Netgate Discussion Forum
    VTI + Policy Routing/Gateways - Not Supported?

    Routing and Multi WAN
    ink

      Hello all,

      I'm trying to use pfSense with a somewhat complex setup, so bear with me....

      I have a pfSense box connected to a cable modem with the standard WAN-style IP address assigned. I have a VTI-based IPsec connection to a remote endpoint. The VTI tunnel link network is also a publicly-routable IPv4 network, with additional public IPv4 addresses passing through the VTI connection to other networks "inside" pfSense. Additionally, this will also pass IPv6 addressing carried over 6in4 tunnels over the VTI.
      In the IPsec rule chain, I have a rule that flags all ICMP traffic and all Type 41 (6in4) traffic with the alternative VTI interface gateway.

      However, if a host on the Internet pings the pfSense side of the VTI tunnel /30, pfSense tries to return the traffic out of the WAN interface and not the IPsec/VTI interface. This itself wouldn't necessarily be a problem, except that the same behavior is seen with the 6in4 tunneling of the IPv6 ranges. Since the tunnel IP range is public IPv4, the return traffic for the 6in4 packets is also going out the WAN interface.

      Do VTI-based interfaces not work with the "gateway" option in the rules matching? I've tried a number of combinations including floating rules in the "out" direction and a number of other strategies all without success.
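      One way to narrow this down from the pfSense shell is to look at what `pfctl -sr` shows for the rules on the VTI interface: a rule-level gateway shows up as `route-to` on the rule, and the marker pf uses to send reply traffic back out the receiving interface is `reply-to`. The following is an added example, not code from the original post or from pfSense itself; it parses constructed `pfctl -sr` output and lists the pass-in rules on a named interface that carry no `reply-to`. The sample rules, addresses and the interface name `ipsec1` are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `pfctl -sr` output (not captured from a real box).
# Protocol 41 (6in4) is printed by name as "ipv6" on FreeBSD.
SAMPLE_RULES = """\
pass in quick on em0 reply-to (em0 198.51.100.1) inet proto tcp from any to 203.0.113.10 port = 443 flags S/SA keep state
pass in quick on ipsec1 reply-to (ipsec1 203.0.113.2) inet proto icmp from any to any keep state
pass in quick on ipsec1 inet proto ipv6 from any to any keep state
pass in quick on ipsec1 route-to (ipsec1 203.0.113.2) inet proto ipv6 from any to any keep state
block drop in quick on em0 inet from 10.0.0.0/8 to any
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)(?:\s+(?:drop|return))?\s+(?P<dir>in|out)\b.*?\bon\s+(?P<iface>\S+)"
)
ROUTE_TO_RE = re.compile(r"\broute-to\s*\(([^)]+)\)")
REPLY_TO_RE = re.compile(r"\breply-to\s*\(([^)]+)\)")
PROTO_RE = re.compile(r"\bproto\s+(\S+)")


@dataclass
class Rule:
    action: str
    direction: str
    iface: str
    proto: Optional[str]      # None when the rule matches all protocols
    route_to: Optional[str]   # "(iface gateway)" text when a rule-level gateway is set
    reply_to: Optional[str]   # "(iface gateway)" text when reply traffic is pinned
    text: str


def parse_rules(output: str) -> list[Rule]:
    """Parse each non-empty line of pfctl -sr style output into a Rule."""
    rules: list[Rule] = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # headers or unrecognised lines are skipped, not guessed at
        proto = PROTO_RE.search(line)
        rt = ROUTE_TO_RE.search(line)
        rp = REPLY_TO_RE.search(line)
        rules.append(Rule(m["action"], m["dir"], m["iface"],
                          proto.group(1) if proto else None,
                          rt.group(1) if rt else None,
                          rp.group(1) if rp else None, line.strip()))
    return rules


def pass_in_without_reply_to(rules: list[Rule], iface: str) -> list[Rule]:
    """Inbound pass rules on `iface` whose states will not pin replies to that interface."""
    return [r for r in rules
            if r.iface == iface and r.direction == "in" and r.action == "pass" and r.reply_to is None]
```

      Rules returned by `pass_in_without_reply_to` create states whose reply packets follow the normal routing table, which on a box with a default route via WAN means they leave via WAN regardless of any `route-to` on the same rule.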

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.