PfSense Internal / Localhost Traffic Multi-WAN Policy Routing



  • What is the correct way to make pfSense failover say all internal / localhost traffic to port 80 to a gateway group or specific gateway? All the information I've come across so far is unclear or outdated.

    Can I simply create a floating rule without selecting any interfaces, with direction out, from 127.0.0.0/8, to port 80, and set a custom gateway?

    Or do I also have to tag the traffic in the above rule and create another rule on all the WAN interfaces for this tag with direction out and set the gateway there instead?



  • I can confirm that on 2.2.5 all combinations of using Floating Rules + Gateway Groups to route outbound traffic originating from the Firewall itself via Policy-based Routes has failed for me.  I can't get it working.  I tried many different combinations of selecting ALL interfaces, NO interfaces, just LAN if, just WAN ifs, etc.  Setting source to "This Firewall (self)" or 127.0.0.0/8, or "any".  "Quick" match both on & off.  Pretty much turned every knob there was.  It just doesn't work for me.

    Found more related discussions:
    How to make DNS lookups go to only to Tier1 link in multi-WAN failover?
    firewall - pfSense Internal Traffic Policy Based Routing - Server Fault
    Policy Based Routing of pfSense Internal Traffic - reddit
    …but no answer yet

    If someone has a working example for this please post screenshots



  • Hi!

    +1

    I'm also looking for that functionality.
    That would allow using PBR for services hosted on the pfsense box itself (e.g. Squid).



  • At this point is this classified as a bug? Is it on redmine somewhere? I have several sites that have gateways set up that are NOT internet-facing and thus I can't safely enable the "allow default gateway switching" option.

    For these sites, it seems when the default gateway goes down, there is NO safe & working way to ensure pfSense is able to send out an email notification.



  • According to https://doc.pfsense.org/index.php/What_are_Floating_Rules, we should be able to "Filter traffic from the firewall itself".
    I don't know if it's a simple bug or a technical choice for whatever reason…

    Maybe a pfSense guru could answer us here before we file a bug on redmine?
    Thanks.



  • Doesn't seem to be attracting any attention so I went ahead and filed a bug on redmine:
    https://redmine.pfsense.org/issues/5476



  • Having the same problem.

    One of the gateways currently in use is a VPN gateway that is blocking NTP. So it would be nice to select a gateway that pfSense itself and/or its services are using.



  • Could you post a "netstat -r" ?
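    The point of asking for `netstat -r` is that, when a policy-based rule is not applied to a packet the firewall itself generates, the packet simply goes wherever the kernel routing table sends it, which is normally the default route. The script below is an added example, not something posted in this thread: it parses a constructed FreeBSD-style `netstat -rn` listing (documentation address ranges; `203.0.113.1` is the assumed Tier 1 gateway and `198.51.100.1` the assumed Tier 2 gateway, both hypothetical) and does a longest-prefix lookup so you can see which gateway and interface firewall-originated traffic to a given destination would actually use.

```python
import ipaddress

# Constructed sample of FreeBSD `netstat -rn` output (IPv4 section only), built
# from documentation address ranges; it is not output from any poster's box.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        em0
10.0.0.0/24        link#2             U          em1
10.0.0.1           link#2             UHS        lo0
127.0.0.1          link#3             UH         lo0
198.51.100.0/24    link#1             U          em0
203.0.113.0/24     link#1             U          em0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#3             UH         lo0
"""


def parse_routes(text):
    """Parse the IPv4 section of `netstat -rn` into a list of route dicts."""
    routes = []
    in_ipv4 = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_ipv4 = True
            continue
        if line.startswith("Internet6:"):
            break  # the IPv6 table is out of scope here
        if not in_ipv4:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # blank line or column header
        dest, gateway, flags, netif = parts[:4]
        # "default" is 0.0.0.0/0; bare host entries become /32 networks.
        network = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
                   else ipaddress.ip_network(dest, strict=False))
        routes.append({"network": network, "gateway": gateway,
                       "flags": flags, "netif": netif})
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the route the kernel picks for a packet that no
    policy rule has redirected, i.e. firewall-originated traffic in the
    situation this thread describes."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def default_gateway(routes):
    """Return the gateway of the 0.0.0.0/0 route, or None if there is none."""
    for r in routes:
        if r["network"].prefixlen == 0:
            return r["gateway"]
    return None


def self_traffic_uses_gateway(routes, destination, expected_gateway):
    """True if a firewall-originated packet to `destination` would leave via
    `expected_gateway` according to the routing table alone."""
    route = lookup(routes, destination)
    return route is not None and route["gateway"] == expected_gateway


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    print("default gateway:", default_gateway(table))
    for dst in ("192.0.2.10", "10.0.0.5"):
        r = lookup(table, dst)
        print(f"{dst} -> gateway {r['gateway']} via {r['netif']}")
    # Hypothetical Tier 2 WAN gateway (constructed): the check shows that the
    # table alone still sends self-originated traffic out the default route.
    print("uses 198.51.100.1:",
          self_traffic_uses_gateway(table, "192.0.2.10", "198.51.100.1"))
```

    Run it against real output with `netstat -rn | python3 script.py` after swapping the embedded sample for `sys.stdin.read()`; if the gateway it reports for an outside destination is not the one your gateway group should be preferring, the floating rule is not being applied to that traffic, which is exactly the symptom reported above.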



  • You will find the routes in this thread I started:

    https://forum.pfsense.org/index.php?topic=106379.0

    I can confirm this is a bug, however I cannot test 2.3 Beta on production…



  • If I understand correctly, having this bug fixed would allow Load Balancing + Transparent Proxy to work again. This pfSense functionality is IMO quite important in many "real world" scenarios, like for example when setting up Guest WIFIs.

    luckman212: did you find the time yet to try to replicate the bug on stock FreeBSD, like Jim Pingle described in his ticket post? Unfortunately, I have zero FreeBSD knowledge, but I'd be willing to invest some time to set up a test system if someone would be prepared to help a little.

    cuteredstorm: I don't fully understand your message in the other thread. Did you manage to get the functionality working by using some kind of workaround? If so, could you please describe the workaround in more detail?

