Policy based routing for traffic from pfSense itself ?



  • Hello,

    I am trying to set up a new outer firewall for our company, and because we had this setup running with a Barracuda firewall, I would like to use the same configuration again with pfSense. So the idea was to use no direct routing (no static route) between the outer and inner firewall. To achieve this we use policy based routing, and even though the rules work fine for all traffic that "flows" through the firewall, we are unable to policy route the traffic that comes directly from the pfSense itself (e.g. ping, WebMGMT reply packets).

    So would it be possible to apply a policy route with another gateway on traffic that comes from the pfSense itself, or is this traffic not affected by firewall rules and can only be routed via static routing?

    Regards,

    pfs-pdf



  • Not possible, unfortunately. Because of certain limitations in the operating system used (FreeBSD), policy routing can be applied only to traffic that actually enters a network interface from the outside; locally generated traffic never enters an interface and can't be tagged for alternate routing.



  • Pity, but I expected that already. I will work around it with some NAT rules on the inner firewall.

    Thank you



  • I think another limitation is that an inbound PBR isn't possible either? I thought I could catch the reply packets with a floating rule, but it seems not to work. Or is there any trick I haven't found yet?

    e.g. Traffic is coming from an inner firewall that sets the GW to the pfSense with PBR. pfSense has the default GW route and can send to the internet. For the way back pfSense needs to set a GW with PBR…

    Regards,

    pfs-pdv



  • No, that's not policy routing at all. What you need is a normal static route on pfSense with the WAN address of the inner router as the target for the traffic that is going to the LAN of the inner firewall. Static routes are set at System->Routing->Static Routes.

    Additionally I hope you're using a transit network between pfSense and inner firewall with no hosts on it? Otherwise you have a broken network setup with asymmetric routing.
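To make the two points above concrete (policy routing only attaches to traffic entering an interface; return traffic to the inner LAN is a plain static route), here is an added pf.conf fragment. It is constructed for this thread, is not posted by anyone in it, and is not the ruleset pfSense generates; the interface names, gateway addresses, transit network and inner LAN prefix are all assumed.

```pf
# Constructed example, not from the thread. Interface names and addresses are assumed.
# Assumed topology: WAN on em0, second WAN on em1, transit network 10.255.0.0/30 on em2
# (pfSense 10.255.0.1, inner firewall 10.255.0.2, no other hosts), inner LAN 192.168.10.0/24.
wan_if     = "em0"
wan_gw     = "203.0.113.1"
wan2_if    = "em1"
wan2_gw    = "198.51.100.1"
transit_if = "em2"
inner_fw   = "10.255.0.2"
inner_lan  = "192.168.10.0/24"

# 1. Policy routing for forwarded traffic: the route-to is attached to the
#    "pass in" rule on the interface the packet ENTERS (the transit interface).
#    This is what pfSense builds from a LAN/OPT rule with a gateway selected.
pass in quick on $transit_if inet from $inner_lan to any \
    route-to ($wan2_if $wan2_gw) keep state

# 2. Packets pfSense itself originates (ping from the box, GUI replies, its own
#    DNS lookups) never enter an interface, so no "pass in ... route-to" rule
#    can ever match them. They follow the kernel routing table, i.e. the default
#    route via $wan_gw. There is no rule that can be written here to change that.

# 3. Return traffic to the inner LAN is not policy routing either. pfSense needs
#    an ordinary static route (System->Routing->Static Routes), which ends up in
#    the FreeBSD routing table as the equivalent of:
#      route add -net 192.168.10.0/24 10.255.0.2
#    With a host-free transit network the forward and return paths stay symmetric.

# 4. For sessions that arrive on the second WAN, replies leave the way they came
#    in via reply-to (pfSense adds this automatically on WAN interface rules).
pass in quick on $wan2_if inet proto tcp from any to ($wan2_if) port 443 \
    reply-to ($wan2_if $wan2_gw) keep state
```

Rule 1 is the only place where a gateway choice is made per rule; rules 2 and 3 are why the original question has no PBR answer, and rule 4 covers the "reply packets" case for sessions that arrived on the alternate WAN, which is a different mechanism from policy routing traffic the firewall starts itself.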



  • @kpa:

    No, that's not policy routing at all. What you need is a normal static route on pfSense with the WAN address of the inner router as the target for the traffic that is going to the LAN of the inner firewall. Static routes are set at System->Routing->Static Routes.

    Actually that's exactly what I was trying to admit :)

    @kpa:

    Additionally I hope you're using a transit network between pfSense and inner firewall with no hosts on it? Otherwise you have a broken network setup with asymmetric routing.

    Yeah, a nice firewall transit network :)

    My understanding of policy based routing comes from Barracuda and Juniper. There it works at the routing level and not at the firewall level, so both directions are possible, in- and outbound. Posted a screen as an example.




