Bug #15379 (closed)
Diagnostic/Traceroute follows default gateway instead of IPsec interface for routing traffic
Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Routing
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:
Description
If you define a specific Source Address in the Diagnostic/Traceroute page and that interface IP is within the IPsec traffic selector scope, the firewall should route it through IPsec instead of the default gateway.
Files
Updated by Jim Pingle 10 months ago
- Status changed from New to Not a Bug
You can't force something into policy-based IPsec in that way. Either it matches the traffic selectors and it will go through the tunnel or it doesn't.
Updated by Lev Prokofev 10 months ago
- File clipboard-202404041909-jjixe.png clipboard-202404041909-jjixe.png added
- File clipboard-202404041910-kphh3.png clipboard-202404041910-kphh3.png added
- File clipboard-202404041911-lvmgd.png clipboard-202404041911-lvmgd.png added
- File clipboard-202404041913-ngjlx.png clipboard-202404041913-ngjlx.png added
- File clipboard-202404041914-5ncbn.png clipboard-202404041914-5ncbn.png added
I can confirm it; it seems the traceroute doesn't follow the IPsec policy.
tested on
23.09.1-RELEASE (amd64) built on Wed Dec 20 21:27:00 MSK 2023 FreeBSD 14.0-CURRENT
The remote host is 192.168.200.20; the policy contains 192.168.200.0/24.
Tracert from internal host 172.21.100.10: traffic goes to IPsec.
Tracert from the interface of pfSense (172.21.100.1): traffic goes to WAN.
Ping from interface: traffic follows the policy and goes to IPsec.
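The comments above turn on whether a given source/destination pair falls inside a policy-based IPsec traffic selector. The following is an added example, not code from pfSense or from anyone on this thread: a small model of the SPD lookup that a policy-based tunnel performs, so a tester can check beforehand whether a probe's source and destination are covered by a selector and, if not, which part of the selector excludes them. The remote subnet 192.168.200.0/24 and the hosts 172.21.100.10, 172.21.100.1 and 192.168.200.20 come from the comment above; the local subnet 172.21.100.0/24, the WAN address 203.0.113.5 and the protocol/port details are assumptions made for the example. It only models selector matching; it does not explain why the traceroute probes in the report took a different path from the ping.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class TrafficSelector:
    """One phase-2 entry: local subnet <-> remote subnet, optional proto/port.

    proto=None or remote_port=None means "any", as in a plain subnet-to-subnet P2.
    """
    local_net: str
    remote_net: str
    proto: Optional[str] = None
    remote_port: Optional[int] = None

    def reasons_for_no_match(self, src: str, dst: str,
                             proto: Optional[str] = None,
                             dport: Optional[int] = None) -> List[str]:
        """Return an empty list when the flow is covered, else why it is not."""
        reasons = []
        if ip_address(src) not in ip_network(self.local_net, strict=False):
            reasons.append(f"source {src} is outside local selector {self.local_net}")
        if ip_address(dst) not in ip_network(self.remote_net, strict=False):
            reasons.append(f"destination {dst} is outside remote selector {self.remote_net}")
        if self.proto is not None and proto != self.proto:
            reasons.append(f"protocol {proto} != selector protocol {self.proto}")
        if self.remote_port is not None and dport != self.remote_port:
            reasons.append(f"port {dport} != selector port {self.remote_port}")
        return reasons

    def matches(self, src: str, dst: str, proto: Optional[str] = None,
                dport: Optional[int] = None) -> bool:
        return not self.reasons_for_no_match(src, dst, proto, dport)


def spd_lookup(selectors: Sequence[TrafficSelector], src: str, dst: str,
               proto: Optional[str] = None,
               dport: Optional[int] = None) -> Optional[TrafficSelector]:
    """First selector covering the flow, in configured order; None -> normal routing."""
    for sel in selectors:
        if sel.matches(src, dst, proto, dport):
            return sel
    return None


def probe_path(selectors: Sequence[TrafficSelector], src: str, dst: str,
               proto: Optional[str] = None, dport: Optional[int] = None) -> str:
    """'ipsec' if a selector claims the flow, otherwise 'default-gateway'."""
    return "ipsec" if spd_lookup(selectors, src, dst, proto, dport) else "default-gateway"


def explain(selectors: Sequence[TrafficSelector], src: str, dst: str,
            proto: Optional[str] = None, dport: Optional[int] = None) -> List[str]:
    """Per-selector reasons a flow was not claimed; empty when some selector matched."""
    if spd_lookup(selectors, src, dst, proto, dport):
        return []
    out = []
    for sel in selectors:
        for r in sel.reasons_for_no_match(src, dst, proto, dport):
            out.append(f"{sel.local_net} -> {sel.remote_net}: {r}")
    return out


# Constructed SPD: remote side 192.168.200.0/24 is from the report; the local
# side 172.21.100.0/24 is an assumption (the report only names hosts in it).
SPD = [TrafficSelector(local_net="172.21.100.0/24", remote_net="192.168.200.0/24")]

if __name__ == "__main__":
    # Flows from the report: LAN host (ICMP), the firewall's LAN address
    # (UDP traceroute probe, port 33434 is traceroute's conventional base port),
    # and a constructed probe sourced from the WAN address 203.0.113.5.
    for src, proto, dport in [("172.21.100.10", "icmp", None),
                              ("172.21.100.1", "udp", 33434),
                              ("203.0.113.5", "udp", 33434)]:
        path = probe_path(SPD, src, "192.168.200.20", proto, dport)
        print(f"{src} -> 192.168.200.20 ({proto}): {path}")
        for line in explain(SPD, src, "192.168.200.20", proto, dport):
            print("   ", line)
```

Run as a script it prints the path decision for each of the three flows and, for the WAN-sourced probe, the reason it falls outside the selector. The practical use is in the lead-in: before filing a report about traffic bypassing a tunnel, confirm the probe's source and destination are both inside the configured phase-2 selectors, since a probe sourced from an address outside the local selector is expected to take the default route.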