Netgate Discussion Forum

    Policy routing troubles

    Routing and Multi WAN

    tatroc

      Here is my problem,

      On my LAN interface I need to route to a specific IP, 168.63.129.16, via a gateway on the LAN side.
      On my WAN interface I need to route to the same IP, 168.63.129.16, via a gateway on the WAN side.
      This should be possible because the gateway on each side can reach that IP, 168.63.129.16, from either side.

      hn1 LAN = 10.111.253.181
      hn0 WAN = 10.111.252.7

      I set up policy-based routes via the firewall rules. The LAN interface never replies. 10.111.253.181

      
      [2.4.2-RELEASE][admin@azufw02]/root: tcpdump -n -i hn1
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on hn1, link-type EN10MB (Ethernet), capture size 262144 bytes
      15:20:34.369905 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
      15:20:34.387673 IP 168.63.129.16.59792 > 10.111.253.181.22: Flags [SEW], seq 297492948, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
      15:20:34.939682 IP 10.111.253.132.47782 > 40.85.190.91.443: Flags [S], seq 1867999283, win 29200, options [mss 1418,sackOK,TS val 17026736 ecr 0,nop,wscale 7], length 0
      15:20:37.370926 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
      15:20:37.388983 IP 168.63.129.16.59792 > 10.111.253.181.22: Flags [SEW], seq 297492948, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
      
      pfctl -sr | grep -e reply-to -e route-to
      
      pass out route-to (hn0 10.111.252.1) inet from 10.111.252.7 to ! 10.111.252.0/28 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on hn0 route-to (hn0 10.111.252.7) inet from <azure_load_balancer_healthcheck> to <hn0_wan> flags S/SA keep state label "USER_RULE: WAN_to_Azure_Load_balancer_Health"
      pass in quick on hn0 route-to (hn1 10.111.253.177) inet from any to <all_lan_addresses> flags S/SA keep state label "USER_RULE"
      pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto icmp from any to 10.111.252.7 keep state label "USER_RULE: Default ICMP rule"
      pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = ssh flags S/SA keep state label "USER_RULE: Default SSH rule"
      pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = https flags S/SA keep state label "USER_RULE: Default HTTPS rule"
      pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = http flags S/SA keep state label "USER_RULE: Default HTTP rule"
      pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan> flags S/SA keep state label "USER_RULE: LAN_to_Azure_Load_balancer_Health"
      pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <web_subnet> to 10.111.253.181 flags S/SA keep state label "USER_RULE"
      pass in quick on hn1 route-to (hn0 10.111.252.7) inet from <all_lan_addresses> to any flags S/SA keep state label "USER_RULE"
      pass in quick on hn1 route-to (hn0 10.111.252.1) inet from <vpn_clients> to any flags S/SA keep state label "USER_RULE"
      
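pf.conf(5) distinguishes the two options that appear in the listing above: route-to redirects the packet that matched the rule (forwarded traffic), while reply-to routes the state's reply packets back out through the given interface and next hop, which is what enforces symmetric routing. For a connection addressed to the firewall itself there is no forwarded packet to redirect, so only reply-to can pin where the firewall's own SYN-ACK leaves. The checker below is an added example, not the poster's configuration and not pfSense code: it parses the SYN lines from the tcpdump capture and the pfctl -sr rules quoted in the post, applies first-match quick semantics on the ingress interface, and reports every locally-destined flow whose matching rule carries no reply-to. The contents of the pf tables (azure_load_balancer_healthcheck, hn1_lan, web_subnet, all_lan_addresses) are assumed, since the post does not show them; on a real box `pfctl -t <name> -T show` is the source of truth.

```python
import re
import ipaddress

# Constructed sample input: SYN lines from the post's tcpdump on hn1 and a
# subset of the pfctl -sr listing, trimmed to the fields the checker needs.
TCPDUMP_HN1 = """\
15:20:34.369905 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, length 0
15:20:34.939682 IP 10.111.253.132.47782 > 40.85.190.91.443: Flags [S], seq 1867999283, win 29200, length 0
"""

PF_RULES = """\
pass out route-to (hn0 10.111.252.1) inet from 10.111.252.7 to ! 10.111.252.0/28 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on hn0 route-to (hn0 10.111.252.7) inet from <azure_load_balancer_healthcheck> to <hn0_wan> flags S/SA keep state label "USER_RULE: WAN_to_Azure_Load_balancer_Health"
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = ssh flags S/SA keep state label "USER_RULE: Default SSH rule"
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan> flags S/SA keep state label "USER_RULE: LAN_to_Azure_Load_balancer_Health"
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <web_subnet> to 10.111.253.181 flags S/SA keep state label "USER_RULE"
pass in quick on hn1 route-to (hn0 10.111.252.7) inet from <all_lan_addresses> to any flags S/SA keep state label "USER_RULE"
"""

# Assumed table contents (hypothetical: the post never lists them).
TABLES = {
    "azure_load_balancer_healthcheck": ["168.63.129.16/32"],
    "hn0_wan": ["10.111.252.7/32"],
    "hn1_lan": ["10.111.253.181/32"],
    "web_subnet": ["10.111.253.128/26"],
    "all_lan_addresses": ["10.111.253.0/24"],
}
# Addresses owned by the firewall itself (taken from the post).
LOCAL_ADDRS = {"10.111.252.7", "10.111.253.181"}
PORT_NAMES = {"ssh": 22, "http": 80, "https": 443}

RULE_RE = re.compile(
    r"^pass (?P<dir>in|out)(?: quick)?(?: on (?P<iface>\S+))?"
    r"(?: (?P<rt>route-to|reply-to) \((?P<gwif>\S+) (?P<gw>\S+)\))?"
    r" inet(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+) to (?P<dstneg>! )?(?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))?"
    r'.*?label "(?P<label>[^"]*)"'
)
PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Za-z.]+)\]")


def parse_rules(text):
    """Parse the subset of `pfctl -sr` syntax this check needs."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            d = m.groupdict()
            if d["port"]:
                d["port"] = int(PORT_NAMES.get(d["port"], d["port"]))
            rules.append(d)
    return rules


def addr_matches(spec, ip):
    """Does a pf address spec (any, <table>, host or CIDR) cover ip?"""
    if spec == "any":
        return True
    nets = TABLES.get(spec.strip("<>"), []) if spec.startswith("<") else [spec]
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)


def first_match(rules, iface, src, dst, dport):
    """First-match semantics for the `quick` pass-in rules on iface (TCP only)."""
    for r in rules:
        if r["dir"] != "in" or r["iface"] != iface:
            continue
        if r["proto"] not in (None, "tcp") or not addr_matches(r["src"], src):
            continue
        dst_ok = addr_matches(r["dst"], dst)
        if r["dstneg"]:
            dst_ok = not dst_ok
        if not dst_ok or (r["port"] is not None and r["port"] != dport):
            continue
        return r
    return None


def check_ingress(tcpdump_text, rules_text, iface):
    """For each SYN seen on iface, report whether the rule that passes it can
    steer the firewall's own reply: a locally-destined flow needs reply-to,
    because route-to only acts on the matched (forwarded) packet."""
    rules = parse_rules(rules_text)
    findings = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.search(line)
        if not m or "S" not in m.group(5):
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        r = first_match(rules, iface, src, dst, dport)
        local = dst in LOCAL_ADDRS
        findings.append({
            "flow": f"{src}:{m.group(2)} -> {dst}:{dport}",
            "rule": r["label"] if r else None,
            "option": r["rt"] if r else None,
            "to_firewall": local,
            "reply_path_pinned": (not local) or (r is not None and r["rt"] == "reply-to"),
        })
    return findings


if __name__ == "__main__":
    for f in check_ingress(TCPDUMP_HN1, PF_RULES, "hn1"):
        print(f)
```

Run against the post's data, the SSH SYN from 168.63.129.16 to 10.111.253.181 lands on the LAN_to_Azure_Load_balancer_Health rule, which has route-to but no reply-to, so the reply path is not pinned, whereas the LAN host's outbound 443 flow matches a forwarding rule where route-to is the right option. The equivalent WAN-side rules in the post (Default SSH/HTTPS/HTTP) do carry reply-to, which is the contrast worth checking when replies vanish on one side only.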
      
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.