    Netgate Discussion Forum
    Policy based routing woes.

    Firewalling

DWAyotte:

I am running 2.2.1-RELEASE (amd64) on bare metal.
I have an OpenVPN client configured and am trying to get pfSense to send traffic through it and not leak a thing out any other interface for specific addresses/VLANs.
It doesn't seem to matter whether I use floating (quick/not quick) or interface rules, the behavior is the same.
When my VPN is connected, traffic routes through it. When my VPN goes down, traffic routes through my WAN.
I have an explicit block rule that follows my pass rule. My pass rule modifies the gateway to use my OpenVPN connection as the gateway, thus enabling policy-based routing. So routing out my WAN should never be possible as far as my brain causes me to believe.
I also created an outbound NAT (I chose hybrid mode) rule that NATs my specified traffic using the OpenVPN interface address.
When I go to Status > System Logs > Firewall and view the traffic there, I see that the rule I created to send traffic out my OpenVPN interface is what is actually allowing traffic to pass out my WAN.
This sounds like a bug to me, but if not, what is it that I am doing wrong?
At first my rules stated "NEGATE_ROUTE: Negate policy routing for destination" so I went ahead and checked "Disable Negate rules" in System > Advanced > Firewall.


Derelict (Netgate):

        https://forum.pfsense.org/index.php?topic=76015.msg494089#msg494089

It's not a bug. It's a feature.

There is a checkbox in System > Advanced, Miscellaneous tab called Skip rules when gateway is down. I think this is too brute force.

        The post linked above outlines the following procedure:

        On the rules that match certain traffic and policy route it to the VPN, you also set a mark like VPN_ONLY or NO_WAN_EGRESS.

        You then create a floating rule on WAN direction out that rejects all traffic from any source to any destination with the matching mark.

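The two approaches side by side, written out in pf.conf syntax as an added illustration (not pfSense-generated output and not from either poster). Interface names, the protected subnet and the VPN gateway address are assumptions made up for the example.

```pf
# Assumed names, all constructed for this illustration:
#   LAN = igb1, WAN = igb0, OpenVPN client = ovpnc1 with gateway 10.8.0.1,
#   protected subnet = 192.168.50.0/24.
# pfSense builds its own ruleset from the GUI; these lines show the shape of
# the rules, not what pfSense literally writes.

# --- Original post: policy-route pass rule followed by a block rule ---
# While the VPN is up, route-to sends matching traffic out ovpnc1.
pass in quick on igb1 route-to (ovpnc1 10.8.0.1) \
    from 192.168.50.0/24 to any keep state
block in quick on igb1 from 192.168.50.0/24 to any
# When the VPN gateway is down and "Skip rules when gateway is down" is not
# checked, pfSense loads the pass rule without its route-to. It still matches
# first, so the block rule below it never sees the packet, and the state it
# creates follows the default route: out the WAN. That is exactly the log
# entry the original poster saw.

# --- Linked post's approach: mark the traffic, then reject it on WAN out ---
# Same policy-route pass rule, now tagging the packet (GUI: "Tag" field).
pass in quick on igb1 route-to (ovpnc1 10.8.0.1) \
    from 192.168.50.0/24 to any tag NO_WAN_EGRESS keep state
# Floating rule, direction out on WAN, matching the mark (GUI: "Tagged" field).
# Whatever path the packet took to get here, a tagged packet leaving via igb0
# is rejected, so the VPN being down can no longer leak it.
block return out quick on igb0 tagged NO_WAN_EGRESS
```

Outbound NAT on the OpenVPN interface is still needed for the traffic that does go through the tunnel; the tagged reject only guards the WAN exit.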

DWAyotte:

Thank you very much for your speedy and accurate response, Derelict. That has indeed worked and given me my sought-after result. I appreciate your assistance very much.
