Netgate Discussion Forum

    Option to disable route-to on rules generated for WAN

    General pfSense Questions
    5 Posts 2 Posters 1.8k Views
    adam65535:

      Can there be an option in the future to disable route-to for WAN rules? I see there is a 'Disable reply-to', but it would be very convenient to also have a 'Disable route-to' on the WAN. All external gateways are on the outside WAN interface on my systems. If a route changes for our IPsec traffic, I want it to immediately send the same packets over a point-to-point connection for backup. No states need to be killed either, as the packets will just travel a different route on the WAN.

      There are a bunch of them in the rules that get generated. I don't want any of that traffic to stick to a gateway. If the route changes for the destination IPs involved to go through a different router on the same WAN subnet, then it should send it there, as packets can go either way. Again, there is only one WAN interface, but with a point-to-point link for backup that the IPsec traffic can take.

      I replaced IPs with names to help make it clear what they are.

      
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.166 to !WanSubnet.160/27 tracker 1000008011 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseCarp.164 to !WanSubnet.160/27 tracker 1000008012 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.167 to !WanSubnet.160/27 tracker 1000008013 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.168 to !WanSubnet.160/27 tracker 1000008014 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.169 to !WanSubnet.160/27 tracker 1000008015 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.170 to !WanSubnet.160/27 tracker 1000008016 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.171 to !WanSubnet.160/27 tracker 1000008017 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.172 to !WanSubnet.160/27 tracker 1000008018 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( igb0 WanGateway.161 ) from PfsenseIPAlias.188 to !WanSubnet.160/27 tracker 1000008019 keep state allow-opts label "let out anything from firewall host itself"
      
      # VPN Rules
      pass out   route-to ( igb0 WanGateway.161 )  proto udp from (self) to IpsecVpn1.36 port = 500 tracker 1000108441 keep state label "IPsec: IpsecVpn1 - outbound isakmp"
      pass in  on $WANIF  reply-to ( igb0 WanGateway.161 )  proto udp from IpsecVpn1.36 to (self) port = 500 tracker 1000108442 keep state label "IPsec: IpsecVpn1 - inbound isakmp"
      pass out   route-to ( igb0 WanGateway.161 )  proto esp from (self) to IpsecVpn1.36 tracker 1000108443 keep state label "IPsec: IpsecVpn1 - outbound esp proto"
      pass in  on $WANIF  reply-to ( igb0 WanGateway.161 )  proto esp from IpsecVpn1.36 to (self) tracker 1000108444 keep state label "IPsec: IpsecVpn1 - inbound esp proto"
      pass out   route-to ( igb0 WanGateway.161 )  proto udp from (self) to IpsecVpn2.146 port = 500 tracker 1000108455 keep state label "IPsec: IpsecVpn2 - outbound isakmp"
      pass in  on $WANIF  reply-to ( igb0 WanGateway.161 )  proto udp from IpsecVpn2.146 to (self) port = 500 tracker 1000108456 keep state label "IPsec: IpsecVpn2 - inbound isakmp"
      pass out   route-to ( igb0 WanGateway.161 )  proto esp from (self) to IpsecVpn2.146 tracker 1000108457 keep state label "IPsec: IpsecVpn2 - outbound esp proto"
      pass in  on $WANIF  reply-to ( igb0 WanGateway.161 )  proto esp from IpsecVpn2.146 to (self) tracker 1000108458 keep state label "IPsec: IpsecVpn2 - inbound esp proto"
      pass out   route-to ( igb0 WanGateway.161 )  proto udp from (self) to IpsecVpn3.2 port = 500 tracker 1000108469 keep state label "IPsec: IpsecVpn3 - outbound isakmp"
      pass in  on $WANIF  reply-to ( igb0 WanGateway.161 )  proto udp from IpsecVpn3.2 to (self) port = 500 tracker 1000108470 keep state label "IPsec: IpsecVpn3 - inbound isakmp"
      pass out   route-to ( igb0 WanGateway.161 )  proto esp from (self) to IpsecVpn3.2 tracker 1000108471 keep state label "IPsec: IpsecVpn3 - outbound esp proto"
      pass in  on $WANIF  reply-to ( igb0 WanGateway.161 )  proto esp from IpsecVpn3.2 to (self) tracker 1000108472 keep state label "IPsec: IpsecVpn3 - inbound esp proto"
      
      cmb:

        You can add floating rules with 'quick' checked to override those. It's extremely unusual to need to disable route-to in that case, and since you can override it with user-defined rules, there won't likely be an option added to disable that.

      adam65535:

          The problem is that every time I create a new VPN it creates new hidden rules that must be overridden. These are hidden rules that are not shown to the user, of course. Can there be a single rule in the floating section that would negate them all?

          I currently create new rules for each one listed in floating, but I do not choose quick, and that seems to keep the hidden rules from being used.

          I do not want to allow any traffic not explicitly needed.

      cmb:

            One rule will override that. Pass, interface WAN, direction out, any source, any dest, quick. That'll match before all the auto-added rules.

      adam65535:

              Thanks!

               I just realized that reply-to is still being set on automatically generated rules for VPN traffic even though I have 'Disable reply-to' enabled in System->Advanced->Firewall & NAT (see my post above showing the rules). It appears I would need to override that too.

               EDIT: It looks like my rules on the WAN interface allowing UDP 500 and the ESP protocol are overriding those auto-generated rules. I don't see any packet counts on those auto-generated reply-to rules.

               pfctl -vsr | grep -A 2 "reply-to"

               I see all packet counts at 0 ("Packets: 0").

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.