Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Policy routing : specified gateway is ignored for traffic to others locales pfSense interfaces IPs ?

    Routing and Multi WAN
    1
    2
    342
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Stilgar
      last edited by

      Hi,

      I would like to ask for a issue we are facing, as it's sound weird but maybe not totally illogic, and i want to know why pf is doing this and how to work around it.

      Let me explain:

      On a brand new pfSense, we have one WAN interfaces, and two LAN interfaces.

      LAN1 IP is 192.168.1.1/24
      LAN2 IP is 192.168.2.1/24
      WAN IP is 212.X.X.1/24

      I have defined a Gateway on WAN interface as WAN_GW (212.X.X.254) and defined as default Gateway.

      • by default, no rules are set on interfaces, so i can't reach anything from anywhere:

      if i ping 192.168.1.1 (LAN1 IP interface) from a PC in LAN1 Subnet: it's dropped.
      if i ping 192.168.2.1 (LAN2 IP interface) from a PC in LAN1 Subnet: it's dropped.
      if i ping 192.168.2.10 (an host on LAN2 subnet) from a PC in LAN1 Subnet: it's dropped.

      Now, if i set a rule that say Allow from any to any on LAN1, without any specific gateway, i can reach anything from LAN1:

      if i ping 192.168.1.1 (LAN1 IP interface) from a PC in LAN1 Subnet: it pass.
      if i ping 192.168.2.1 (LAN2 IP interface) from a PC in LAN1 Subnet: it pass.
      if i ping 192.168.2.10 (an host on LAN2 subnet) from a PC in LAN1 Subnet: it pass.

      All that are expected behavior and there is nothing to worry about.

      But here come the "strangers" things:

      I want all my traffic to be forced to go trought the Gateway trught by definition, bypass the local routing table.
      so i set a rules that say "Allow from any to any" on LAN1 and i set a specific gateway (WAN_GW) in this rule, and there is what i obtain:

      if i ping 192.168.1.1 (LAN1 IP interface) from a PC in LAN1 Subnet: it pass locally and ping is OK (not expected).
      if i ping 192.168.2.1 (LAN2 IP interface) from a PC in LAN1 Subnet: it pass locally and ping is OK (not expected).
      if i ping 192.168.2.10 (an host on LAN2 subnet) from a PC in LAN1 Subnet: it successfully pass trought the WAN_GW and thus not reachable (AS EXPECTED).

      So here is my questions:

      1. why pf is totally ignoring the specified gateway specified in the rule causing ping to respond when trying to reach all IP set on local interfaces in pfSense from LAN1 (what is NOT what we want)?
      2. how to force pf to use the specified gateway for ALL the matched traffic, INCLUDING ip addressess that are locally set on pf interfaces ?

      Obviously, i could make rules before that one to block traffic to thoses IPs, but that not explain the behavior.

      Thanks in advance for all the answers and explanations.

      TL;DR pf is ignoring specific gateway in rules for all ip addresses that are attached to him: why ?

      1 Reply Last reply Reply Quote 0
      • S
        Stilgar
        last edited by

        Nobody has an explanation or a clue ?
        Do i need to fill a bug request ?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.