Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Order of routing

    Scheduled Pinned Locked Moved Routing and Multi WAN
    17 Posts 4 Posters 883 Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • tinfoilmattT Offline
      tinfoilmatt
      last edited by tinfoilmatt

      What, if anything, have you done with outbound NAT?

      V 1 Reply Last reply Reply Quote 0
      • V Offline
        viragomann @tinfoilmatt
        last edited by

        @tinfoilmatt
        I haven't used outbound NAT in this correlation and it shouldn't be necessary in this case.
        The TO wants to route out traffic to a certain destination to the WAN gateway. There should be already an existing rule on the WAN (automatic) which handles this traffic.

        tinfoilmattT 1 Reply Last reply Reply Quote 0
        • tinfoilmattT Offline
          tinfoilmatt @viragomann
          last edited by tinfoilmatt

          @viragomann said in Order of routing:

          There should be already an existing rule on the WAN (automatic) which handles this traffic.

          If OP wants to keep bashing their head up against your initial advice (i.e., "routing is done in the kernel and overrules any other routes"), sure.

          Strong suggestion to use "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)" radio under Firewall / NAT / Outbound, @Lillefjer, and ensure desired config. What you want to do should be possible with a translation rule on the IPsec interface.

          V 1 Reply Last reply Reply Quote 0
          • V Offline
            viragomann @tinfoilmatt
            last edited by

            @tinfoilmatt said in Order of routing:

            What you want to do should be possible with a translation rule on the IPsec interface.

            Translating to which IP address?
            An IPSec tunnel has no IP at all.

            @Lillefjer said in Order of routing:

            have a VPN tunnel with a remote network 10.0.0.0/8, but I have a single host 10.10.10.248 that I would like to have out of the WAN interface

            So 10.10.10.248 shouldn't be routed over the IPSec tunnel, but to the WAN gateway.
            Normally pfSense has an automatically generated outbound NAT rule on the WAN, which will translate this traffic to the WAN address.
            So why do you think, that there is any need for a manual rule?

            tinfoilmattT 1 Reply Last reply Reply Quote 0
            • L Offline
              Lillefjer @viragomann
              last edited by

              @viragomann I agree on the 10.0.0.0/8 but that is how the customer wants it. They have a huge network and need to reach our servers.

              This pfsense firewall is behind our datacenter firewall, so this firewalls WAN is connected to the datacenter firewall and should be able to connec to 10.10.10.248 which is our Opsview monitor host. But the IPSEC tunnel forces all 10.0.0.0/8 traffic our the enc0 interface.

              Another strange thing is, i have tried to make a outbound nat rule on the LAN interface, saying that traffik FROM 10.10.10.248 should be translated to the firewalls LAN adress. So the server see the firewall LAN address as src host and not the 10.10.10.248. But that didnt work either. I could see the trafik inter WAN interface but then i just disappered in the firewall.

              Tomorrow i will recap all the thing i have tried so far and post it here

              tinfoilmattT 1 Reply Last reply Reply Quote 1
              • tinfoilmattT Offline
                tinfoilmatt @viragomann
                last edited by

                @viragomann said in Order of routing:

                Translating to which IP address?
                An IPSec tunnel has no IP at all.

                Source 10.10.10.248/destination 'any' translated to 'LAN Address', perhaps? Would that not get those packets off the IPsec VTI and onto the LAN interface—and keep state? Not saying it's not kludgy, but like you said, we're wrestling with the kernel here!

                Plus there's a couple other ways I could think of to try there, with manually created rules (and no pesky hidden, automatic rules to confound me).

                @viragomann said in Order of routing:

                So why do you think, that there is any need for a manual rule?

                Some administrators prefer more granular control and/or are more paranoid than others. 😉

                1 Reply Last reply Reply Quote 0
                • tinfoilmattT Offline
                  tinfoilmatt @Lillefjer
                  last edited by tinfoilmatt

                  @Lillefjer Could try creating a VIP (Firewall / Virtual IPs) on the LAN interface, and translate 10.10.10.248-sourced traffic's destination to it. Again, like you're aware—just to get those 10.10.10.248-sourced packets out of the tunnel.

                  Now we're getting really kludgy, though.

                  Could also try to translate to WAN address to make sure you're bypassing LAN interface's routing table in case it sees that 10.0.0.0/8 route. Just make sure you then also include 10.10.10.248 in the source addresses that are translated to WAN address when egressing WAN interface outbound (i.e., 'standard' outbound NAT).

                  1 Reply Last reply Reply Quote 0
                  • keyserK Offline
                    keyser Rebel Alliance @Lillefjer
                    last edited by

                    @Lillefjer There is a MUCH simpler solution - simply bypass (exclude) that IP from the IPsec policy based route. That will cause it to follow the standard routing on your pfSense (leave on the expected interface).

                    It’s a MUCH overlooked feature in the VPN -> IPSEC -> Advanced tab. Simply enter the IPs to exclude from the policy and restart IPsec, and you are done :-)

                    ca59c321-e003-4e28-b119-a41104cbd33f-image.png

                    Love the no fuss of using the official appliances :-)

                    tinfoilmattT L V 3 Replies Last reply Reply Quote 3
                    • tinfoilmattT Offline
                      tinfoilmatt @keyser
                      last edited by

                      @keyser Daaaaang! Would 'up' that twice if I could, lol.

                      Please say you hadn't yet seen this setting, OP!

                      1 Reply Last reply Reply Quote 1
                      • L Offline
                        Lillefjer @keyser
                        last edited by

                        @keyser OMFG!!

                        It worked! The server in side (10.38.24.100) can ping the Opsview server a 10.10.10.248 via the WAN internface and not the IPSec.

                        Why didnt i know that filter?!!

                        I think that will solve all my problems.

                        keyserK 1 Reply Last reply Reply Quote 1
                        • keyserK Offline
                          keyser Rebel Alliance @Lillefjer
                          last edited by

                          @Lillefjer Just happy to help 👍😊

                          Love the no fuss of using the official appliances :-)

                          1 Reply Last reply Reply Quote 0
                          • L Offline
                            Lillefjer
                            last edited by

                            Everything works now.

                            Thanks alot everyone :)

                            1 Reply Last reply Reply Quote 1
                            • V Offline
                              viragomann @keyser
                              last edited by

                              @keyser said in Order of routing:

                              There is a MUCH simpler solution - simply bypass (exclude) that IP from the IPsec policy based route.

                              Wow. Didn't know this as well.
                              Thx.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.