Netgate Discussion Forum

    Policy Based Routing and traffic leakage

    Category: Routing and Multi WAN
      NetAche

      Hi,

      I have a really weird issue (and setup as well).

      There is a tunnel to a distant location. I need several local hosts to send their traffic through their pfSense gateway via that tunnel and get to the Internet from the remote location only. I also need to have some ports forwarded in that remote location, so external hosts can get to my local hosts via that tunnel.

      First part was an easy task. The tunnel is up. The firewall rule on LAN interface sends all the packets to tunnel and they eventually go outside in remote location. The reverse traffic is fine as well. This one works fine.

      The problem, though, is with the traffic that was initiated from external hosts to the remote public IP, which has some ports forwarded to my local hosts. The SYN packets from the Internet hit the remote public IP, then go into the tunnel and reach the local servers. And this is when it becomes weird. When the servers reply with SYN/ACK packets, the packets are not forwarded to the tunnel as the firewall policy on LAN requires them to be. These packets are being sent via WAN. I can see that in a tcpdump capture. So somehow pfSense disregards all the policies and follows the global routing table when the traffic is not initiated by these servers, but by remote hosts on the Internet.

      I'm at 2.4.4-RELEASE-p3 (amd64). Please let me know if you need more details.

        NetAche

        Here is what I'm going to try.

        1. Create PBR for any WAN traffic as well.
        2. Remove default gateway from WAN.

        This should leave no choice for the OS.

          NetAche

          It didn't help. Any traffic initiated from external sources via that tunnel ends up being responded via WAN interface. Any ideas?

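Editor's note with an added example; this is not code from the thread, from NetAche, or from pfSense. The behaviour described in the first post is what pf does when the state for a connection was created by a rule without reply-to: a LAN rule with a gateway (route-to) only governs connections that the LAN hosts initiate, while the reply path for a connection that arrived through the tunnel is pinned by the rule that passed it in on the tunnel interface. If that rule carries no reply-to, the SYN/ACK is routed by the main routing table and leaves via WAN, and neither a policy route on WAN nor removing the WAN default gateway changes which rule created the state. On pfSense, reply-to is added automatically only to rules on an assigned interface that has a gateway; rules on the OpenVPN tab (a group, not an assigned interface) do not get it, so the usual fix is to assign the tunnel as an interface and put the port-forward pass rules on that interface's tab. The thread does not say what kind of tunnel is in use; the script below assumes an assigned OpenVPN client interface `ovpnc1`, WAN `em0`, LAN `em1`, and made-up addresses. It audits a ruleset in the text form that `pfctl -sr` prints, with a constructed sample that contains one leaking rule.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Audits a pf ruleset
# (the text 'pfctl -sr' prints on pfSense) for inbound pass rules on the tunnel
# interface that carry no reply-to. A state created by such a rule has no return
# path pinned to the tunnel, so the SYN/ACK back to the Internet client follows
# the main routing table, i.e. goes out WAN. Interface names (em0 WAN, em1 LAN,
# ovpnc1 tunnel) and all addresses are assumptions.

# Constructed sample; on a live box replace with the output of:  pfctl -sr
SAMPLE_RULES='pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet proto tcp from 192.0.2.0/24 to any flags S/SA keep state label "USER_RULE: LAN hosts via tunnel"
pass in quick on ovpnc1 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "USER_RULE: NAT HTTPS"
pass in quick on ovpnc1 reply-to (ovpnc1 10.8.0.1) inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "USER_RULE: NAT SSH"
pass out quick on ovpnc1 inet all keep state label "let out anything from firewall host itself"'

# missing_reply_to IFACE RULES
# Prints every "pass in" rule on IFACE that has no reply-to; returns 1 if any.
missing_reply_to() {
    printf '%s\n' "$2" | awk -v iface="$1" '
        $1 == "pass" && $2 == "in" && index($0, " on " iface " ") && $0 !~ /reply-to \(/ {
            print; found = 1
        }
        END { exit found ? 1 : 0 }'
}

# count_missing_reply_to IFACE RULES
# Prints the number of offending rules on IFACE (0 when the ruleset is clean).
count_missing_reply_to() {
    missing_reply_to "$1" "$2" | awk 'END { print NR }'
}

# Confirm the leak on the wire: SYN/ACKs from the forwarded port should show up
# on the tunnel interface, not on WAN. Run on the firewall; port 443 is assumed.
#   tcpdump -ni ovpnc1 'src port 443 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
#   tcpdump -ni em0    'src port 443 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

if missing_reply_to ovpnc1 "$SAMPLE_RULES"; then
    echo "all inbound rules on ovpnc1 carry reply-to"
else
    echo "the rules above pass traffic in on ovpnc1 without reply-to: their replies follow the default route"
fi
```

In the sample, the NAT HTTPS rule is the leaking one: the SSH rule has `reply-to (ovpnc1 10.8.0.1)`, so replies for SSH states go back into the tunnel, while replies for HTTPS states are routed by the main table. The LAN rule's `route-to` is what makes locally initiated traffic use the tunnel; it does nothing for connections that arrive from the tunnel side.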
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.