Correction #16340
Status: closed
Routed IPsec Tunnels (VTI) Don't Allow For ANY Policy Routing
Description
I wanted to suggest a change on the docs to make something a little more clear than it currently is.
On the page about VTI tunnel configuration: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html
There is a section about Policy Routes which states:
"To policy route traffic across a routed IPsec tunnel, use the assigned IPsec interface gateway in firewall rules as usual for policy routing."
There is then a disclaimer below this that says:
"This may not work as expected without NAT and/or reply-to, which require special settings. See Routed IPsec Firewall Rules for details."
This should be adjusted to state that it will not work as expected. After extensive testing in my lab, I was never able to get a policy route to work via a gateway selection with the default IPsec filter mode. I had to change it to the "assigned interfaces" mode in order for my firewall rule with a gateway selection to function at all.
The states for the rule showed it was being hit as well, but traffic would not route over the tunnel.
It's important this is made clearer, since you can't have this Filter Mode enabled if you also need regular IPsec tunnels to exist, and the documentation currently makes it sound like you can use both.