Netgate Discussion Forum
    Policy Routing Rule Not Working

    dma_pf

      I have my LAN set up to route all of its traffic out through a VPN provider, IVPN, by way of an interface group. The rule to accomplish this is:

      [screenshot: the LAN rule routing all traffic to the IVPN interface group]
      I have another rule which sits immediately above the rule I posted above. The rule has an alias of sites that I want the LAN to access via my laptop by routing out the WAN interface. This rule has worked flawlessly for a long time. The two rules together look like this:

      [screenshot: the two LAN rules, "SitesThroughWan" via WAN above the catch-all via IVPN]

      Today I went to add a new IP address, 52.227.223.80, to the "SitesThroughWan" alias, and when I went to test it I found that the top rule was no longer routing traffic out through the WAN. The firewall logs show this when I browse 52.227.223.80:

      [screenshot: firewall log entries for 52.227.223.80]

      You can see above that everything is being routed out to the IVPN Group by the second rule. And the states show this:

      [screenshot: state table entries for the connection]

      The IP address for the laptop is correct in the alias used in the top rule for the source. I've tried killing the states, reloading the rules and completely rebooting pfSense. But at this point I can't get any address in the "SitesThroughWan" alias to route out the WAN through the top rule. I don't know how long this has been broken, but I discovered that it wasn't working today when I went to add a new IP to the "SitesThroughWan" alias. I'm on 2.5.0-RELEASE.

      I'm stumped.

      stephenw10 (Netgate Administrator)

        You can see there are no opened states on that top rule so for some reason it's not matching the traffic.
        I would check the ruleset in /tmp/rules.debug to make sure it's being generated as expected. I would guess one of those aliases is not populating correctly, and it's probably SitesThroughWAN. Especially if that's a combination of IPs and FQDNs, say.
        Check Diag > Tables.

        However you should upgrade to 2.5.2, there are a number of things fixed since 2.5.0 that could be in play here.

        Steve

        dma_pf @stephenw10

          Thanks for your help Steve! I checked the /tmp/rules.debug file. The only notations for the SitesThroughWAN alias are:

          table <SitesThroughWAN> persist
          SitesThroughWAN = "<SitesThroughWAN>"
          
          pass  in log  quick  on $LAN  $GWWAN_DHCP inet from $Tonys_Laptop to $SitesThroughWAN tracker 1626125416 keep state  label "USER_RULE: Sites Routed through WAN  from Tony's Laptop"
          

          And for the Tonys_Laptop alias are:

          table <Tonys_Laptop> {   192.168.163.7  192.168.163.8 } 
          Tonys_Laptop = "<Tonys_Laptop>"
          
          pass  in log  quick  on $LAN  $GWWAN_DHCP inet from $Tonys_Laptop to $SitesThroughWAN tracker 1626125416 keep state  label "USER_RULE: Sites Routed through WAN  from Tony's Laptop"
          

          Diagnostic->Tables shows that SitesThroughWAN has no entries and Tonys_Laptop is correctly populated.

          The sites that I entered into the SitesThroughWAN alias are a combination of IPs and FQDNs.

          I hope that information is helpful. I've definitely got an upgrade to 2.5.2 planned, just need to find the time to get it done.

          stephenw10 (Netgate Administrator)

            @dma_pf said in Policy Routing Rule Not Working:

            Diagnostic->Tables shows that SitesThroughWAN has no entries

            Ok, well that's a problem. It can't match anything if it's not populated.

            Check the resolver logs. You may have something unresolvable in there.

            To workaround it before you upgrade I would move that to two aliases, one for IPs and one for FQDNs, and use two firewall rules.

            Steve

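The two checks Steve describes (read /tmp/rules.debug and confirm each table a rule references actually has members) and his workaround (split a mixed alias into an IP-only alias and an FQDN-only alias) can be scripted. The following is an added example written for this page; it is not code from the thread or from pfSense. The rules.debug excerpt it parses is a constructed sample modelled on the one posted above (the rule label is simplified, and a URL-table line is added to show the skip case), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself.
# Offline checks for the failure seen above: a pf table referenced by a
# policy-routing rule is defined but empty, so the rule can never match.
# The sample rules.debug excerpt below is constructed for the demo.

# Constructed sample modelled on the /tmp/rules.debug excerpt posted above
# (label simplified to avoid an apostrophe; URL-table line added).
write_sample() {
    cat > "$1" <<'EOF'
table <SitesThroughWAN> persist
SitesThroughWAN = "<SitesThroughWAN>"
table <Tonys_Laptop> {   192.168.163.7  192.168.163.8 }
Tonys_Laptop = "<Tonys_Laptop>"
table <UrlTable> persist file "/var/db/aliastables/UrlTable.txt"
pass  in log  quick  on $LAN  $GWWAN_DHCP inet from $Tonys_Laptop to $SitesThroughWAN tracker 1626125416 keep state  label "USER_RULE: Sites Routed through WAN from Tonys Laptop"
EOF
}

# Print the name of every table that rules.debug defines with no members.
# Tables preloaded from a file (URL-table aliases) are skipped: their
# contents are not visible in rules.debug, so nothing can be said here.
empty_tables() {
    awk '/^table </ && !/ file "/ {
        name = $2; gsub(/[<>]/, "", name)
        body = $0; sub(/^[^{]*/, "", body)   # keep "{ ... }", or "" if no braces
        gsub(/[{} \t]/, "", body)
        if (body == "") print name
    }' "$1"
}

# Of the empty tables, print those actually referenced by a pass/block/match
# rule through their macro ($Name): such rules can never create a state.
empty_tables_in_use() {
    empty_tables "$1" | while IFS= read -r t; do
        if grep -Eq '^(pass|block|match) .*\$'"$t"'( |$)' "$1"; then
            echo "$t"
        fi
    done
}

# Classify one alias entry as "ip" (IPv4/IPv6 address or prefix) or "fqdn".
classify_entry() {
    case "$1" in
        *:*) echo ip ;;   # anything containing a colon is treated as IPv6
        *)   if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
             then echo ip; else echo fqdn; fi ;;
    esac
}

# Split a space-separated alias entry list into the two aliases suggested
# above: one of addresses/networks, one of hostnames. Output is two lines,
# "ip:<entries>" and "fqdn:<entries>".
split_alias() {
    ips=""; fqdns=""
    for e in $1; do
        if [ "$(classify_entry "$e")" = ip ]; then ips="$ips $e"; else fqdns="$fqdns $e"; fi
    done
    printf 'ip:%s\nfqdn:%s\n' "${ips# }" "${fqdns# }"
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample "$sample"
echo "Empty tables referenced by rules:"
empty_tables_in_use "$sample"
echo "Proposed split of a mixed alias:"
split_alias '52.227.223.80 example.com 10.0.0.0/8 2001:db8::1'
rm -f "$sample"
```

On the firewall itself the live contents of a table can be compared with the generated ruleset using `pfctl -t SitesThroughWAN -T show`; an empty result for an alias that mixes addresses and hostnames is the symptom this thread shows, and the resolver log is where to look for the hostname that failed to resolve.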
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.