[SOLVED] Policy-Based Routing Not Consistently Going Out the Specified Gateway
-
pass in quick on $LAN $GWPIA_TX_CHI inet proto tcp from any to $Facebook port 443 tag "NO_WAN_EGRESS" tracker 1422073736 flags S/SA keep state label "USER_RULE: Allow Facebook"
pass in quick on $LAN inet proto tcp from any to $CloudFlare port $HTTP_HTTPS tracker 1422073738 flags S/SA keep state label "USER_RULE: CloudFlare"
pass in log quick on $LAN inet from 192.168.100.103 to <negate_networks> tracker 10000001 keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on $LAN $GWWANGW inet from 192.168.100.103 to any tracker 1505701172 keep state label "USER_RULE: Asus Tablet Out Naked WAN"

Anything at $Facebook/443 or $CloudFlare/$HTTP_HTTPS will not match your source 192.168.100.103 rules. That is probably your problem.
Put the most specific rules at the top.
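To make the ordering point concrete, here is an added first-match simulation of the four rules above (example code, not from anyone in the thread). The alias prefixes are constructed stand-ins, and the assumption that a rule with no gateway follows the default route (the VPN tunnel in the original poster's setup) is an inference from the thread:

```python
import ipaddress

# Constructed stand-ins for the pfSense aliases; not the real Facebook,
# CloudFlare or local address space.
ALIASES = {
    "Facebook": ["203.0.113.0/24"],
    "CloudFlare": ["198.51.100.0/24"],
    "negate_networks": ["192.168.0.0/16"],
}
HTTP_HTTPS = {80, 443}

# Rules in the order the original poster had them:
# (label, gateway, source host, destination alias, destination ports).
# gateway None = no policy route, so the packet follows the default route
# (assumed here to be the VPN tunnel, which is why sites "showed the VPN IP").
RULES = [
    ("Allow Facebook", "GWPIA_TX_CHI", None, "Facebook", {443}),
    ("CloudFlare", None, None, "CloudFlare", HTTP_HTTPS),
    ("NEGATE_ROUTE", None, "192.168.100.103", "negate_networks", None),
    ("Asus Tablet Out Naked WAN", "GWWANGW", "192.168.100.103", None, None),
]

def in_alias(name, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ALIASES[name])

def matches(rule, src, dst, dport):
    _, _, rsrc, rdst, ports = rule
    if rsrc is not None and src != rsrc:
        return False
    if rdst is not None and not in_alias(rdst, dst):
        return False
    if ports is not None and dport not in ports:
        return False
    return True

def first_match(rules, src, dst, dport):
    """pf 'quick' semantics: the first rule that matches wins; later rules never see the packet."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule[0], rule[1]
    return None, None

def tablet_first(rules):
    """The fix suggested above: host-specific rules move above the broad alias rules.
    sorted() is stable, so NEGATE_ROUTE stays ahead of the catch-all WAN rule."""
    return sorted(rules, key=lambda r: 0 if r[2] is not None else 1)

if __name__ == "__main__":
    pkt = ("192.168.100.103", "198.51.100.7", 443)   # tablet -> CloudFlare-fronted site
    print("original order:", first_match(RULES, *pkt))          # ('CloudFlare', None)
    print("tablet first:  ", first_match(tablet_first(RULES), *pkt))  # WAN gateway
```

Running it shows the tablet's HTTPS traffic to a CloudFlare prefix is claimed by the CloudFlare rule under the original order, while other LAN hosts are unaffected by the reorder.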
-
It was that damned CloudFlare rule.
I re-ran the list of places that previously showed the VPN IP and they all reported the real WAN IP as expected. I really hope this consistently fixes it. I'll update the thread if it doesn't fix it after I've pulled some hair out.
(BTW, those Facebook IPs are straight from Facebook so only include their CIDR blocks and nobody else. Back when that info was public.)
Shows VPN IP
TorGuard.net --> Shows real IP :)
DuckDuckGo "What is my IP" --> Shows real IP :)
whatismyipaddress.com --> Shows real IP :)
BearsMyIP.com --> Shows real IP :)
ipchicken.com --> Shows real IP :)
ipaddress.pro --> Shows real IP :)

Anecdotally, this also tells me just how many sites are CloudFlare customers (at least the free account). Holy crap it's a lot.