Project

General

Profile

Actions

Bug #3653

closed

Policy route on rule does not work

Added by Jos Andel over 10 years ago. Updated over 10 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Routing
Target version:
-
Start date:
05/12/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1.x
Affected Architecture:
amd64

Description

I have a rule on the IPSec interface with a policy route enabled to my internal core-router. Traffic coming out of the VPN-tunnel should be routed to the core, but instead pfSense routes it to the default gateway. This worked just fine on 2.0.1. I took that config and imported that on a new server running 2.1.3.

---- rule in config.xml (removed create and modified to obscure admin ip address) -----
<rule>
<id/>
<type>pass</type>
<interface>enc0</interface>
<ipprotocol>inet</ipprotocol>
<tag/>
<tagged/>
<max/>
<max-src-nodes/>
<max-src-conn/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os></os>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<log/>
<descr><![CDATA[IPSec traffic]]></descr>
<gateway>LANGW</gateway>
<created>
</created>
<updated>
</updated>
</rule>

----- rules.debug -----
IPsec = "{ enc0 }"
table <negate_networks> { 192.168.128.0/28 }
GWLANGW = " route-to ( bge0 192.168.111.1 ) "
pass out on $IPsec all keep state label "IPsec internal host to host"
pass in log quick on $IPsec inet from any to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on $IPsec $GWLANGW inet from any to any keep state label "USER_RULE: IPSec traffic"

Looks fine to me.
----------------------------

----- resulting rules ------
pfctl -sr | grep enc0
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in log quick on enc0 inet from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on enc0 route-to (bge0 192.168.111.1) inet all flags S/SA keep state label "USER_RULE: IPSec traffic"

Looks fine to me, traffic from 192.168.128.0/28 should be routed-to 192.168.111.1
----------------------------

----- It hits on the right rule since it ends up in my logging -----
May 12 13:54:36 pfSense pf: 192.168.128.2.49206 > 62.69.166.254.80: Flags [S], cksum 0x38fd (correct), seq 2249141429, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 745617494 ecr 0,sackOK,eol], length 0
----------------

---- tcpdump of this traffic -----

It sure comes through the enc0 interface:
tcpdump -pnli enc0 host 62.69.166.254
14:13:13.566192 (authentic,confidential): SPI 0x0bc05ecc: IP 192.168.128.2.49482 > 62.69.166.254.80: Flags [S], seq 3881645313, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 746733379 ecr 0,sackOK,eol], length 0
14:13:14.641607 (authentic,confidential): SPI 0x0bc05ecc: IP 192.168.128.2.49482 > 62.69.166.254.80: Flags [S], seq 3881645313, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 746734453 ecr 0,sackOK,eol], length 0

and it leaves the bge1 interface
tcpdump pnli bge1 host 62.69.166.254
13:59:55.302026 IP 192.168.128.2.49345 > 62.69.166.254.80: Flags [S], seq 264329335, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 745936293 ecr 0,sackOK,eol], length 0
13:59:56.343828 IP 192.168.128.2.49345 > 62.69.166.254.80: Flags [S], seq 264329335, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 745937331 ecr 0,sackOK,eol], length 0
-------------------------------------

---- but my core 192.168.111.1 is behind interface bge0 -----
(changed default gateway IP to obscure real IP)
netstat -rn
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 1.2.3.97 UGS 0 97317 bge1
127.0.0.1 link#7 UH 0 1076 lo0
192.168.0.0/16 192.168.111.1 UGS 0 219152 bge0
192.168.111.0/24 link#3 U 0 355413 bge0

arp an | grep 192.168.111.1
? (192.168.111.1) at d0:67:e5:dc:e6:9e on bge0 expires in 1171 seconds [ethernet]
----------------

A workaround is changing the default gateway to 192.168.111.1. When I do that it works as it should with a policy-route enabled.
So traffic follows the default-route, ignoring the policy-route on the rule.

Actions

Also available in: Atom PDF