VTI + Policy Routing/Gateways - Not Supported?

Hello all,

I'm trying to use pfSense with a somewhat complex setup, so bear with me....

I have a pfSense box connected to a cable modem with the standard WAN-style IP address assigned. I have a VTI-based IPsec connection to a remote endpoint. The VTI tunnel link network is also a publicly-routable IPv4 network, with additional public IPv4 addresses passing through the VTI connection to other networks "inside" pfSense. Additionally, this will also pass IPv6 addressing carried over 6in4 tunnels over the VTI.

In the IPsec rule chain, I have a rule that flags all ICMP traffic and all Type 41 (6in4) traffic with the alternative VTI interface gateway.

However, if a host on the Internet pings the pfSense side of the VTI tunnel /30, pfSense tries to return the traffic out of the WAN interface and not the IPsec/VTI interface. This itself wouldn't necessarily be a problem, except that the same behavior is seen with the 6in4 tunneling of the IPv6 ranges. Since the tunnel IP range is public IPv4, the return traffic for the 6in4 packets is also going out the WAN interface.

Do VTI-based interfaces not work with the "gateway" option in the rule matching? I've tried a number of combinations, including floating rules in the "out" direction and a number of other strategies, all without success.
