Netgate Discussion Forum
    Enable reply-to on non-NAT rules?

    Category: Routing and Multi WAN
    • Vinch:

      Hello,

      I'm having trouble ensuring responses leave the router through the interface the original request was received from. The responses always leave through the default gateway attached to router 1 which is no good (seen via packet capture).

      Static IP WAN -> pfSense2 <-> Wireless link 192.168.50.0/29 <-> pfSense1 <-> Servers 10.17.51.0/24

      Not depicted is a WAN with a dynamic IP on pfSense1
      Running pfSense 2.4.4-RELEASE-p2 on both

      I have a rule on router 1 to direct outgoing connections from 10.17.51.x via the gateway on the wireless link which works correctly (I can surf the internet from servers using the NAT'ed public static IP).

      I am trying to set up a port forward on the static IP toward a server in 10.17.51.x, but because the replies exit router 1's default gateway, they get lost.

      Is there a way to enable or force enable reply-to for non-NAT rules? (Looking at /tmp/rules.debug, I only see reply-to enabled for rules that use NAT)

      Any other way of manipulating routing of replies?

      Thanks in advance!
      Vincent

      • Vinch (replying to own post):

        I manually edited the rules.debug to add the reply-to to the specific rule.

        After reloading using pfctl -f /tmp/rules.debug, my port forward is working as expected.

        In the GUI, I only see the option "Disable reply-to Disable auto generated reply-to for this rule." but no way of actually forcing a rule to be generated.

        • jimp (Netgate developer):

          All WAN-type interfaces get reply-to on their rules, not just NAT.

          You probably are missing a gateway selection on your wireless link interface settings.

          • Vinch @jimp:
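          The two posts above describe the same mechanism from two sides: Vinch hand-added `reply-to` to one rule in `/tmp/rules.debug`, and jimp points out that pfSense generates it automatically for every rule on an interface that has a gateway selected. The script below is an added example (not code from the thread or from pfSense) that audits a pf ruleset in `rules.debug` style: it flags inbound `pass` rules on gateway-bearing interfaces that lack `reply-to` (replies would follow the routing table, which is the symptom in the first post) or whose `reply-to` names a different interface, and shows what the corrected line looks like. The interface names `em0`/`em1`/`em2`, the gateway addresses and the sample rules are constructed; only the 192.168.50.0/29 and 10.17.51.0/24 networks come from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in pfSense rules.debug style. Interface names, the
# 203.0.113.1 gateway and 192.168.50.1 are placeholders, not the poster's values.
SAMPLE_RULES = """\
# em0 = default WAN, em1 = wireless link (192.168.50.0/29), em2 = servers (10.17.51.0/24)
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 10.17.51.10 port 22 keep state label "USER_RULE: ssh via default WAN"
pass in quick on em1 reply-to ( em1 192.168.50.1 ) inet proto tcp from any to 10.17.51.10 port 80 keep state label "USER_RULE: NAT web"
pass in quick on em1 inet proto tcp from any to 10.17.51.10 port 443 keep state label "USER_RULE: https, no reply-to"
pass in quick on em1 reply-to ( em0 203.0.113.1 ) inet proto udp from any to 10.17.51.10 port 1194 keep state label "USER_RULE: wrong reply-to interface"
pass in quick on em2 inet from 10.17.51.0/24 to any keep state label "USER_RULE: servers out"
"""

# Interfaces that have an upstream gateway selected (what pfSense treats as
# WAN-type). Constructed mapping; on a real box it mirrors the interface settings.
GATEWAYS: Dict[str, str] = {"em0": "203.0.113.1", "em1": "192.168.50.1"}

ON_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(\S+)")
REPLY_TO_RE = re.compile(r"\breply-to\s+\(\s*(\S+)\s+(\S+)\s*\)")
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def parse_rule(line: str) -> Optional[dict]:
    """Return interface, reply-to target and label of an inbound pass rule, else None."""
    m = ON_RE.match(line)
    if not m:
        return None  # comments, outbound rules, options, etc.
    rt = REPLY_TO_RE.search(line)
    lbl = LABEL_RE.search(line)
    return {
        "iface": m.group(1),
        "reply_to": (rt.group(1), rt.group(2)) if rt else None,
        "label": lbl.group(1) if lbl else "",
    }


def audit(text: str, gateways: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Flag inbound rules on gateway interfaces whose replies would not return via the ingress path."""
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None or rule["iface"] not in gateways:
            continue  # LAN-type interface: replies are routed normally, nothing to check
        if rule["reply_to"] is None:
            findings.append((no, rule["iface"], "no reply-to: replies follow the default route"))
        elif rule["reply_to"][0] != rule["iface"]:
            findings.append((no, rule["iface"],
                             f"reply-to uses {rule['reply_to'][0]}, not the ingress interface"))
    return findings


def with_reply_to(line: str, gateways: Dict[str, str]) -> str:
    """Return the rule with 'reply-to ( iface gw )' inserted after 'on iface' when it is missing."""
    rule = parse_rule(line)
    if rule is None or rule["reply_to"] is not None or rule["iface"] not in gateways:
        return line
    iface = rule["iface"]
    return line.replace(f"on {iface}", f"on {iface} reply-to ( {iface} {gateways[iface]} )", 1)


if __name__ == "__main__":
    lines = SAMPLE_RULES.splitlines()
    for no, iface, why in audit(SAMPLE_RULES, GATEWAYS):
        print(f"line {no} ({iface}): {why}")
        print("  fixed: " + with_reply_to(lines[no - 1], GATEWAYS))
```

Run against a copy of a real `rules.debug`, the script only reports; the durable fix is the one jimp gives (select a gateway on the interface so pfSense regenerates `reply-to` itself), since a hand-edited `rules.debug` is overwritten on the next filter reload.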

            @jimp
            Thank you for your reply. You are correct, I didn't enable that because the documentation warns about doing so on LAN interfaces.
            In my case, this interface gives me access to some LAN subnets so I was counting on static routes. It didn't really cross my mind to add an upstream gateway as a potential WAN interface. I confirm your solution resolved the issue.

            I really appreciate the work you guys put in this software and the time you take to answer questions in the forum. Thumbs up!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.