Odd Policy Routing Behavior between Protocols to same host

  • Hi,
    I have setup policy routing so that all IPv4 traffic will route over a gateway group of 5 open vpn clients to AirVPN. The exception to this is to route netflix traffic out of the WAN interface.

    I noticed the other day when I was downloading an ubuntu iso, that it was getting downloaded via the WAN interface. When I ping or trace route to mirror.pnl.gov it will go over the vpn gateway group, but when I use curl to download the iso (tcp) it is getting routed via the WAN. I can see this also when using iftop on each interface.

    I am unable to see throughput changing on any of the rules I have setup on the rules page for the LAN so I am unsure why it would be routing only the tcp to that host via the WAN.

    Does anyone have any suggestions in how I might go about debugging this? Is there a tool to debug the pf rules to see which rule a connection would match on?

    Thanks in advance.

  • Rebel Alliance Developer Netgate

    You can take the output of "pfctl -vvss" (verbosely dump all states) and "pfctl -vvsr" (verbosely dump all rules) and then find the corresponding state for the connection in the vvss output, which will list a rule number that made the state. Take that number and look for @ <num>in the vvsr output.</num>

  • Thanks jimp. It turns out it is the squid proxy causing this. When I disable it, it works correctly.

    How can I configure squids outbound connections to route through the vpn gateway?

  • Rebel Alliance Developer Netgate

    That's a question for the cache/proxy board. There isn't really a great way to make that happen selectively, unfortunately, but IIRC some people there have come up with workarounds for certain cases.