Netgate Discussion Forum
    How does policy routing work in pfSense? (behind the GUI)

    Routing and Multi WAN

    senseivita:

      Policy-based routing couldn't be easier in pfSense. You add gateways and select them on firewall rules. Just as easily, by grouping those same gateways, you can apply load balancing, or tiering, or both.

      Learning, I branched out of pfSense into Linux, and it was only a matter of time before I had to face PBR on it, and it wasn't pretty. There are tables, which can have many rules per table, and default gateways, and somehow the main table has to be involved as well. Like metrics, tables and rules have priorities, but it's extra confusing because lower isn't always higher; higher is higher too (the order number). It's an arbitrary number, but not infinite, and some of them are reserved. You don't really put traffic in a gateway but more like "encourage" it towards one. Then there's mangling and traffic marking, in hex.

      For what it's worth though, I'm aware that in pfSense firewall rules don't really "select" either but rather they match the traffic — its attributes — and then it's let go (or explicitly ignored/declined), but it really does feel like it's so precise as if you'd have control of what's coming towards the interface. It's not like that in Linux. Not even in routing platforms with the easier purpose-built interfaces e.g. VyOS or Mikrotik's CHR/RouterOS, they all have the crazy complexity as standard.

      So, I'm curious how it all works under the abstraction of the GUI. Maybe then I'll understand better how it works in Linux or even illumos, who knows, if I have something to compare them to that I already understand, if abstractedly so. It's not just for Linux though; in OPNsense, states by default are unbound from interfaces (floating). I'm only half sure what the consequences of that are. Also, in OPNsense you can NAT in multi-interface rules and reply-to works, but strangely it doesn't if it's just a firewall (not a NAT) rule alone. Also, all [filter] rules may have the quick marker, which is exclusive to floating rules in pfSense. I'm curious about those differences as well.

      Are there any commands or FreeBSD native config files I can check out to observe pfSense's XML applied raw?

      I'd like to try to replicate pfSense's config in a FreeBSD machine I installed. The handbook is great, but I'm only barely in the network setup part; between Jails, bhyve, and prisons it's gonna be a while before I get to policy routing.

      I know my question is a little too broad, but just as well, I just need to be pointed in the right direction to go do my homework.

      Maybe you have some keywords I can Bing? (just kidding) A link to a secret PDF network admins pray to? The truth behind BGP 😂. A one- or one-thousand-line response, it's all appreciated.

      Thanks!

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia; it makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.


      SteveITS @senseivita:

        @senseivita check out:

        https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

        https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

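        To make the pf-ruleset link concrete, here is a hand-written pf.conf fragment (added to this thread, not pfSense's actual generated output) showing which pf primitives sit behind the GUI concepts the question raises: gateway selection, gateway groups, reply-to, quick, and interface-bound versus floating states. Interface names, addresses, and labels are made up for illustration.

```pf
# Added illustration, not the ruleset pfSense generates. Interfaces and
# addresses are invented; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges.
wan1_if = "igb0"
wan2_if = "igb1"
lan_if  = "igb2"
wan1_gw = "198.51.100.1"
wan2_gw = "203.0.113.1"
lan_net = "192.168.1.0/24"

# GUI: "select gateway WAN2 on a LAN firewall rule".
# pf: route-to on the pass rule. The packet is matched by the rule's
# attributes, then handed to that interface/next hop instead of the
# routing table. quick means first match wins; no later rule can
# override this decision.
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) inet proto tcp \
    from $lan_net to any port 443 flags S/SA keep state \
    label "HTTPS via WAN2"

# GUI: "gateway group" with load balancing.
# pf: a route-to pool. round-robin spreads new connections across the
# members; sticky-address keeps one source IP on the same member so
# sessions do not flip between WANs.
pass in quick on $lan_if \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } \
    round-robin sticky-address \
    inet from $lan_net to any keep state label "Default LB"

# GUI: reply-to on a WAN rule (automatic on pfSense WAN rules).
# pf: replies to a connection that entered on WAN2 are sent back out
# through WAN2's gateway, even if the routing table prefers WAN1.
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to ($wan2_if) port 22 flags S/SA keep state \
    label "SSH in via WAN2"

# State binding: pfSense binds states to the interface by default
# (if-bound); OPNsense's default described in the question is floating.
# A floating state also matches packets of that connection on other
# interfaces, which is why reply-to and route-to behave differently.
pass in quick on $wan1_if inet proto tcp from any to ($wan1_if) port 443 \
    flags S/SA keep state (if-bound) label "if-bound example"
pass in quick on $wan1_if inet proto tcp from any to ($wan1_if) port 80 \
    flags S/SA keep state (floating) label "floating example"
```

        To observe the real thing on a pfSense box, the generated ruleset is written to /tmp/rules.debug, and the loaded rules and states can be inspected with pfctl -sr and pfctl -ss -vv (the latter shows which interface each state is bound to).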
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.