    Reflection vs Gateway Groups

    philipvh

      I had an issue in getting Reflection to work … spent the whole weekend on this  :( but finally got it working  8) so I wanted to share and maybe the pfSense people can code this in the next version?

      The issue seems to be that reflection will not work when there is a LAN rule with a gateway group as gateway.

      The solution turned out to be pretty simple by adding a rule in the LAN tab before the rule containing the group, like this:

      Proto | Source | Port | Destination     | Port | Gateway | Queue | Schedule | Description
      ------+--------+------+-----------------+------+---------+-------+----------+--------------
      *     | *      | *    | LAN Address     | 443  | *       | *     |          | Anti-Lockout Rule
      IPv4  | *      | *    | 192.168.90.0/24 | *    | *       | none  |          | NEW RULE: inside communication with standard gateway to make reflection work
      IPv4  | *      | *    | *               | *    | GTWYGRP | none  |          | outside communication via gateway group
      ------+--------+------+-----------------+------+---------+-------+----------+--------------

      phil.davis

        I expect that will be similar to when routing between local subnets, or across OpenVPN site-to-site to other parts of the company intranet or…
        If you force all traffic to a gateway (or gateway group) then pfSense does what it is told and sends all traffic out to that gateway. Then that upstream gateway promptly drops the traffic that was meant to be local, because it cannot route to the private addresses.
        Pretty much anybody who has multiple internal networks that need to talk to each other should have a rule that passes that traffic before any rules that use a gateway to the real internet.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

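A small model of the first-match rule walk the two posts describe, as an added example that is not from the thread or from pfSense itself. The rule contents mirror the table in the first post; the LAN interface address and the packet addresses are assumed for illustration, and the point it shows is that a reflected connection (destination already rewritten to the internal host) lands on the gateway-group rule unless a plain pass rule for the local subnet sits above it:

```python
# Added example, not pfSense code: walk LAN rules top-down, first match wins,
# and report which gateway the matching rule would hand the packet to.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    description: str
    destination: str  # CIDR, "LAN Address", or "*" for any
    port: str         # "*" or a single port number
    gateway: str      # "*" = system routing table, otherwise a named gateway/group


# Assumed LAN interface address for the "LAN Address" macro (constructed).
LAN_ADDRESS = ipaddress.ip_address("192.168.90.1")


def matches(rule: Rule, dst_ip, dst_port: int) -> bool:
    if rule.port != "*" and int(rule.port) != dst_port:
        return False
    if rule.destination == "*":
        return True
    if rule.destination == "LAN Address":
        return dst_ip == LAN_ADDRESS
    return dst_ip in ipaddress.ip_network(rule.destination)


def select_gateway(rules, dst: str, dst_port: int) -> str:
    """Return the gateway of the first matching rule, or 'block' (default deny)."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, dst_ip, dst_port):
            return rule.gateway
    return "block"


# Rule set before the fix: everything not aimed at the LAN address itself is
# policy-routed to the gateway group, including reflected local traffic.
ORIGINAL = [
    Rule("Anti-Lockout Rule", "LAN Address", "443", "*"),
    Rule("outside communication via gateway group", "*", "*", "GTWYGRP"),
]

# Rule set after the fix: the local subnet is passed with normal routing first.
FIXED = [
    ORIGINAL[0],
    Rule("inside communication with standard gateway", "192.168.90.0/24", "*", "*"),
    ORIGINAL[1],
]
```

Evaluate a reflected packet (destination already rewritten to 192.168.90.50) against both sets to see the gateway choice change from GTWYGRP to the routing table, while traffic to a public address still leaves via the group.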
        philipvh

          That makes a lot of (pf) sense like you phrase it.

          As a newbie, it was not clear to me that "Default" gateway behaves this way and "Gateway Group" behaves that way; at the end of the day, to me they both seemed to be gateways, the one called * and the other one called GTWYGRP.

          Anyways I hope others can benefit from this insight!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.