Policy routing troubles
  • Here is my problem:

    On my LAN interface I need to route to a specific IP, 168.63.129.16, via a gateway on the LAN side.
    On my WAN interface I need to route to the same IP, 168.63.129.16, via a gateway on the WAN side.
    This should be possible because the gateway on each side can reach that IP, 168.63.129.16, from either side.

    hn1 LAN = 10.111.253.181
    hn0 WAN = 10.111.252.7

    I set up policy-based routes via the firewall rules. The LAN interface (10.111.253.181) never replies.

    
    [2.4.2-RELEASE][admin@azufw02]/root: tcpdump -n -i hn1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on hn1, link-type EN10MB (Ethernet), capture size 262144 bytes
    15:20:34.369905 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
    15:20:34.387673 IP 168.63.129.16.59792 > 10.111.253.181.22: Flags [SEW], seq 297492948, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
    15:20:34.939682 IP 10.111.253.132.47782 > 40.85.190.91.443: Flags [S], seq 1867999283, win 29200, options [mss 1418,sackOK,TS val 17026736 ecr 0,nop,wscale 7], length 0
    15:20:37.370926 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
    15:20:37.388983 IP 168.63.129.16.59792 > 10.111.253.181.22: Flags [SEW], seq 297492948, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
    
    pfctl -sr | grep -e reply-to -e route-to
    
    pass out route-to (hn0 10.111.252.1) inet from 10.111.252.7 to ! 10.111.252.0/28 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on hn0 route-to (hn0 10.111.252.7) inet from <azure_load_balancer_healthcheck> to <hn0_wan> flags S/SA keep state label "USER_RULE: WAN_to_Azure_Load_balancer_Health"
    pass in quick on hn0 route-to (hn1 10.111.253.177) inet from any to <all_lan_addresses> flags S/SA keep state label "USER_RULE"
    pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto icmp from any to 10.111.252.7 keep state label "USER_RULE: Default ICMP rule"
    pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = ssh flags S/SA keep state label "USER_RULE: Default SSH rule"
    pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = https flags S/SA keep state label "USER_RULE: Default HTTPS rule"
    pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = http flags S/SA keep state label "USER_RULE: Default HTTP rule"
    pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan> flags S/SA keep state label "USER_RULE: LAN_to_Azure_Load_balancer_Health"
    pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <web_subnet> to 10.111.253.181 flags S/SA keep state label "USER_RULE"
    pass in quick on hn1 route-to (hn0 10.111.252.7) inet from <all_lan_addresses> to any flags S/SA keep state label "USER_RULE"
    pass in quick on hn1 route-to (hn0 10.111.252.1) inet from <vpn_clients> to any flags S/SA keep state label "USER_RULE"
    
    

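The rules in the post mix route-to and reply-to, and pf.conf(5) defines them differently: route-to forwards the packet the rule matches, in that rule's own direction, while reply-to forwards the replies to it. On a `pass in` rule for traffic addressed to the firewall's own interface address, route-to therefore hands the arriving SYN to the listed next hop instead of delivering it locally, whereas reply-to delivers it and sends the answers back out via the gateway on the arriving interface (the auto-generated "Default SSH rule" on hn0 above is written that way). The script below is an added example, not code from the post or from pfSense: it parses `pfctl -sr` output and flags inbound route-to rules whose destination is a firewall-owned address, printing the reply-to form of each as the rule to review. The rule lines are copied from the post plus one constructed reply-to variant; the set of firewall-owned addresses is supplied by hand and assumes the hn0_wan and hn1_lan aliases hold the two interface addresses from the post.

```python
"""Audit `pfctl -sr` output for inbound rules that attach route-to to traffic
addressed to the firewall itself (added example, not pfSense code).

pf.conf(5): route-to acts on the matched packet in the rule's direction;
reply-to acts on the replies. For a `pass in` rule whose destination is a
firewall-owned address, route-to sends the packet onward instead of answering
it; reply-to is the form that routes the answers out the arriving interface.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Rule lines copied from the post, plus a constructed reply-to variant of the
# hn1 health-check rule (last line) to show the non-flagged form.
SAMPLE_RULES = """\
pass out route-to (hn0 10.111.252.1) inet from 10.111.252.7 to ! 10.111.252.0/28 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on hn0 route-to (hn0 10.111.252.7) inet from <azure_load_balancer_healthcheck> to <hn0_wan> flags S/SA keep state label "USER_RULE: WAN_to_Azure_Load_balancer_Health"
pass in quick on hn0 route-to (hn1 10.111.253.177) inet from any to <all_lan_addresses> flags S/SA keep state label "USER_RULE"
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = ssh flags S/SA keep state label "USER_RULE: Default SSH rule"
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan> flags S/SA keep state label "USER_RULE: LAN_to_Azure_Load_balancer_Health"
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <web_subnet> to 10.111.253.181 flags S/SA keep state label "USER_RULE"
pass in quick on hn1 route-to (hn0 10.111.252.7) inet from <all_lan_addresses> to any flags S/SA keep state label "USER_RULE"
pass in quick on hn1 reply-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan> flags S/SA keep state label "constructed: corrected form"
"""

# Addresses and aliases that resolve to the firewall itself. Assumption: the
# hn0_wan / hn1_lan aliases contain the interface addresses given in the post.
SELF_ADDRESSES = {"10.111.252.7", "10.111.253.181", "<hn0_wan>", "<hn1_lan>"}

# Matches the parts of a pfctl -sr line this audit needs; the "to" operand may
# be negated ("to ! 10.111.252.0/28").
RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)"
    r"(?:\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<policy>route-to|reply-to)\s+\((?P<gw_if>\S+)\s+(?P<gw_ip>[^)]+)\))?"
    r".*?\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>!?\s*\S+)"
)


@dataclass(frozen=True)
class Rule:
    line: str
    direction: str
    iface: Optional[str]
    policy: Optional[str]  # "route-to", "reply-to" or None
    gw_if: Optional[str]
    gw_ip: Optional[str]
    src: str
    dst: str


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one pfctl -sr line; returns None for lines the regex cannot read."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return Rule(line.strip(), m["dir"], m["iface"], m["policy"], m["gw_if"],
                m["gw_ip"], m["src"], m["dst"].replace(" ", ""))


def audit(rules_text: str, self_addresses: set[str]) -> list[dict]:
    """Flag `pass in` rules that apply route-to to traffic bound for the firewall."""
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None or r.direction != "in" or r.policy != "route-to":
            continue
        if r.dst not in self_addresses:
            continue  # forwarded traffic: route-to is the intended form there
        notes = ["inbound route-to on traffic addressed to the firewall; "
                 f"reply-to is the form that returns replies via {r.gw_if}"]
        if r.gw_ip in self_addresses:
            notes.append(f"next hop {r.gw_ip} is a firewall-owned address, not a gateway")
        findings.append({
            "iface": r.iface, "dst": r.dst, "next_hop": r.gw_ip, "notes": notes,
            # Same interface/next-hop pair, but applied to the replies instead.
            "suggested": r.line.replace("route-to (", "reply-to (", 1),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, SELF_ADDRESSES):
        print(f"on {f['iface']} to {f['dst']} (next hop {f['next_hop']}):")
        for note in f["notes"]:
            print("  -", note)
        print("  review as:", f["suggested"])
```

Run it against live output with `pfctl -sr | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`; the aliases and firewall addresses in SELF_ADDRESSES must be adjusted to the box being checked, since the script does not expand pf tables itself.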