Policy Based Routing and traffic leakage

  • Hi,

    I have a really weird issue (and setup as well).

    There is a tunnel to a distant location. I need several local hosts to send their traffic through their pfSense gateway via that tunnel and get to the Internet from the remote location only. I also need to have some ports forwarded at that remote location, so external hosts can reach my local hosts via that tunnel.

    The first part was an easy task. The tunnel is up. The firewall rule on the LAN interface sends all the packets to the tunnel and they eventually go out at the remote location. The reverse traffic is fine as well. This one works fine.

    The problem, though, is with the traffic that was initiated from external hosts to the remote public IP, which has some ports forwarded to my local hosts. The SYN packets from the Internet hit the remote public IP, then they go through the tunnel and reach the local servers. And this is when it becomes weird. When the servers reply with SYN ACK packets, the packets are not forwarded to the tunnel as the firewall policy on LAN requires them to be. These packets are being sent via WAN. I can see that in a tcpdump capture. So somehow pfSense disregards all the policies and follows the global routing table when the traffic is not initiated by these servers, but by remote hosts on the Internet.

    I'm at 2.4.4-RELEASE-p3 (amd64). Please let me know if you need more details.

  • Here is what I'm going to try.

    1. Create PBR for any WAN traffic as well.
    2. Remove default gateway from WAN.

    This should leave no choice for the OS.

  • It didn't help. Any traffic initiated from external sources via that tunnel ends up being responded via WAN interface. Any ideas?
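A way to confirm the leakage described in this thread from a capture, as an added example that is not part of the original posts: it correlates each inbound SYN seen on the tunnel interface with the matching outbound SYN-ACK and flags replies that left on a different interface. The capture format, the interface names `ovpnc1` (tunnel) and `em0` (WAN), and all addresses are constructed assumptions.

```python
import re

# Constructed sample lines in the style of `tcpdump -nn -i any` (interface name,
# direction, then the IP/TCP summary). Addresses and interface names are made up;
# "ovpnc1" is assumed to be the tunnel interface and "em0" the WAN interface.
SAMPLE_CAPTURE = """\
ovpnc1 In IP 203.0.113.10.51234 > 192.168.1.20.443: Flags [S], seq 1, win 64240, length 0
em0 Out IP 192.168.1.20.443 > 203.0.113.10.51234: Flags [S.], seq 100, ack 2, win 65535, length 0
ovpnc1 In IP 198.51.100.7.40000 > 192.168.1.21.22: Flags [S], seq 5, win 64240, length 0
ovpnc1 Out IP 192.168.1.21.22 > 198.51.100.7.40000: Flags [S.], seq 7, ack 6, win 65535, length 0
em0 Out IP 192.168.1.22.53122 > 8.8.8.8.53: Flags [S], seq 9, win 64240, length 0
"""

# Greedy "[\d.]+" backtracks to the last dot, so "192.168.1.20.443" splits into
# address 192.168.1.20 and port 443.
LINE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def find_leaks(capture, tunnel_if):
    """Return SYN-ACK replies whose SYN came in on tunnel_if but that left on another interface."""
    syn_in = {}  # (client, cport, server, sport) -> interface the SYN arrived on
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S" and m["dir"] == "In":
            syn_in[(m["src"], m["sport"], m["dst"], m["dport"])] = m["ifname"]
        elif m["flags"] == "S." and m["dir"] == "Out":
            # Reply direction: swap the endpoints to look up the original SYN.
            in_if = syn_in.get((m["dst"], m["dport"], m["src"], m["sport"]))
            if in_if == tunnel_if and m["ifname"] != tunnel_if:
                leaks.append({
                    "client": "%s:%s" % (m["dst"], m["dport"]),
                    "server": "%s:%s" % (m["src"], m["sport"]),
                    "in_if": in_if,
                    "out_if": m["ifname"],
                })
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE, "ovpnc1"):
        print("LEAK: reply from %(server)s to %(client)s entered on %(in_if)s, left on %(out_if)s" % leak)
```

Only the 192.168.1.20:443 reply is reported: the second forwarded connection answers back through the tunnel, and the DNS query is locally initiated so it is not a forwarded-port reply.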
