NATed response exits wrong WAN interface
-
I have two WANs. Both have the same ports forwarded to servers.
When I try to connect to the server via WAN2's public IP, I get no response to my client.
A packet capture shows pfSense's WAN2 IP trying to send my packets back to me across the WAN1 interface (the default route). How can I ensure the right interface is associated to the state of the connection and my return packets are NOT hijacked by the default route or routing table?
-
@AkkerKid-0
You have to define firewall rules for the incoming traffic on the interface rules tab only.
There must be no floating or interface group pass rule matching the incoming traffic! -
I make extensive use of pfblockerNG and keep it in the floating tab. I've now tried disabling it since it did produce some PASS rules that would include IP ranges that I'm testing from.
So far, it looks like it's making a difference. I didn't think firewall rules, floating or not, would impact the traffic of an already established state but, here we are.
Thanks! If this works out, I'll owe you a beer. -
@AkkerKid-0
It's because of the reply-to tagging. This is used in pfSense to route response packets back to the proper gateway. pfSense tags connections with it which enter on an interface with a gateway assigned. This is done by the filter rule.
However, rules on interface groups or floating rules can be applied on multiple interfaces. So the response gateway is not unique and hence pfSense doesn't add the reply-to tag. -
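An added illustration of the two cases in pf syntax (not from this thread or from pfSense's generated ruleset; the interface names em0/em1, gateway addresses and server address are assumed):

```pf
# Constructed example ruleset. Assumptions: WAN1 = em0 (gateway 198.51.100.1),
# WAN2 = em1 (gateway 203.0.113.1), forwarded server = 192.168.1.10:443.

# Interface-tab rule on WAN2: the rule is bound to exactly one interface with a
# gateway, so pfSense adds reply-to. The state remembers em1/203.0.113.1 and
# reply packets leave via WAN2 regardless of the default route.
pass in quick on em1 reply-to ( em1 203.0.113.1 ) inet proto tcp \
    from any to 192.168.1.10 port 443 flags S/SA keep state \
    label "USER_RULE: WAN2 HTTPS forward"

# Floating rule covering both WANs: it matches on two interfaces, so there is no
# single response gateway and no reply-to is attached. Floating rules are
# evaluated before interface rules, and with "quick" the first match wins, so a
# connection arriving on em1 that hits this rule creates a state without
# reply-to and its replies follow the routing table out of em0 (WAN1).
pass in quick on { em0 em1 } inet proto tcp \
    from any to 192.168.1.10 port 443 flags S/SA keep state \
    label "USER_RULE: floating pass (breaks multi-WAN replies)"
```

On the firewall itself, `pfctl -sr` lists the loaded rules so you can check whether the rule that matches the inbound connection actually carries a reply-to.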
@viragomann
Does that mean floating rules that allow a connection will override/bypass/skip interface rules that deny that same kind of connection? -
@AkkerKid-0 Sure, don't do that.
-
@AkkerKid-0
pfSense applies only one single filter rule to an incoming packet. But there is a strict order, and the first rule that matches gets applied.
See Rule Processing Order for details.