Policy filtering reply-to question
-
I redid the cleanest set of internal rules as quick floating rules; because there's no NAT, there's no reply-to caveat from floating/group rules. I kind of forgot one though... It should go about third from the top in the ruleset, but it's a pass rule scoping a single host, e.g. (single) host can pass traffic from here to there via that over there; then the mass/floating ruleset continues, still as quick rules, then interface rules, then back to non-quick floating rules to finish the ruleset.
The only way I can think of singling out this host is by tagging its traffic, then letting it out with the floating rule. I haven't done this before; it's been on my to-do list forever. The bible only has a paragraph on this but several where it goes "you shall never route floating some plus NAT something something a goat", I'm paraphrasing.
They forgot to clarify this specific case. Can the tagging help if there's NAT involved on the exit interface? I saw a MikroTik presentation many years ago where they used pfSense with tagging, so I'm hopeful. :)
10.4.2 Use with WAN Interfaces
We do not recommend using interface groups with multiple WANs. Doing so may appear to be convenient, but the group rules do not receive the same treatment as actual WAN tab rules. For example, rules on a tab for a WAN-type interface (Gateway selected on the interface configuration) will receive reply-to which allows pf to return traffic back via the interface from which it entered. Group tab rules do not receive reply-to which effectively means that the group rules only function as expected on the WAN with the default gateway.
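As an added illustration of the tag-and-release pattern the post describes (example rules written for this page, not taken from the post, the pfSense GUI, or the documentation quoted above), here is the same idea in raw pf.conf syntax, which is what pfSense generates under the hood. Interface names, addresses, the gateway and the tag name are constructed placeholders. The point it makes visible is the ordering: the single-host quick rule tags on ingress, the floating-style quick rule on the exit interface matches only `tagged` traffic, and only a rule on the WAN interface itself carries `reply-to`. In upstream pf the tag is attached to the packet independently of any address translation, which is what makes the pattern workable in principle; whether pfSense's generated ruleset preserves that once outbound NAT rewrites the source on the exit interface is exactly the open question the post raises, so the NAT line is there only to show where it sits in the order.

```pf
# Constructed example: raw pf.conf for "tag the host on the way in,
# release it with a floating rule". Names and addresses are placeholders.
lan_if = "igb1"
wan_if = "igb0"
wan_gw = "203.0.113.1"
special_host = "192.168.10.50"

# Outbound NAT on the WAN. Translation rules precede filter rules in
# classic pf.conf ordering; this is the "NAT on the exit interface" case.
nat on $wan_if from $lan_if:network to any -> ($wan_if)

# Default deny first: pf is last-match-wins for non-quick rules, so any
# later pass rule overrides this for the traffic it matches.
block log all

# Quick rule near the top, scoped to one host: the tag rides with the
# packet and state from here on. Other LAN hosts fall through untouched.
pass in quick on $lan_if proto { tcp udp } from $special_host to any \
    tag SPECIAL_HOST keep state

# Floating-style quick rule on the exit interface. It matches only the
# tagged traffic, so it cannot accidentally let the rest of the LAN out.
pass out quick on $wan_if tagged SPECIAL_HOST keep state

# WAN-tab equivalent: a rule on the WAN interface itself carries reply-to,
# so replies to connections that entered here leave via the same
# interface and gateway regardless of the routing table. A floating or
# group rule would not get this.
pass in on $wan_if reply-to ($wan_if $wan_gw) proto tcp \
    from any to ($wan_if) port 443 keep state

# Remaining interface rules and the closing non-quick floating rules
# would follow here, in the order the post describes.
```

Loading this with `pfctl -nf` checks the syntax only; to see whether a given host's flows actually pick up the tag and leave via the intended rule, `pfctl -ss` (state table) and `pfctl -vsr` (per-rule hit counters) are the places to look.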