Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Policy based routing (PBR) "bleeding" traffic (not preempting static routes consistently)

    Scheduled Pinned Locked Moved Routing and Multi WAN
    2 Posts 2 Posters 258 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      razvanme007
      last edited by

      Hi,

      We are experiencing an issue with PBR on our pfsense machine where firewall rules that should be enforcing PBR as well do not route all traffic over the desired interface.
      We are using the machine as an OpenVPN concentrator and have multiple interfaces:

      Internet:
      Destination Gateway Flags Netif Expire
      default "WANGateway" UGS em0.320
      172.17.16.0/24 172.19.64.129 UGS em0.20
      172.19.64.128/25 link#7 U em0.20
      172.19.64.140 link#7 UHS lo0
      172.19.72.0/23 link#8 U em0.43
      172.19.72.10 link#8 UHS lo0
      172.19.73.0/25 172.19.73.2 UGS ovpns1
      172.19.73.1 link#11 UHS lo0
      172.19.73.2 link#11 UH ovpns1

      The OpenVPN machine is doing proxyARP for the entire 172.19.73.0/25 segment. On the ovpns1 openVPN server instance, we also have firewall rules allowing 172.19.73.0/25 source to any destination on any port but setting the gateway to PBR traffic over the em0.43 interface instead of the em0.320 or em0.20 interfaces. When doing tcpdump on the em0.20 interface, I get packets sourcing from the ovpns1 interface, shiwch should have all been PBRed to the em0.43 interface. This is not for all traffic, it is only for some types of traffic. ICMP for example is going over the correct interface.

      Did you see this behavior before and how did you fix it? Is this a bug in the pfsense 2.4.4 version? Would upgrading to 2.4.5 fix it?

      21:11:56.063623 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
      21:11:56.166749 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 96
      21:11:56.168080 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
      21:11:56.481063 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
      21:11:56.584326 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 96
      21:11:56.585556 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
      21:11:56.906916 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112

      1 Reply Last reply Reply Quote 0
      • M Offline
        marvosa
        last edited by marvosa

        I would examine the rules on your OpenVPN tab and make them explicit otherwise traffic can get matched and sent down a different interface than you're expecting.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.