How does policy routing work in pfSense? (behind the GUI)
-
Policy-based routing couldn't be easier in pfSense. You add gateways and select them on firewall rules. Just as easily by just grouping those same gateways you can apply load balancing, or tiering, or both.
Learning, I branched out of pfSense into Linux, and it was only a matter of time before I had to face PBR on it, and it wasn't pretty. There are tables, which can have many rules per table, and default gateways, and somehow the `main` table has to be involved as well. Like metrics, tables and rules have priorities, but it's extra confusing because lower isn't always higher; higher is higher too (the order number). It's an arbitrary number but not infinite, and some of them are reserved. You don't really put traffic in a gateway but more like "encourage" it towards one. Then there's mangling and traffic marking, in hex. For what it's worth though, I'm aware that in pfSense firewall rules don't really "select" either but rather they match the traffic — its attributes — and then it's let go (or explicitly ignored/declined), but it really does feel like it's so precise, as if you had control of what's coming towards the interface. It's not like that in Linux. Not even in routing platforms with the easier purpose-built interfaces, e.g. VyOS or Mikrotik's CHR/RouterOS; they all have the crazy complexity as standard.
So, I'm curious how it all works under the abstraction of the GUI. Maybe then I'll understand better how it works in Linux or even illumos, who knows, if I have something to compare them to that I already understand, if abstractedly so. It's not just for Linux though; in OPNsense, states by default are unbound from interfaces (floating). I'm only half sure what the consequences of that are. Also in OPNsense you can NAT in multi-interface rules and `reply-to` works, but strangely it doesn't if it's just a firewall (not a NAT) rule alone. Also, all [filter] rules may have the `quick` marker, which is exclusive to floating rules in pfSense. I'm curious about those differences as well. Are there any commands or FreeBSD native config files I can check out to observe pfSense's XML applied raw?
I'd like to try to replicate pfSense's config in a FreeBSD machine I installed. The handbook is ~~good~~ great, but I'm only barely in the network setup part; between Jails, bhyve and prisons it's gonna be a while before I get to policy routing. I know my question is a little too broad, but just as well, I just need to be pointed in the right direction to go do my homework.
Maybe you have some keywords I can Bing? (just kidding) A link to a secret PDF network admins pray to? The truth behind BGP. A one- or one-thousand-line response, it's all appreciated.
Thanks!
-
@senseivita check out:
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy
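To show concretely what the GUI's "Gateway" selector, gateway groups, `quick` and `reply-to` turn into, here is a constructed pf ruleset fragment in the style pfSense generates (an added illustration, not copied from this thread, the Netgate docs, or a real pfSense box; interface names, addresses, macro names and labels are made up):

```pf
# Constructed example of pfSense-style generated pf rules (not a real rules.debug).
# Interfaces, next-hop addresses and macro names below are illustrative only.
lan  = "em0"
wan1 = "em1"
wan2 = "em2"

# Policy routing: choosing a gateway on a rule becomes a route-to macro.
# route-to bypasses the kernel routing table for packets matching the rule
# and hands them to the named interface / next hop instead.
GWWAN2 = " route-to ( em2 198.51.100.1 ) "

# A gateway group becomes a route-to pool. Load balancing is pf's round-robin
# over the pool members; tiering/failover is done outside pf: gateway
# monitoring rewrites this macro to hold only the members that are up,
# then reloads the ruleset.
GWLoadBal = " route-to { ( em1 203.0.113.1 ) ( em2 198.51.100.1 ) } round-robin "

# Interface-tab rules are emitted with "quick", so the first match wins and
# rule order on the tab is decisive; only floating rules can omit it
# (last match wins for those).
pass in quick on $lan $GWWAN2 inet proto tcp from 192.168.1.0/24 to any port 443 \
    keep state label "USER_RULE: HTTPS out via WAN2"
pass in quick on $lan $GWLoadBal inet from 192.168.1.0/24 to any \
    keep state label "USER_RULE: everything else load-balanced"

# Inbound rules on a WAN carry reply-to, so replies for that state leave via
# the gateway the request arrived on rather than the default route.
pass in quick on $wan1 reply-to ( em1 203.0.113.1 ) inet proto tcp \
    from any to 203.0.113.10 port 22 keep state label "USER_RULE: SSH in on WAN1"
```

On an actual pfSense system the generated ruleset is written to /tmp/rules.debug, and `pfctl -sr` and `pfctl -ss` show the loaded rules and the state table, which is the raw view of the XML config the question asks about.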