Reflection vs Gateway Groups
-
I had an issue in getting Reflection work … spent the whole weekend on this :( but finally got it working 8) so I wanted to share and maybe the pfsense people can code this in the next version?
The issue seems to be that reflection will not work when there is a LAN rule with a gateway group as gateway.
The solution turned out to be pretty simple by adding a rule in the LAN tab before the rule containing the group, like this:
Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule ! Description
–------+----------+------+----------------+------+---------+-------+----------+--------------
* | * | * | LAN Address | 443 | * | * | | Anti-Lockout Rule
IPv4 | * | * | 192.168.90.0/24| * | * | none | | NEW RULE: inside communication with standard gateway to make reflection work
IPv4 | * | * | * | * | GTWYGRP | none | | outside communication via gateway group
–------+----------+------+----------------+------+---------+-------+----------+--------------
-
I expect that will be similar to when routing between local subnets, or across OPenVPN site-to-site to other parts of the company intranet or…
If you force all traffic to a gateway (or gateway group) then pfSense does what it is told and sends all traffic out to that gateway. Then that upstream gateway promptly drops the traffic that was meant to be local, because it cannot route to the private addresses.
Pretty much anybody who has multiple internal networks that need to talk to each other should have a rule that passes that traffic before any rules that use a gateway to the real internet.
-
That makes a lot of (pf) sense like you phrase it.
As a newbee, it was not clear to me that "Default" gateway behaves this way and "Gateway Group" behaves that way, in the end of the day to me they seemed both gateways, the one called * and the other one called GTWYGRP.
Anyways I hope others can benefit from this insight!