Bug #15379
Closed: Diagnostic/Traceroute follows default gateway instead of IPsec interface for routing traffic
Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Routing
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:
Description
If you define a specific Source Address in the Diagnostic/Traceroute page and that interface IP is within the IPsec traffic selector scope, the firewall should route it through IPsec instead of the default gateway.
Updated by Jim Pingle 4 months ago
- Status changed from New to Not a Bug
You can't force something into policy-based IPsec in that way. Either it matches the traffic selectors and it will go through the tunnel or it doesn't.
Updated by Lev Prokofev 4 months ago
- File clipboard-202404041909-jjixe.png added
- File clipboard-202404041910-kphh3.png added
- File clipboard-202404041911-lvmgd.png added
- File clipboard-202404041913-ngjlx.png added
- File clipboard-202404041914-5ncbn.png added
I can confirm it; it seems the traceroute doesn't follow the IPsec policy.
Tested on:
23.09.1-RELEASE (amd64) built on Wed Dec 20 21:27:00 MSK 2023 FreeBSD 14.0-CURRENT
The remote host is 192.168.200.20; the policy contains 192.168.200.0/24.
Tracert from internal host 172.21.100.10: traffic goes to IPsec.
Tracert from the interface of pfSense (172.21.100.1): traffic goes to WAN.
Ping from the interface: traffic follows the policy and goes to IPsec.