Source-routing and NAT port forwarding issue
greg01re last edited by
In my pfSense on APU2 setup, the packets coming from a particular host in the LAN
are source-routed to a VPN interface, thanks to a LAN rule matching the source IP.
The packets are then NATed and go through the VPN. This is working fine, validating
the source-routing mechanism.
For a service on the inside host, a port forward from the VPN interface is needed.
I've added the port forward rule along with its linked rule, and the packets coming from
the VPN on the defined port are reaching the inside host.
TCP sessions are not getting established though. It happens that in response to the
client's SYN packet, the inside host effectively sends the SYN/ACK, but:
This SYN/ACK isn't source-routed to the VPN interface, but goes to the default, as if the
source-routing rule was not matched.
The "Bypass firewall rules for traffic on the same interface" doesn't work, and it makes
sense because the SYN/ACK packet isn't hitting the proper interface (VPN one).
Do I miss something obvious? Is there a way to "trace" the packets and understand why
the SYN/ACK one wouldn't be matched by the source-routing rule, although it obviously
matches the source IP?