Set reply-to on rules for an interface group

  • Hello,

    I'm considering incoming traffic on a dual WAN setup.
    Each interface has its own gateway set.
    Some of the traffic is NATed using regular NAT, some of it uses the built-in load balancer (no HAProxy or other software).

    If I set up a rule per interface to allow traffic, pfSense properly replies on each corresponding link.

    If I set up the same rule on an interface group or in floating rules, pfSense replies on the default gateway or gateway group.

    Any way to make pfSense answer on the incoming interface without setting each rule on each interface (which in my case would produce hundreds of rules)?


  • Rebel Alliance Developer Netgate

    It's not possible, because with a group, how is it supposed to know which gateway to send it back to?

    If we add a manual reply-to setting on the rule, then you'd still need to duplicate the rule, one per interface, with an appropriate reply-to gateway set, so it doesn't save you anything.

    Groups aren't macros to make multiple rules for each member interface, they are single rules that apply to multiple interfaces.

  • Thanks for your help.

    Actually, in my case, the easier way is to let pfSense create automagic associated rules. I was hoping to separate and delegate the NAT rules to other people while managing the firewall rules, which is why I wanted this feature. That's a no-go until/unless I create a rules generator.

    Let's turn it into a nice feature request ;) There is no reason why pf would not be able to store the router's MAC and incoming interface and reply-to accordingly ^^ (I used this setup on some hacked config some years ago with a single interface but multiple gateways, which was very convenient. I recollect an ipfw+ipf based setup on BSD 7 and I actually thought it would be built into pf.)

    See you around.
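The developer's answer above is that a group or floating rule is a single pf rule with no way to carry a per-interface reply-to, so the only way to pin replies to the ingress WAN is one rule per WAN interface, each with its own reply-to gateway; the original poster's last reply mentions writing a rules generator for exactly that. The script below is an added example of such a generator, not code from the thread, from pfSense or from Netgate: it expands each logical "allow proto/port" rule into one pf rule per WAN, with reply-to set to that WAN's interface and gateway, which is the shape pfSense itself emits for per-interface rules. The interface names (em0, em1), gateway addresses and the rule list are constructed for the example. On a real pfSense box the rules would be entered through the GUI or config rather than a hand-written pf.conf, so treat this as an illustration of the rule shape rather than a deployment script.

```shell
#!/bin/sh
# Constructed WAN -> gateway map (example values, not from the original thread).
# One line per WAN interface: "<interface> <gateway address>".
WAN_MAP='em0 203.0.113.1
em1 198.51.100.1'

# Constructed list of logical allow rules: "<proto> <port>".
RULE_LIST='tcp 443
tcp 25
udp 500'

# gen_rule IFACE GW PROTO PORT
# Emit one pf rule that accepts traffic arriving on IFACE and pins the reply
# path for the resulting state to (IFACE GW), so answers leave via the WAN the
# request came in on instead of the default gateway.
gen_rule() {
  printf 'pass in quick on %s reply-to ( %s %s ) inet proto %s from any to (%s) port %s keep state\n' \
    "$1" "$1" "$2" "$3" "$1" "$4"
}

# gen_group_rule GROUP PROTO PORT
# The group/floating form from the thread, for contrast: a single rule on the
# group with no reply-to, so replies follow the default gateway.
gen_group_rule() {
  printf 'pass in quick on %s inet proto %s from any to (%s) port %s keep state\n' \
    "$1" "$2" "$1" "$3"
}

# expand_rule PROTO PORT
# Expand one logical rule into one per-WAN rule with reply-to.
expand_rule() {
  echo "$WAN_MAP" | while read -r iface gw; do
    [ -n "$iface" ] || continue
    gen_rule "$iface" "$gw" "$1" "$2"
  done
}

# gen_ruleset
# Expand every logical rule in RULE_LIST; output is the per-interface ruleset
# the developer says is required (N WANs x M rules lines).
gen_ruleset() {
  echo "$RULE_LIST" | while read -r proto port; do
    [ -n "$proto" ] || continue
    expand_rule "$proto" "$port"
  done
}

# count_rules: number of emitted per-interface rules (WANs x logical rules).
count_rules() {
  gen_ruleset | wc -l | tr -d ' '
}

# Stand-alone use: print the expanded ruleset.
[ "${GEN_RULES_QUIET:-0}" = "1" ] || gen_ruleset
```

Each logical rule becomes one line per WAN, so a site with 2 WANs and 300 allow rules gets 600 pf rules, which is the "hundreds of rules" the poster wanted to avoid; the generator makes that duplication mechanical rather than removing it, matching the developer's point that a reply-to on a group rule would not save anything.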
