Netgate Discussion Forum
pfSense policy routing non-functional

Routing and Multi WAN
      IgiveUp
      last edited by IgiveUp

      Setup:
      latest community edition
      Interfaces:
      WAN with internet access
      LAN 192.168.x.yyy
      VPN 192.71.a.b public IP through openvpn tunnel

      Goal:
      All but one LAN host uses WAN, some port forwards.
      One host from LAN uses VPN as gateway with one port forward.

      Tested so far:
      Setting VPN as default gateway works like a charm including port forward.
      Needed only:
      outgoing NAT: 192.168.x.yyy/24 -> VPN -> VPN IP
      And needed NAT VPN -> 192.168.x.99:9999

      Attempt goal:
      Set WAN back as default gateway
      Add firewall rule on LAN:
      192.168.x.99 all but 192.168.x.yyy/24 go through VPN gateway

      Now I see tracert from the .99 host going through VPN, and curl ifconfig.me/IP returns the VPN IP, BUT,
      and it's a huge BUT:
      All outgoing traffic initiated by the .99 host gets redirected to VPN and bounces right back, going out through WAN and returning on VPN...
      Also I'm getting quite a few default rule 0104 packet blocks for pfSense IP <-> .99 IP (I'm accessing the pfSense GUI from the .99 host).
      Packet captures with promiscuous mode off:
      Packet capture on .99 shows outgoing UDP/TCP packets:
      192.168.x.99:9999 -> somehost:6677
      LAN capture mirrors that.
      VPN capture shows nothing!
      WAN capture shows
      VPN IP:9999 -> somehost:6677

      Depending on the remote host, returns come either on WAN or VPN, with the vast majority on WAN, and the VPN returns are in fact retransmission requests, at least that's what ChatGPT told me. VPN returns are 20 to 1000.

      Same for ICMP capture and ping somehost:
      VPN
      somehost -> VPN.ip
      WAN outgoing
      VPN.ip -> somehost

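The interface-by-interface comparison the poster does by hand above (what leaves LAN, what appears on VPN, what appears on WAN, where replies come back) can be scripted so the asymmetry is flagged mechanically. The following is an added example, not code from the thread or from pfSense: it uses constructed placeholder addresses (RFC 5737 ranges) and a simplified one-line-per-packet capture format, and it assumes outbound NAT preserves the source port, which is what the poster's own capture shows (`:9999` stays `:9999`) but is not true of every NAT configuration. It follows one LAN host's flows from the LAN capture through NAT and reports which interface each flow actually left on, whether the NAT source address belongs to that interface, and which interfaces the replies arrived on.

```python
"""Flow-symmetry check over per-interface packet-capture lines.

Added example (not from the forum thread or pfSense): reads simplified
capture lines taken on each firewall interface, follows one LAN host's
connections from the LAN capture through outbound NAT, and reports which
interface the packets really left on and where the replies came back.
"""
import re
from collections import Counter

# Constructed placeholders (RFC 5737 ranges); none of these are from the post.
LAN_HOST = "192.168.1.99"   # hypothetical host that should be policy-routed
WAN_ADDR = "192.0.2.5"      # hypothetical WAN address
VPN_ADDR = "198.51.100.7"   # hypothetical public address of the VPN tunnel
REMOTE = "203.0.113.10"     # hypothetical remote host

# Constructed sample, one line per packet: "<iface> <src>:<sport> > <dst>:<dport>".
# Flow 1 reproduces the symptom described above: the VPN address leaves on WAN
# and replies are split across WAN and VPN. Flow 2 is a policy rule that did not
# match at all (plain WAN egress). Flow 3 is a healthy policy-routed flow.
SAMPLE_CAPTURE = f"""\
lan {LAN_HOST}:9999 > {REMOTE}:6677
wan {VPN_ADDR}:9999 > {REMOTE}:6677
wan {REMOTE}:6677 > {VPN_ADDR}:9999
wan {REMOTE}:6677 > {VPN_ADDR}:9999
vpn {REMOTE}:6677 > {VPN_ADDR}:9999
lan {LAN_HOST}:5353 > {REMOTE}:53
wan {WAN_ADDR}:5353 > {REMOTE}:53
wan {REMOTE}:53 > {WAN_ADDR}:5353
lan {LAN_HOST}:4444 > {REMOTE}:443
vpn {VPN_ADDR}:4444 > {REMOTE}:443
vpn {REMOTE}:443 > {VPN_ADDR}:4444
"""

LINE_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)$")


def parse_capture(text):
    """Parse capture lines into (iface, src, sport, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        iface, src, sport, dst, dport = m.groups()
        records.append((iface, src, int(sport), dst, int(dport)))
    return records


def analyze(records, lan_host, nat_addrs, expected_iface, lan_iface="lan"):
    """Follow each connection of lan_host and flag routing/NAT inconsistencies.

    nat_addrs maps egress interface -> source address that outbound NAT should
    give packets leaving on that interface. expected_iface is the gateway
    interface the policy-routing rule is supposed to send lan_host out of.
    Assumption: outbound NAT keeps the source port, so the pre-NAT LAN packet
    can be matched to its post-NAT copy by (sport, dst, dport).
    """
    public_addrs = set(nat_addrs.values())
    flows = {}
    for iface, src, sport, dst, dport in records:
        key = (sport, dst, dport)
        if iface == lan_iface and src == lan_host:
            flows.setdefault(key, {"egress": None, "nat_src": None,
                                   "returns": Counter(), "findings": []})
        elif src in public_addrs and key in flows:
            flow = flows[key]
            if flow["egress"] is None:          # first post-NAT copy wins
                flow["egress"], flow["nat_src"] = iface, src
        elif dst in public_addrs and (dport, src, sport) in flows:
            flows[(dport, src, sport)]["returns"][iface] += 1

    for flow in flows.values():
        findings = flow["findings"]
        if flow["egress"] is None:
            findings.append("no_egress")
            continue
        if flow["egress"] != expected_iface:
            findings.append("wrong_egress_iface")
        if flow["nat_src"] != nat_addrs.get(flow["egress"]):
            findings.append("nat_iface_mismatch")
        if any(r != flow["egress"] for r in flow["returns"]):
            findings.append("asymmetric_return")
    return flows


if __name__ == "__main__":
    nat = {"wan": WAN_ADDR, "vpn": VPN_ADDR}
    for key, flow in analyze(parse_capture(SAMPLE_CAPTURE), LAN_HOST, nat, "vpn").items():
        print(key, "egress:", flow["egress"], "nat_src:", flow["nat_src"],
              "returns:", dict(flow["returns"]), flow["findings"] or ["ok"])
```

The `nat_iface_mismatch` finding is the one that matches the thread's symptom: a packet carrying the VPN tunnel's address but captured leaving on WAN means the NAT rule was applied for the VPN path while the routing decision sent the packet elsewhere, so replies can land on either interface and are then dropped by the state check (the "default rule" blocks the poster sees). Real captures would be taken with the interface capture tool or tcpdump and converted to the one-line form before being fed to `parse_capture`.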
        IgiveUp @IgiveUp
        last edited by

        Policy routing started behaving after I changed my WAN IPv6 configuration from "none" to "6to4 tunnel".
        I have a strange feeling that the redirected host will be able to escape redirection if the remote host resolves to an IPv6 address, though.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.