Incorrect policy-based routing

  • Most of the cases, pf routes to the correct interface if policy-based routing on the in-interface is in effect. But for certain destination IP, it fails. It simply routes to the default gateway instead.

    I have 3 policy-based routing rules:

    @108 pass in log quick on em1 route-to (em4 inet proto tcp from to any port = smtp flags S/SA keep state label "USER_RULE:, ISP4 only"
    @110 pass in log quick on em1 route-to (em5 inet proto tcp from to any port = smtp flags S/SA keep state label "USER_RULE:, ISP5 only"
    @112 pass in log quick on em1 route-to (em3 inet proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: other SMTP out, ISP3 only"

    Which state that the Internet link em4 is reserved for the mail server, the Internet link em5 is reserved for the mail server, and the Internet link em3 is for other mail servers/clients. (Note: em1 is the LAN interface.)

    Most of the cases, including and, emails from the mail server are sent via the correct gateway (em4).

    But for certain destination(s), pf simply sends e-mails via the default gateway, which is not em4. Strange is, even in such a case, the firewall log still shows that pf applied the correct rule (@108). Only monitoring at the modem devices around the pfsense device can proves the failure of routing.

    Any comment?

  • It will not do policy-routing for multicast&broadcast and also it won't do policy-routing for destinations ip that are local to the host(ie ips configured on the pfSense itself).
    These are tweaks added by pfSense so strange problems are not seen, otherwise it should just policy route it.

    So unless your route-to ip is not a local ip of pfSense or your ip falls in multicast range it should be ok.

    Packet traces would help here to reproduce the issue.

  • The destination IP in question are of our business partner's mail server which I'm sure not multicast/broadcast IP. We're using Internet service from different ISPs. The route-to IPs .0.65, .0.69 and .0.81 in the rules above are next-hop IPs (in fact, they are of PPPoE modems/routers) around the pfSense machine, not of the machine itself. And, as said, the firewall log shows that the correct rule was selected. It fails to route, however.

  • I've also found that pfsense replies via the wrong gateway even when the specific IP in question (namely, 118/8) is a source IP.

    Thus if the remote client 118.x.y.z initiates a TCP connection to the mail server via (em4, which is not default gateway, pfsense still responds via default gateway, which effectively drops the connection.

  • Are by any case the packets being fragmented when being sent out the wan and not following the policy-route?

  • Please tell me how to detect packet fragmentation.
    I'll check it out and report back.

  • I found today that not only SMTP but also HTTP and maybe all TCP protocols are affected; and, not only the IP 118.x.y.z but also (IP address of the web server of m0n0wall project) and maybe many, many IP addresses are affected.

    This serious problem can be reproduced easily. Create a firewall rule that routes every web-browsing traffic to some non-default interface, then visit to see that it actually goes through the default interface.

Log in to reply