Policy Routing Rule Not Working
-
I have my LAN set up to route all of its traffic out through a VPN provider, IVPN, by way of an interface group. The rule to accomplish this is:
I have another rule set which sits immediately above the rule I posted above. The rule has an alias of sites that I want the LAN to access via my laptop by routing out the WAN interface. This rule has worked flawlessly for a long time. The two rules together look like this:
Today I went to add a new IP address, 52.227.223.80, to the "SitesThroughWan" alias and when I went to test it I found that the top rule was no longer routing traffic out through the WAN. The firewall logs show this when I browse 52.227.223.80:
You can see above that everything is being routed out to the IVPN Group by the second rule. And the states show this:
The IP address for the laptop is correct in the alias used in the top rule for the source. I've tried killing the states and reloading the rules and completely rebooting pfSense. But at this point I can't get any address in the "SitesThroughWan" alias to route out the WAN through the top rule. I don't know how long this has been broken but discovered that it wasn't working today when I went to add a new IP to the "SitesThroughWan" alias. I'm on the 2.5.0-RELEASE.
I'm stumped.
-
You can see there are no opened states on that top rule so for some reason it's not matching the traffic.
I would check the ruleset in /tmp/rules.debug to make sure it's being generated as expected. I would guess one of those aliases is not populating correctly and it's probably SitesThroughWAN. Especially if that's a combination of IPs and FQDNs, say.
Check Diag > Tables.
However you should upgrade to 2.5.2, there are a number of things fixed since 2.5.0 that could be in play here.
Steve
-
Thanks for your help Steve! I checked the /tmp/rules.debug file. The only notations for the SitesThroughWAN alias are:
table <SitesThroughWAN> persist
SitesThroughWAN = "<SitesThroughWAN>"
pass in log quick on $LAN $GWWAN_DHCP inet from $Tonys_Laptop to $SitesThroughWAN tracker 1626125416 keep state label "USER_RULE: Sites Routed through WAN from Tony's Laptop"
And for the Tonys_Laptop alias are:
table <Tonys_Laptop> { 192.168.163.7 192.168.163.8 }
Tonys_Laptop = "<Tonys_Laptop>"
pass in log quick on $LAN $GWWAN_DHCP inet from $Tonys_Laptop to $SitesThroughWAN tracker 1626125416 keep state label "USER_RULE: Sites Routed through WAN from Tony's Laptop"
Diagnostic->Tables shows that SitesThroughWAN has no entries and Tonys_Laptop is correctly populated.
The sites that I entered into the SitesThroughWAN alias are a combination of IPs and FQDNs.
I hope that information is helpful. I've definitely got an upgrade to 2.5.2 planned, just need to find the time to get it done.
-
@dma_pf said in Policy Routing Rule Not Working:
Diagnostic->Tables shows that SitesThroughWAN has no entries
Ok, well that's a problem. It can't match anything if it's not populated.
Check the resolver logs. You may have something unresolvable in there.
To work around it before you upgrade I would move that to two aliases, one for IPs and one for FQDNs, and use two firewall rules.
Steve
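Added example, not part of the thread and not pfSense's own tooling: a small shell check that covers both of Steve's suggestions, reading /tmp/rules.debug to find alias tables that are declared without any inline members (the `table <X> persist` form quoted above, which pf only fills later from the resolver) and, on a live pfSense/FreeBSD box, counting what pf actually holds in such a table with `pfctl -t NAME -T show` (the same data Diag > Tables displays). An empty result for a table a `pass` rule depends on means the rule can never match, which is exactly the symptom in this thread. The sample rules.debug text is constructed to mirror the two alias definitions quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: spot pf alias tables that a pfSense rules.debug declares without
# inline members, then (on a live box) check whether pf holds any entries for them.
# The function names are hypothetical; the sample input below is constructed.

# Print the names of tables declared with no inline members, e.g.
#   table <SitesThroughWAN> persist              -> printed (resolver-filled)
#   table <Tonys_Laptop> { 192.168.163.7 ... }   -> skipped (static members)
# Reads rules.debug text on stdin.
unpopulated_tables() {
    awk '
        /^table <[^>]+>/ {
            name = $2
            gsub(/[<>]/, "", name)
            # Skip tables whose { ... } body contains at least one address character.
            if ($0 ~ /[{][^}]*[0-9a-fA-F:.][^}]*[}]/) next
            print name
        }
    '
}

# Number of entries pf currently holds for table $1 (root on pfSense/FreeBSD).
# Prints nothing and returns non-zero when pfctl is not available, e.g. off-box.
table_entry_count() {
    command -v pfctl >/dev/null 2>&1 || return 1
    pfctl -t "$1" -T show 2>/dev/null | grep -c .
}

# Constructed sample modelled on the rules.debug excerpts quoted in the thread.
sample_rules_debug() {
    cat <<'EOF'
table <SitesThroughWAN> persist
SitesThroughWAN = "<SitesThroughWAN>"
table <Tonys_Laptop> { 192.168.163.7 192.168.163.8 }
Tonys_Laptop = "<Tonys_Laptop>"
pass in log quick on $LAN $GWWAN_DHCP inet from $Tonys_Laptop to $SitesThroughWAN tracker 1626125416 keep state label "USER_RULE: Sites Routed through WAN from Tony's Laptop"
EOF
}

# Offline demo on the constructed sample (prints: SitesThroughWAN).
sample_rules_debug | unpopulated_tables

# On a pfSense box, run the same check against the real file and then ask pf
# how many entries each resolver-filled table really has; a count of 0 for a
# table referenced by a pass rule explains a rule that never matches:
#   for t in $(unpopulated_tables < /tmp/rules.debug); do
#       printf '%s: %s entries\n' "$t" "$(table_entry_count "$t")"
#   done
```

If the count is 0, the next place to look is the resolver log (Status > System Logs > DNS Resolver) for the names in the alias, as the last reply says; an alias that mixes IPs and FQDNs and fails to resolve one name is the case the thread ends on, and splitting it into an IP alias and an FQDN alias makes the static half keep working regardless.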