Policy based routing (PBR) "bleeding" traffic (not preempting static routes consistently)



  • Hi,

    We are experiencing an issue with PBR on our pfsense machine where firewall rules that should be enforcing PBR as well do not route all traffic over the desired interface.
    We are using the machine as an OpenVPN concentrator and have multiple interfaces:

    Internet:
    Destination Gateway Flags Netif Expire
    default "WANGateway" UGS em0.320
    172.17.16.0/24 172.19.64.129 UGS em0.20
    172.19.64.128/25 link#7 U em0.20
    172.19.64.140 link#7 UHS lo0
    172.19.72.0/23 link#8 U em0.43
    172.19.72.10 link#8 UHS lo0
    172.19.73.0/25 172.19.73.2 UGS ovpns1
    172.19.73.1 link#11 UHS lo0
    172.19.73.2 link#11 UH ovpns1

    The OpenVPN machine is doing proxyARP for the entire 172.19.73.0/25 segment. On the ovpns1 openVPN server instance, we also have firewall rules allowing 172.19.73.0/25 source to any destination on any port but setting the gateway to PBR traffic over the em0.43 interface instead of the em0.320 or em0.20 interfaces. When doing tcpdump on the em0.20 interface, I get packets sourcing from the ovpns1 interface, shiwch should have all been PBRed to the em0.43 interface. This is not for all traffic, it is only for some types of traffic. ICMP for example is going over the correct interface.

    Did you see this behavior before and how did you fix it? Is this a bug in the pfsense 2.4.4 version? Would upgrading to 2.4.5 fix it?

    21:11:56.063623 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
    21:11:56.166749 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 96
    21:11:56.168080 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
    21:11:56.481063 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
    21:11:56.584326 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 96
    21:11:56.585556 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112
    21:11:56.906916 IP 172.19.73.69.8369 > 172.17.16.190.56213: UDP, length 112



  • I would examine the rules on your OpenVPN tab and make them explicit otherwise traffic can get matched and sent down a different interface than you're expecting.


Log in to reply