Enable reply-to on non-NAT rules?
-
Hello,
I'm having trouble ensuring responses leave the router through the interface the original request was received from. The responses always leave through the default gateway attached to router 1 which is no good (seen via packet capture).
Static IP WAN -> pfSense2 <-> Wireless link 192.168.50.0/29 <-> pfSense1 <-> Servers 10.17.51.0/24
Not depicted is a WAN with a dynamic IP on pfSense1
Running pfSense 2.4.4-RELEASE-p2 on both.
I have a rule on router 1 to direct outgoing connections from 10.17.51.x via the gateway on the wireless link, which works correctly (I can surf the internet from servers using the NAT'ed public static IP).
I am trying to set up a port forward on the static IP toward a server in 10.17.51.x, but because the replies exit router 1's default gateway, they get lost.
Is there a way to enable or force enable reply-to for non-NAT rules? (Looking at /tmp/rules.debug, I only see reply-to enabled for rules that use NAT)
Any other way of manipulating routing of replies?
Thanks in advance!
Vincent
-
I manually edited the rules.debug to add the reply-to to the specific rule.
After reloading using pfctl -f /tmp/rules.debug, my port forward is working as expected.
In the GUI, I only see the option "Disable reply-to: Disable auto generated reply-to for this rule." but no way of actually forcing a rule to be generated.
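As an added illustration (not code from the thread or from pfSense itself), the script below shows what the manual edit of /tmp/rules.debug amounts to and gives a way to check which inbound pass rules on WAN-type interfaces lack a reply-to clause. The rule lines, interface names (em0, em1, em2) and gateway addresses are constructed for the example in the style pfSense writes to rules.debug; they are not taken from the original post. In pf syntax the reply-to clause sits directly after "on <interface>", which is where the script inserts it.

```python
import re

# Constructed sample in the style of pfSense's /tmp/rules.debug (not from the thread).
# Interface names and addresses are assumptions for the example.
SAMPLE_RULES = """\
# WAN rule: pfSense generated it with reply-to because em0 has a gateway
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 10.17.51.10 port 80 flags S/SA keep state label "USER_RULE: NAT http"
# Wireless-link rule: no reply-to because no gateway was set on the interface
pass in quick on em2 inet proto tcp from any to 10.17.51.10 port 443 flags S/SA keep state label "USER_RULE: https to server"
# LAN rule: must stay without reply-to
pass in quick on em1 inet from 10.17.51.0/24 to any keep state label "USER_RULE: Default allow LAN to any"
"""

# Matches the head of a pf filter rule: action, direction, optional quick, the
# interface ("em0" or a macro such as "$WAN"), and an optional reply-to clause.
RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)"
    r"(?:\s+reply-to\s*\(\s*(?P<rt_iface>\S+)\s+(?P<rt_gw>\S+)\s*\))?"
)


def rules_missing_reply_to(text, wan_ifaces):
    """Return (line number, interface) for every inbound pass rule bound to one
    of wan_ifaces that carries no reply-to clause. Replies matching such rules
    follow the routing table instead of going back out the receiving interface."""
    missing = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m or m.group("action") != "pass" or m.group("dir") != "in":
            continue
        if m.group("iface") in wan_ifaces and not m.group("rt_iface"):
            missing.append((lineno, m.group("iface")))
    return missing


def add_reply_to(line, gateway_ip, gw_iface=None):
    """Insert 'reply-to ( iface gateway )' after 'on <iface>' in a single rule.
    A rule that already has reply-to is returned unchanged."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a pf filter rule: %r" % line)
    if m.group("rt_iface"):
        return line
    clause = " reply-to ( %s %s )" % (gw_iface or m.group("iface"), gateway_ip)
    cut = m.end("iface")
    return line[:cut] + clause + line[cut:]


if __name__ == "__main__":
    # Treat em0 and em2 as WAN-type interfaces; em1 is the LAN and is skipped.
    for lineno, iface in rules_missing_reply_to(SAMPLE_RULES, {"em0", "em2"}):
        original = SAMPLE_RULES.splitlines()[lineno - 1]
        print("line %d (%s) lacks reply-to" % (lineno, iface))
        # 192.168.50.1 stands in for the next hop on the wireless link (assumed).
        print("  ->", add_reply_to(original, "192.168.50.1"))
```

Anything written this way into /tmp/rules.debug and loaded with pfctl -f only lasts until the next filter reload, when pfSense regenerates the file; the durable fix is to configure a gateway on the interface so the clause is generated for you. The check function is still useful afterwards to confirm that every rule on the link now carries reply-to.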
-
All WAN-type interfaces get reply-to on their rules, not just NAT.
You probably are missing a gateway selection on your wireless link interface settings.
-
@jimp
Thank you for your reply. You are correct, I didn't enable that because the documentation warns about doing so on LAN interfaces.
In my case, this interface gives me access to some LAN subnets, so I was counting on static routes. It didn't really cross my mind to add an upstream gateway as a potential WAN interface. I confirm your solution resolved the issue.
I really appreciate the work you guys put in this software and the time you take to answer questions in the forum. Thumbs up!