Bug #15379

closed

Diagnostic/Traceroute follows default gateway instead of IPsec interface for routing traffic

Added by Danilo Zrenjanin about 2 months ago. Updated about 2 months ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Routing
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

If you define a specific Source Address in the Diagnostic/Traceroute page and that interface IP is within the IPsec traffic selector scope, the firewall should route it through IPsec instead of the default gateway.


Files

clipboard-202404041909-jjixe.png (110 KB), Lev Prokofev, 04/04/2024 03:08 PM
clipboard-202404041910-kphh3.png (51.2 KB), Lev Prokofev, 04/04/2024 03:10 PM
clipboard-202404041911-lvmgd.png (74.3 KB), Lev Prokofev, 04/04/2024 03:10 PM
clipboard-202404041913-ngjlx.png (60.7 KB), Lev Prokofev, 04/04/2024 03:12 PM
clipboard-202404041914-5ncbn.png (45 KB), Lev Prokofev, 04/04/2024 03:13 PM
Actions #1

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Not a Bug

You can't force something into policy-based IPsec in that way. Either it matches the traffic selectors and it will go through the tunnel or it doesn't.
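The selection rule stated in this reply, shown as an added example (not pfSense or FreeBSD code): a policy-based tunnel has no per-packet "force" switch; the kernel's security policy database (SPD) is consulted with the packet's source and destination, and the packet is encapsulated only if some Phase 2 traffic selector covers both. The selector below uses the addresses from this thread (LAN 172.21.100.0/24 to remote 192.168.200.0/24); the WAN address 203.0.113.5, the optional `proto` narrowing and the first-match ordering are assumptions made for illustration.

```python
"""Minimal model of a policy-based IPsec SPD lookup (added example).

A packet is steered into the tunnel only when its (src, dst[, proto])
falls inside a configured traffic selector. Picking a different source
address in Diagnostics changes the outcome only because it changes the
lookup key, never because it overrides the policy.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    """One Phase 2 entry: local subnet <-> remote subnet, optional protocol.

    `proto` is an assumption for illustration; pfSense P2 entries in the
    thread are plain subnet pairs, so None (any protocol) models them.
    """
    local: IPv4Network
    remote: IPv4Network
    proto: Optional[str] = None

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str) -> bool:
        return (
            src in self.local
            and dst in self.remote
            and (self.proto is None or self.proto == proto)
        )


def lookup_spd(spd: List[TrafficSelector], src: str, dst: str,
               proto: str) -> Optional[TrafficSelector]:
    """Return the first selector covering the packet, or None.

    Assumption: selectors are evaluated in configured order and the first
    hit wins, which is how an ordered policy list is modelled here.
    """
    s, d = ip_address(src), ip_address(dst)
    for sel in spd:
        if sel.matches(s, d, proto):
            return sel
    return None


def egress(spd: List[TrafficSelector], src: str, dst: str,
           proto: str = "icmp") -> str:
    """'ipsec' if the SPD claims the packet, else 'default-gateway'."""
    return "ipsec" if lookup_spd(spd, src, dst, proto) else "default-gateway"


# Phase 2 from the thread: 172.21.100.0/24 <-> 192.168.200.0/24, any protocol.
SPD = [
    TrafficSelector(ip_network("172.21.100.0/24"), ip_network("192.168.200.0/24")),
]

REMOTE_HOST = "192.168.200.20"            # remote host from the thread
WAN_ADDR = "203.0.113.5"                  # constructed WAN address (assumption)

if __name__ == "__main__":
    for src in ("172.21.100.10", "172.21.100.1", WAN_ADDR):
        for proto in ("icmp", "udp"):
            print(f"{src:>14} -> {REMOTE_HOST} {proto:<4} : {egress(SPD, src, REMOTE_HOST, proto)}")
```

Both the internal host and the LAN interface address of the firewall fall inside the selector, so by this rule both should be encapsulated regardless of whether the probe is ICMP or UDP; only a source outside 172.21.100.0/24 (such as the WAN address) is routed via the default gateway. The model deliberately does not explain the traceroute behaviour reported in the next comment, which the thread does not diagnose.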

Actions #2

Updated by Lev Prokofev about 2 months ago

I can confirm it; it seems the traceroute doesn't follow the IPsec policy.

Tested on:

23.09.1-RELEASE (amd64)
built on Wed Dec 20 21:27:00 MSK 2023
FreeBSD 14.0-CURRENT

The remote host is 192.168.200.20; the policy contains 192.168.200.0/24.

Tracert from internal host 172.21.100.10: traffic goes to IPsec.

Tracert from the interface of pfSense (172.21.100.1): traffic goes to WAN.

Ping from the interface: traffic follows the policy and goes to IPsec.
