How does tagging work?
-
Hello
I am trying to utilize the tagging function in the advanced section to make policy based routing easier. For example, first there are rules that tag certain traffic I would like to pass (such as traffic destined to port 80, 443, etc.), then a later rule sends all tagged traffic to a non-default gateway. Of course I can specify the gateway at each individual rule, but this would cost me a lot of time should I need to change the gateway.
Now my question is, since every normal rule has to pick an action from pass/drop/reject, does a tagging rule still follow the principle of "first match wins"? In other words, will packet processing stop at the tagging rule, or will it continue? If it would stop, I guess the only viable place to use tagging is a floating rule without "quick" set?
-
https://www.netgate.com/docs/pfsense/firewall/firewall-rule-processing-order.html
https://www.netgate.com/docs/pfsense/book/firewall/index.html
-
The tag won't ever work with rules on the same interface. What you can do is tag as the traffic enters the LAN and then match that tag on an outbound floating rule and take an action there. Most commonly that would be traffic shaping/limiters. You couldn't use that for policy routing.
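As an added illustration of the pattern described above, written as raw pf.conf rather than pfSense GUI rules and not taken from the thread or the Netgate docs; the interface macros, network and the ALTQ queue name qWeb are assumed placeholders:

```pf
# Constructed example: tag web traffic as it enters the LAN interface,
# then act on the tag in an outbound rule on a different interface (WAN).
# Interface names, the LAN network and the queue are assumptions.
lan_if  = "igb1"
wan_if  = "igb0"
lan_net = "192.168.1.0/24"

# LAN rule: tag HTTP/HTTPS as it enters the LAN side. This is an ordinary
# quick pass rule, so rule processing for the inbound packet stops here;
# a later rule on the same interface would never get to test the tag.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 } \
    tag WEB_OUT keep state

# Floating outbound rule on WAN: only packets carrying the tag match, and
# this is where the tag is acted on (here an ALTQ queue for shaping).
pass out quick on $wan_if tagged WEB_OUT queue qWeb keep state
```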
-
@jimp
Yep, found that out the hard way. Do you know any way to utilize existing egress filtering while also doing PBR on certain hosts? I know I can write a new complete set of rules for hosts that need PBR, but that is quite a bit of work to set up and maintain.