Netgate Discussion Forum

[SOLVED] Policy-Based Routing Not Consistently Going Out the Specified Gateway

Category: OpenVPN
42 Posts 4 Posters 10.1k Views
  • Derelict (LAYER 8, Netgate)
    last edited by Oct 17, 2017, 1:41 AM

    pass  in  quick  on $LAN  $GWPIA_TX_CHI inet proto tcp  from any to $Facebook port 443  tag "NO_WAN_EGRESS" tracker 1422073736 flags S/SA keep state  label "USER_RULE: Allow Facebook"
    pass  in  quick  on $LAN inet proto tcp  from any to $CloudFlare port $HTTP_HTTPS tracker 1422073738 flags S/SA keep state  label "USER_RULE: CloudFlare"
    pass  in log  quick  on $LAN inet from 192.168.100.103  to <negate_networks> tracker 10000001 keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in log  quick  on $LAN  $GWWANGW inet from 192.168.100.103 to any tracker 1505701172 keep state  label "USER_RULE: Asus Tablet Out Naked WAN"

    Anything at $Facebook/443 or $CloudFlare/$HTTP_HTTPS will not match your source 192.168.100.103 rules. That is probably your problem.

    Put the most specific rules at the top.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)
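To make the ordering point concrete, here is an added example (not code from the thread or from pfSense) that simulates pf's first-match "quick" evaluation over the four rules quoted above, once in their original order and once with the source-specific rules moved to the top. The alias contents are constructed placeholders, since the thread does not list the real $Facebook / $CloudFlare members, and protocol matching is ignored for brevity.

```python
import ipaddress

# Constructed placeholder alias contents (the real members are not on the page).
ALIASES = {
    "Facebook": ["203.0.113.0/24"],
    "CloudFlare": ["198.51.100.0/24"],
    "negate_networks": ["192.168.100.0/24"],   # local nets that bypass policy routing
}
ANY = ["0.0.0.0/0"]


def rule(label, src, dst, ports, gateway=None):
    """One 'pass in quick' rule; gateway=None means plain routing-table lookup."""
    return {"label": label, "src": src, "dst": dst, "ports": ports, "gateway": gateway}


# The four rules from the post, in the order the ruleset evaluates them.
ORIGINAL_ORDER = [
    rule("Allow Facebook", ANY, ALIASES["Facebook"], {443}, "GWPIA_TX_CHI"),
    rule("CloudFlare", ANY, ALIASES["CloudFlare"], {80, 443}),
    rule("NEGATE_ROUTE", ["192.168.100.103/32"], ALIASES["negate_networks"], None),
    rule("Asus Tablet Out Naked WAN", ["192.168.100.103/32"], ANY, None, "GWWANGW"),
]
# Same rules with the most specific (source-bound) ones first.
SPECIFIC_FIRST = ORIGINAL_ORDER[2:] + ORIGINAL_ORDER[:2]


def _in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def first_match(rules, src, dst, dport):
    """Return (label, gateway) of the first matching rule, as 'quick' does."""
    for r in rules:
        if _in(src, r["src"]) and _in(dst, r["dst"]) and (r["ports"] is None or dport in r["ports"]):
            return r["label"], r["gateway"]
    return None, None


if __name__ == "__main__":
    # Tablet -> a CloudFlare-fronted site: original order hits the CloudFlare rule
    # (no gateway, so it follows the routing table); reordered, it gets GWWANGW.
    print(first_match(ORIGINAL_ORDER, "192.168.100.103", "198.51.100.7", 443))
    print(first_match(SPECIFIC_FIRST, "192.168.100.103", "198.51.100.7", 443))
```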

    • Finger79
      last edited by Oct 17, 2017, 3:23 AM

      It was that damned CloudFlare rule.
      I re-ran the list of places that previously showed the VPN IP and they all reported the real WAN IP as expected.

      I really hope this consistently fixes it.  I'll update the thread if it doesn't fix it after I've pulled some hair out.

      (BTW, those Facebook IPs are straight from Facebook so only include their CIDR blocks and nobody else.  Back when that info was public.)

      Shows VPN IP
      TorGuard.net --> Shows real IP :)
      DuckDuckGo "What is my IP" --> Shows real IP :)
      whatismyipaddress.com --> Shows real IP :)
      BearsMyIP.com --> Shows real IP :)
      ipchicken.com --> Shows real IP :)
      ipaddress.pro --> Shows real IP :)

      Anecdotally, this also tells me just how many sites are CloudFlare customers (at least the free account).  Holy crap it's a lot.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.