Netgate Discussion Forum
    Gateway groups and rules from "This firewall"

    General pfSense Questions

    silviub

      Hello,

      I have two pfSenses with two IPs + a CARP IP from the same subnet. I've got an IPsec tunnel set up with VTI, and here's my issue: one of the firewalls is the owner of the CARP IP address. I can't access the other one.
      This is because the VTI interface and gateway are not available on the backup firewall, so it uses the default route (which is the WAN interface). Obviously, not what I want/need.

      So I thought: I'll just create a gateway group using the VTI interface + LAN, so when the VTI is unavailable (e.g. on the backup router) the traffic will flow via the LAN gateway. I've created the LAN gateway with the GW IP = CARP IP address and created the gateway group with the two gateways, the VTI being Tier 1 and LAN being Tier 2, so it fails over when Tier 1 is unavailable.

      I've then set a floating rule that states:

      Action: Pass
      Quick: enabled
      Interface: Any
      Direction: Out (since I want the traffic leaving the backup router to match)
      Address family: IPv4
      Protocol: Any
      Source: Alias (set to an alias containing the three IPs - R1, R2 and the CARP IP)
      Destination: IPSec tunnel destination
      Log packets: ticked
      Advanced options:
      Gateway: IPSec_Gateway_Group (created above)

      Still, the traffic comes in via the VTI interface on R1 (the active one), goes to R2 via the LAN interface, and the return traffic goes R2 -> WAN -> dropped by the next router.

      What am I missing? I thought that this would make the traffic from the aliases go via the gateway group.

      Thank you!

      stephenw10 Netgate Administrator

        Yeah, that scenario is always a problem. To make that work you need to NAT the traffic leaving the active node so the backup node knows to send traffic back via it.

        You will want to make the outbound NAT as specific as possible so it only matches that traffic.

        Because the rule is synced by default, it must either be valid on both nodes or be set specifically not to sync.

        silviub @stephenw10

          @stephenw10 But why wouldn't it work with a policy-based forwarding rule? I mean, what am I missing?
          Anyway, I'll NAT it, it's not an issue, but I'm just curious why it doesn't work with a rule.

          stephenw10 Netgate Administrator

            You can't policy route traffic using an outbound rule. At that point the routing decision has already been made.

            silviub @stephenw10

              @stephenw10 OK, so that means that I can just PBR traffic from my LAN to the internet / some gateway, but not the traffic from the firewall itself? Did I get that right?

              stephenw10 Netgate Administrator

                Yes, exactly. You can only policy route traffic going into the firewall so that excludes traffic from the firewall itself.

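As an added example (constructed for this page, not configuration posted in the thread or generated by Netgate), here is a pf.conf-style fragment that puts the outbound NAT stephenw10 recommends next to the floating "out" rule that cannot work for the reason given in the last reply. pfSense's Firewall > NAT > Outbound page produces equivalent rules from its form fields; the interface names, addresses and the remote IPsec subnet below are assumptions.

```pf
# Constructed example, not pfSense-generated output. Addresses are assumptions:
#   R1 (CARP master) LAN address  192.168.1.2
#   R2 (backup)      LAN address  192.168.1.3
#   CARP VIP                       192.168.1.1
#   remote subnet reached over the VTI: 10.20.0.0/24
lan_if = "em1"
vti_if = "ipsec1"
r1_lan = "192.168.1.2"
r2_lan = "192.168.1.3"
remote = "10.20.0.0/24"

# What the original floating rule tried, and why it is ineffective: a rule
# evaluated in the "out" direction runs after the kernel has already chosen
# the next hop. On R2, 10.20.0.0/24 has no route except the WAN default, so
# the reply is already headed to WAN when this rule sees it. route-to here
# cannot change that (policy routing only applies to traffic entering the
# firewall, and R2's reply originates on R2 itself).
#
#   pass out quick route-to ($vti_if) from $r2_lan to $remote   # does nothing useful

# What works, on R1 while it holds the VTI: management traffic arriving over
# the tunnel and being forwarded to R2 gets its source rewritten to R1's own
# LAN address (not the CARP VIP, which R2 may also own). R2 then answers a
# host on its own subnet, pf reverses the translation on the reply, and the
# packet goes back out the VTI. Match as narrowly as possible: one source
# network, one destination host, one interface.
nat on $lan_if inet from $remote to $r2_lan -> $r1_lan

# Mirror rule for when R2 is master and the VTI lives there. Each rule only
# matches traffic being forwarded to the *other* node, so both can exist on
# both nodes; that keeps the rule set valid on either side under HA sync.
nat on $lan_if inet from $remote to $r1_lan -> $r2_lan

# Allow the translated flows out on LAN; the state entry carries the reply
# back in and through the reverse translation.
pass out quick on $lan_if inet proto { tcp udp icmp } from { $r1_lan $r2_lan } to { $r1_lan $r2_lan } keep state
```

Two practical points. First, the backup node now logs every tunnel-originated admin session as coming from the peer's LAN address rather than the real remote host, so keep the NAT scoped to the single destination host (and ideally to the management ports) and rely on R1's VTI-side logging for attribution. Second, if you prefer the single R1-only rule, exclude it from the HA sync as stephenw10 notes, otherwise the synced copy on R2 would translate with an address R2 does not own.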
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.