Policy based routing woes.



  • I am running 2.2.1-RELEASE (amd64) on bare metal.
    I have an OpenVPN client configured and am trying to get pfSense to send traffic through it and not leak a thing out any other interface for specific addresses/VLANs.
    It doesn't seem to matter whether I use floating (quick/not quick) or interface rules, the behavior is the same.
    When my VPN is connected, traffic routes through it. When my VPN goes down, traffic routes through my WAN.
    I have an explicit block rule that follows my pass rule. My pass rule modifies the gateway to use my OpenVPN connection as the gateway, thus enabling policy based routing. So routing out my WAN should never be possible as far as my brain causes me to believe.
    I also created an outbound NAT (I chose hybrid mode) rule that NATs my specified traffic using the OpenVPN interface address.
    When I go to Status > System Logs > Firewall and view the traffic there, I see that the rule I created to send traffic out my OpenVPN interface is what is actually allowing traffic to pass out my WAN.
    This sounds like a bug to me, but if not, what is it that I am doing wrong?
    At first my rules stated "NEGATE_ROUTE: Negate policy routing for destination" so I went ahead and checked "Disable Negate rules" in System > Advanced > Firewall.


  • LAYER 8 Netgate

    https://forum.pfsense.org/index.php?topic=76015.msg494089#msg494089

    It's not a bug.  It's a feature.

    There is a checkbox in System > Advanced, Miscellaneous tab called Skip rules when gateway is down.  I think this is too brute force.

    The post linked above outlines the following procedure:

    On the rules that match certain traffic and policy route it to the VPN, you also set a mark like VPN_ONLY or NO_WAN_EGRESS.

    You then create a floating rule on WAN direction out that rejects all traffic from any source to any destination with the matching mark.
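
The tagging procedure from the post above, written out as a pf.conf-style sketch. This is an added example, not part of the original posts and not pfSense's generated ruleset; the macro names, interface names and addresses are assumptions, and the tag name is one of the two suggested in the post.

```pf
# Constructed pf.conf-style sketch. All macros below are assumed values,
# not taken from the thread.
wan_if  = "em0"              # assumed WAN interface
lan_if  = "em1"              # assumed LAN interface
vpn_if  = "ovpnc1"           # assumed OpenVPN client interface
vpn_gw  = "10.8.0.1"         # assumed gateway on the VPN side
vpn_src = "192.168.10.0/24"  # assumed hosts/VLAN that may only use the VPN

# Outbound NAT for the policy-routed traffic (the hybrid-mode rule in the GUI).
nat on $vpn_if inet from $vpn_src to any -> ($vpn_if)

# Floating rule, interface WAN, direction out: reject anything carrying the tag.
# Floating rules are evaluated before interface rules, and "quick" stops
# evaluation at the first match.
block return out quick on $wan_if tagged NO_WAN_EGRESS

# LAN rule: policy-route the selected sources to the VPN gateway and set the tag.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $vpn_src to any \
    tag NO_WAN_EGRESS keep state

# Failure case from the thread: with the VPN down, the same pass rule still
# matches, but the traffic follows the default route toward WAN. The tag set
# on LAN ingress stays with the packet, so the block rule above rejects it on
# WAN egress instead of letting it leak.
```

To confirm the behaviour, stop the OpenVPN client and check Status > System Logs > Firewall: traffic from the selected sources should show as rejected by the floating WAN rule rather than passed.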



  • Thank you very much for your speedy and accurate response, Derelict. That has indeed worked and given me my sought after result. I appreciate your assistance very much.

