 1 Reply Last reply Reply Quote 0
        • P Offline
          phil80 @phil80
          last edited by phil80

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • P Offline
            phil80 @johnpoz
            last edited by

            @johnpoz
            Yes, I fully got your answer. I can confirm that the way I posted is asymmetric internet return traffic with all security issues

            What's the purpose of the gateway override and disable reply-to in advanced firewall rules in that case ? Why they don't kick for internet return traffic after d-nat on WAN in this case ? I even tried applying them using a floating rule for VLAN300 in out direction but VLAN10, locally attached, is always priorized for return traffic. Am I missing a network fundamental or the policy-based firewall rule only applies to interfaces not directly connected ?

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @phil80
              last edited by

              @phil80 I think your misunderstanding a policy route.. And you can't tell pfsense to send to IP address on network B to get to network A, when pfsense has an IP in network A.

              You can either nat at your 350 so pfsense will send the return traffic back to your 350 for it to route it to the 192.168.10 address. Or you can remove the asymmetrical setup completely.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

              P 1 Reply Last reply Reply Quote 0
              • P Offline
                phil80 @johnpoz
                last edited by

                @johnpoz
                Sure, I was assuming that:
                1- NAT made on outgoing traffic from transit VLAN300 (source VLAN10, translating to VLAN300 address) would kick in for outgoing internet traffic from VLAN10 -> CBS350 -> VLAN300 -> NAT rule on VLAN300 -> WAN
                2- If I understand it well, D-Nat happens on return traffic and the source address translates back to VLAN10.
                3- Where I thought it would be ok is to set the gateway on VLAN300 firewall rule so that outgoing replies are forwarded to the VLAN300 gateway and not VLAN10.

                Can you confirm that my last assumption (3) was wrong because the gateway applies only to outgoing traffic from the interface and not to the replies (managed by states and routing table). Routing table priorize local attached networks and those can never be overridden by a static route

                So only fix, since cbs350 cannot do NAT, is to route on pfsense or DHCP outside it
                Unless the feature to enable kea DHCP feature to serve pools outside of the directly attached interfaces is once implemented

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @phil80
                  last edited by

                  @phil80 the correct setup for routing traffic via a downstream router is via a transit network. This would eliminate any asymmetrical traffic flow.

                  The cbs350 can do dhcp - so run dhcp server on it for the networks behind it. Or spin up some other dhcp server that can do scopes for network not attached and then setup relay/ip helper on your cbs switch.

                  https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/Administration-Guide/cbs-350/ipv4-configuration.html#ID-00001836

                  As to kea supporting that - I do believe that kea at some point will enable that. ISC dhcp could do that - but feature was never implemented into pfsense.. Same might be for kea, not sure. I don't recall seeing that as an option as of yet. But maybe at some point.

                  My take on dhcp in your router has always been its a simple solution for simple networks/needs - if you need more advanced abilities with your dhcp server it prob shouldn't be on your firewall/router anyway.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                  P 1 Reply Last reply Reply Quote 0
                  • P Offline
                    phil80 @johnpoz
                    last edited by phil80

                    @johnpoz
                    Thank you
                    Can I keep the transit VLAN rules that filter and NAT redirect DHCP requests flowing through transit VLAN in pfsense ? This would ensure DOT is done from pfsense and restrict some VLANs to Opendns servers.

                    Can I also keep the DNS resolver and use the transit address in pfsense to expose DNS and NTP services to the VLANs ?

                    I don't see a reason it won't if I set the source address of the rule to an alias with the VLANs subnet (192.168.10.1/24)

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @phil80
                      last edited by

                      @phil80 sure you can clients behind your 350 can get to anywhere they want that are allowed by your rules on your transit network. So if you want to point them to some dns or dot server or ntp. And sure you could provide dns/ntp on your transit network interface on pfsense, or they could point to any other dns/ntp server on your network they can get to.

                      As to redirecting dhcp via relay/helper on pfsense - not sure about that for downstream networks. But that ip helper should really be on the 350 that is directly attached to the network behind it.

                      dhcp would never get to pfsense transit interface to be relayed unless you were doing that on your 350. So Not sure what the point of sending that to pfsense transit IP, just to be sent on again to your dhcp server hosting multiple scopes. You would just send them to the dhcp server IP doing that right on your 350.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                      P 1 Reply Last reply Reply Quote 0
                      • P Offline
                        phil80 @johnpoz
                        last edited by

                        @johnpoz
                        Thank you for the clarifications
                        I finally opted to route everything on pfsense and remove SVIs on switch. It's so much easier than to manage the ACLs on switch

                        If I end up needing more L3 switching throughoutput on some vlans, I can always try a hybrid setup with static routes on pfsense and running the dhcp server on the switch for those vlans

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.