Policy based routing (PBR) "bleeding" traffic (not preempting static routes consistently)

  • Hi,

    We are experiencing an issue with PBR on our pfsense machine where firewall rules that should be enforcing PBR as well do not route all traffic over the desired interface.
    We are using the machine as an OpenVPN concentrator and have multiple interfaces:

    Destination Gateway Flags Netif Expire
    default "WANGateway" UGS em0.320
    UGS em0.20
    link#7 U em0.20
    link#7 UHS lo0
    link#8 U em0.43
    link#8 UHS lo0
    UGS ovpns1
    link#11 UHS lo0
    link#11 UH ovpns1

    The OpenVPN machine is doing proxy ARP for the entire segment. On the ovpns1 OpenVPN server instance, we also have firewall rules allowing source to any destination on any port but setting the gateway to PBR traffic over the em0.43 interface instead of the em0.320 or em0.20 interfaces. When doing tcpdump on the em0.20 interface, I get packets sourcing from the ovpns1 interface, which should have all been PBRed to the em0.43 interface. This is not for all traffic, it is only for some types of traffic. ICMP for example is going over the correct interface.

    Did you see this behavior before and how did you fix it? Is this a bug in the pfsense 2.4.4 version? Would upgrading to 2.4.5 fix it?

    21:11:56.063623 IP > UDP, length 112
    21:11:56.166749 IP > UDP, length 96
    21:11:56.168080 IP > UDP, length 112
    21:11:56.481063 IP > UDP, length 112
    21:11:56.584326 IP > UDP, length 96
    21:11:56.585556 IP > UDP, length 112
    21:11:56.906916 IP > UDP, length 112

  • I would examine the rules on your OpenVPN tab and make them explicit otherwise traffic can get matched and sent down a different interface than you're expecting.
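To illustrate the ordering problem the reply points at, here is an added pf rule fragment that is not from the thread or from pfSense itself. Interface names follow the question; the tunnel network 10.8.0.0/24 and the gateway 192.0.2.1 are placeholders.

```pf
# Added illustration, not from the thread. ovpns1 is the OpenVPN server
# interface, em0.43 the interface PBR should use, 192.0.2.1 a placeholder
# for its gateway and 10.8.0.0/24 a placeholder tunnel network.
# pfSense emits every GUI rule with "quick", so the first match wins and
# later rules never see the packet. Floating rules are evaluated before
# the OpenVPN group tab, and that tab before the per-interface tabs.

# Leaky ordering: a narrower rule without a gateway sits above the PBR rule.
# All tunnel UDP matches here and follows the default route (em0.320);
# everything else, ICMP included, falls through to the route-to rule.
pass in quick on ovpns1 proto udp from 10.8.0.0/24 to any keep state
pass in quick on ovpns1 route-to (em0.43 192.0.2.1) from 10.8.0.0/24 to any keep state

# Explicit ordering: every rule that is meant to be policy routed names
# the gateway, so no protocol can match a gateway-less rule first.
pass in quick on ovpns1 route-to (em0.43 192.0.2.1) proto udp from 10.8.0.0/24 to any keep state
pass in quick on ovpns1 route-to (em0.43 192.0.2.1) from 10.8.0.0/24 to any keep state

# Verify the effective order of the loaded ruleset rather than the GUI view:
#   pfctl -sr | grep ovpns1
```

Checking the loaded ruleset with `pfctl -sr` shows floating and group rules in the order pf actually applies them, which is where a rule without a gateway usually turns up.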
