Source-routing and NAT port forwarding issue

  • Hello,

    In my pfSense on APU2 setup, the packets coming from a particular host in the LAN
    are source-routed to a VPN interface, thanks to a LAN rule matching the source IP.
    The packets are then NATed and go through the VPN. This is working fine, validating
    the source-routing mechanism.

    For a service on the inside host, a port forward from the VPN interface is needed.

    I've added the port forward rule along with its linked rule, and the packets coming from
    the VPN on the defined port are reaching the inside host.

    TCP sessions are not getting established though. It happens that in response to the
    client's SYN packet, the inside host effectively sends the SYN/ACK, but:
    this SYN/ACK isn't source-routed to the VPN interface, but goes to the default, as if the
    source-routing rule was not matched.

    The "Bypass firewall rules for traffic on the same interface" doesn't work, and it makes
    sense because the SYN/ACK packet isn't hitting the proper interface (VPN one).

    Do I miss something obvious? Is there a way to "trace" the packets and understand why
    the SYN/ACK one wouldn't be matched by the source-routing rule, although it obviously
    matches the source IP?

    Thank you
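The handshake described in the post, modelled as a minimal stateful-firewall simulation (an added example, not pfSense or pf code; interface names, addresses and ports are constructed). It shows that the SYN/ACK answering an inbound, port-forwarded SYN is handled by the state created for that flow and never re-evaluated against the LAN policy-routing rule, so its egress depends on what the state recorded (the `reply_to` field here stands for pf's reply-to) rather than on the rule matching the source IP.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet is first seen on
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    iface: str
    match_src: Optional[str] = None
    match_dport: Optional[int] = None
    route_to: Optional[str] = None   # policy-route the flow's first packet
    reply_to: Optional[str] = None   # send the flow's replies back out here

class StatefulFirewall:
    """Simplified pf-style evaluation: state lookup first, rules only for new flows.
    Destination NAT of the port forward is omitted; only routing decisions are modelled."""
    def __init__(self, rules):
        self.rules = rules
        self.states = {}   # (src, sport, dst, dport) -> {"route_to", "reply_to"}

    def evaluate(self, p):
        """Return (what matched, egress) for one packet; 'default' = routing table."""
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.states:                    # reply direction: never hits rules
            return "state", self.states[rev]["reply_to"] or "default"
        if key in self.states:                    # later packets of the same direction
            return "state", self.states[key]["route_to"] or "default"
        for r in self.rules:                      # only a new flow is matched against rules
            if r.iface == p.iface and r.match_src in (None, p.src) \
                    and r.match_dport in (None, p.dport):
                self.states[key] = {"route_to": r.route_to, "reply_to": r.reply_to}
                return f"rule:{r.iface}", r.route_to or "default"
        return "none", None

LAN_HOST = "192.168.1.50"   # constructed inside host
CLIENT = "203.0.113.7"      # constructed client on the VPN side

def port_forward_handshake(vpn_rule_sets_reply_to):
    """Inbound SYN via the VPN port forward, then the inside host's SYN/ACK."""
    fw = StatefulFirewall([
        Rule("LAN", match_src=LAN_HOST, route_to="VPN"),          # policy-routing rule
        Rule("VPN", match_dport=8080,
             reply_to="VPN" if vpn_rule_sets_reply_to else None), # port-forward pass rule
    ])
    syn = Packet("VPN", CLIENT, 40000, LAN_HOST, 8080)
    syn_ack = Packet("LAN", LAN_HOST, 8080, CLIENT, 40000)
    return fw.evaluate(syn), fw.evaluate(syn_ack)

def outbound_from_lan_host():
    """The same host opening a connection itself: the LAN rule applies and policy-routes it."""
    fw = StatefulFirewall([Rule("LAN", match_src=LAN_HOST, route_to="VPN")])
    return fw.evaluate(Packet("LAN", LAN_HOST, 50000, "198.51.100.9", 443))
```

In this model the SYN/ACK reaches the VPN interface only when the state carries a reply-to; with none recorded it follows the default route, which is the symptom the post describes, so the state table rather than the rule set is where to look.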