Routing with floating rules instead of static routes
-
Hi,
Let me explain my situation as best I can.
I have 2 WAN connections. Basically, OPT1 is an OpenVPN connection, which works successfully, so WAN and OPT1 are 2 logical external interfaces. The default gateway is WAN at startup, but it's overridden by OpenVPN, so in the normal case the default gateway is OPT1.
Most of the traffic must go to the internet through OPT1. But I have to make some connections go through WAN.
I can make these exceptions work from LAN by adding firewall rules.
But these rules aren't applied for traffic generated from pfsense itself. So I've added some static routes. It works, but I don't like it, because I can't tell when a route must be applied or not.
So I'd prefer to manage routing from pfsense by adding floating rules.
The problem is the following:
OPT1 is my default gateway; if I add a floating rule which sends traffic to WAN, all this traffic is stopped, as if the WAN gateway couldn't be found. Of course if I change this static route to send traffic to OPT1, it works.
So it seems floating rules can't override static routes.
My English is not perfect, and my problem is hard to explain, so let me try to explain it in another way.
The goal is to route traffic from pfsense to internet.
By adding static routes it works.
By adding floating rules it doesn't, for gateways other than the default gateway.
Is this a bug, and how can I expect floating rules to do what I want?
Thanks a lot !
-
It depends on how you do it.
If you choose direction out you have to take into consideration that the traffic has already been natted.
I have been thinking of adding a kernel patch to make life easier for people like you. But I have not yet come close to it.
-
@ermal:
It depends on how you do it.
Maybe I'm wrong, so could you tell me how I can do it?
@ermal:
If you choose direction out you have to take into consideration that the traffic has already been natted.
How come traffic from pfSense can be NATed? I agree for traffic from LAN, but I don't understand why traffic from pfSense itself should be NATed. And even if it's the case, how do I configure these floating rules?
-
The problem is we can't specify the outgoing interface in floating rules, even if the interface is specified in the gateway configuration.
As I said, my default gateway is OPT1, so my default outgoing interface is OPT1. When I add a floating rule to make outgoing traffic go to another gateway address, it seems it tries to reach this other gateway through OPT1 anyway.
Please help!
Regards
-
hmm,
Have you already tried to put each gateway in a group and use it in a floating rule?
cya
-
hmm,
Have you already tried to put each gateway in a group and use it in a floating rule?
cya
Good idea, I just tried it, and it's the same thing :(
-
Here is a result from filter logs:
00:00:14.764128 rule 43/0(match): pass out on ovpnc1: 10.16.XX.XX.24052 > 74.86.XX.XX.80: tcp 40 [bad hdr length 0 - too short, < 20]
The problem is here: the rule sends packets to the WAN IP address, but through the ovpnc1 (OPT1) interface.
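To check whether a route-to rule actually moved traffic onto the intended interface, the pflog line above can be parsed and compared against the expected egress per destination. This is an added example, not from the thread or from pfSense; the log lines are constructed in the tcpdump pflog text format (the first mirrors the quoted line, with the masked octets replaced by made-up addresses), and the expected-egress table is an assumption standing in for your own policy.

```python
import re

# Constructed sample lines in tcpdump's pflog text format. Addresses are made up;
# the first line follows the shape of the line quoted in the thread.
SAMPLE_LOG = """\
00:00:14.764128 rule 43/0(match): pass out on ovpnc1: 10.16.0.2.24052 > 198.51.100.10.80: tcp 40 [bad hdr length 0 - too short, < 20]
00:00:15.102331 rule 43/0(match): pass out on em0: 192.168.0.1.24053 > 198.51.100.10.80: tcp 60
00:00:16.000001 rule 12/0(match): block in on em0: 203.0.113.5.4444 > 192.168.0.1.22: tcp 60
"""

# Fields: timestamp, rule number/subrule, reason, action, direction, interface,
# src.port > dst.port, protocol. Anything after the protocol (flags, "[bad hdr ...]") is ignored.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_pflog(text):
    """Return one dict per line that matches the pflog text format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            entry = m.groupdict()
            for key in ("rule", "sport", "dport"):
                entry[key] = int(entry[key])
            entries.append(entry)
    return entries


def find_misrouted(entries, expected_egress):
    """expected_egress maps a destination IP to the interface the policy should use.

    Returns (rule, dst, actual_interface) for every outbound pass that left on a
    different interface, i.e. where route-to did not take effect as intended.
    """
    mismatches = []
    for e in entries:
        if e["action"] == "pass" and e["dir"] == "out":
            wanted = expected_egress.get(e["dst"])
            if wanted and wanted != e["ifname"]:
                mismatches.append((e["rule"], e["dst"], e["ifname"]))
    return mismatches


if __name__ == "__main__":
    # Assumed policy: this destination must leave via the WAN interface em0.
    for hit in find_misrouted(parse_pflog(SAMPLE_LOG), {"198.51.100.10": "em0"}):
        print("rule %d: %s left on %s instead of the expected interface" % hit)
```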
-
I've just checked /tmp/rules.debug, and all seems to be OK:
# Gateways
GWGWFBX = " route-to ( em0 192.168.0.254 ) "
...
# User-defined rules follow
pass out log quick $GWGWFBX from any to 74.86.XX.XX keep state label "USER_RULE"
However, traffic is not sent to em0 but to ovpnc1.
I'm pretty sure there is a bug; can any admin answer me?
Thanks again!