Policy routing troubles
Here is my problem:
on my LAN interface I need to route to a specific IP 168.63.129.16 via a gateway on the LAN side
on my WAN interface I need to route to the same IP 168.63.129.16 via a gateway on the WAN side
this should be possible because the gateway on each side can reach that IP 168.63.129.16 from either side.

hn1 LAN = 10.111.253.181
hn0 WAN = 10.111.252.7

I set up policy-based routes via the firewall rules. The LAN interface never replies.

10.111.253.181
[2.4.2-RELEASE][admin@azufw02]/root: tcpdump -n -i hn1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hn1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:20:34.369905 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
15:20:34.387673 IP 168.63.129.16.59792 > 10.111.253.181.22: Flags [SEW], seq 297492948, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
15:20:34.939682 IP 10.111.253.132.47782 > 40.85.190.91.443: Flags [S], seq 1867999283, win 29200, options [mss 1418,sackOK,TS val 17026736 ecr 0,nop,wscale 7], length 0
15:20:37.370926 IP 168.63.129.16.59791 > 10.111.253.181.22: Flags [SEW], seq 4102397329, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
15:20:37.388983 IP 168.63.129.16.59792 > 10.111.253.181.22: Flags [SEW], seq 297492948, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

pfctl -sr | grep -e reply-to -e route-to
pass out route-to (hn0 10.111.252.1) inet from 10.111.252.7 to ! 10.111.252.0/28 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on hn0 route-to (hn0 10.111.252.7) inet from <azure_load_balancer_healthcheck> to <hn0_wan> flags S/SA keep state label "USER_RULE: WAN_to_Azure_Load_balancer_Health"
pass in quick on hn0 route-to (hn1 10.111.253.177) inet from any to <all_lan_addresses> flags S/SA keep state label "USER_RULE"
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto icmp from any to 10.111.252.7 keep state label "USER_RULE: Default ICMP rule"
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = ssh flags S/SA keep state label "USER_RULE: Default SSH rule"
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = https flags S/SA keep state label "USER_RULE: Default HTTPS rule"
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = http flags S/SA keep state label "USER_RULE: Default HTTP rule"
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan> flags S/SA keep state label "USER_RULE: LAN_to_Azure_Load_balancer_Health"
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <web_subnet> to 10.111.253.181 flags S/SA keep state label "USER_RULE"
pass in quick on hn1 route-to (hn0 10.111.252.7) inet from <all_lan_addresses> to any flags S/SA keep state label "USER_RULE"
pass in quick on hn1 route-to (hn0 10.111.252.1) inet from <vpn_clients> to any flags S/SA keep state label "USER_RULE"
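As an added example (not part of the original post), a small Python evaluator that walks a copy of the `quick` rules from the `pfctl -sr` output above the way pf does (last match wins unless the match is `quick`), reports which rule catches the probe SYN seen in the hn1 capture, and states whether that rule carries `reply-to`, which per pf.conf(5) pins the path of the replies, or only `route-to`, which steers packets passing in the rule's own direction. The post does not print the table contents, so the entries in `TABLES` are assumed, and only the rules relevant to the capture are copied in.

```python
import ipaddress
import re
# Assumed table contents: the post does not print them, so these are hypothetical.
TABLES = {
    "azure_load_balancer_healthcheck": ["168.63.129.16"],
    "hn0_wan": ["10.111.252.7"], "hn1_lan": ["10.111.253.181"],
    "all_lan_addresses": ["10.111.253.128/25"],
}
# Rules copied from the post's `pfctl -sr` output (labels and flags dropped).
RULES = """\
pass in quick on hn0 route-to (hn0 10.111.252.7) inet from <azure_load_balancer_healthcheck> to <hn0_wan>
pass in quick on hn0 reply-to (hn0 10.111.252.1) inet proto tcp from any to 10.111.252.7 port = ssh
pass in quick on hn1 route-to (hn1 10.111.253.177) inet from <azure_load_balancer_healthcheck> to <hn1_lan>
pass in quick on hn1 route-to (hn0 10.111.252.7) inet from <all_lan_addresses> to any
""".splitlines()
RULE_RE = re.compile(
    r"pass (?P<dir>in|out)(?P<quick> quick)? on (?P<iface>\w+) "
    r"(?P<kind>route-to|reply-to) \((?P<rif>\w+) (?P<gw>[\d.]+)\) inet"
    r"(?: proto (?P<proto>\w+))? from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\w+))?")
PORTS = {"ssh": 22, "http": 80, "https": 443}

def addr_match(spec, ip):
    """Match a pf address spec: 'any', '<table>' or a bare host/CIDR."""
    nets = ["0.0.0.0/0"] if spec == "any" else TABLES[spec[1:-1]] if spec.startswith("<") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def first_match(direction, iface, proto, src, dst, dport):
    """Evaluate like pf: the last matching rule wins unless a match is 'quick'."""
    winner = None
    for line in RULES:
        r = RULE_RE.match(line).groupdict()
        if (r["dir"], r["iface"]) != (direction, iface):
            continue
        if (r["proto"] and r["proto"] != proto) or (
                r["port"] and int(PORTS.get(r["port"], r["port"])) != dport):
            continue
        if addr_match(r["src"], src) and addr_match(r["dst"], dst):
            winner = r
            if r["quick"]:
                break
    return winner

def return_path(rule):
    """pf.conf(5): route-to steers packets in the rule's own direction, reply-to steers the replies."""
    if rule is None:
        return "no rule matched"
    if rule["kind"] == "reply-to":
        return f"replies pinned to {rule['rif']} via {rule['gw']}"
    return f"matched packet steered to {rule['rif']} via {rule['gw']}; reply path not pinned"
```

Calling `return_path(first_match("in", "hn1", "tcp", "168.63.129.16", "10.111.253.181", 22))` evaluates the probe SYN from the capture; compare it with the same call for the WAN side (`"hn0"`, destination 10.111.252.7) to see which rule each side lands on.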
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.