Policy Based Routing Not Using Interface Criteria



  • Hello,

    I was goofing with Policy Based Routing (PBR) and noticed that the "interface" criteria isn't applied.  For example, if I have 3 pfsense interfaces as follows:

    –----------                    -------------
    external net ------ PfSense - LAN A -------- DLP Host -  172.16.2.50
       em1               ------------   em2           -------------
                                  |
                                  |em0
                                  |-- LAN B  (172.16.1.0/24)

    Objective: route some traffic to a transparent DLP solution - I need to keep the entire flow going through the DLP solution.

    Details:

    • I created a PBR rule on interface em0 that said route traffic from source host 172.16.1.20 to DLP host (172.16.2.50)

    • Not that it matters, but I created a "return" PBR rule on inteface em1 that said traffic on interface em1 with a destination of 172.16.1.20 should be routed to the DLP host (172.16.1.50).

    • When I ping a host on the external network from 172.16.1.20 I get a TTL time exceeded message from the DLP host.  I can see that icmp echo request rattle around between interface em2 and the DLP host until the TTL reaches zero.  I would not have expected this because I would have expected that any traffic arriving through interface em2 with a source address of 172.16.1.20 would have taken the default route and not been policy routed.

    Also, not that it matters but I also tried creating these rules as floating rules with the exact same results (I tied the rule to an interface and gave it a direction of "in")

    Anyway, I was wondering if this was a known limitation, by design, or a bug.

    I'm on version 2.0.2-RELEASE (amd64)

    Thanks,

    Jeff



  • bump


Locked