Hi,
I've seen an old and archived post written by @Seed nickname, from a previous OPNsense version, where there was apparently a similar issue (https://forum.opnsense.org/index.php?topic=28555.msg138715;topicseen#msg138715 — unfortunately nobody replied :( — ), and that encouraged me to share my own case.
I have a WireGuard VPN configured in OPNsense. I assigned a gateway to the WG0 interface and, using Policy Based Routing (firewall rules + outbound NAT), I route one VLAN (vlan20, for example) through the VPN. Functionally, the traffic goes out through WireGuard as expected.
The problem appears when exporting NetFlow v9 data (using ng_netflow) to an analysis system (Akvorado is great!). I do not see any flows from vlan20 exiting via WG0. Instead, those flows are reported as exiting via WAN.
However, the return flow for those same sessions is correctly shown as arriving via WG0.
There is NAT involved (both on WAN and inside the WireGuard tunnel), so asymmetric routing does not seem plausible (additionally, it would involve IP spoofing, which is even more unlikely on traffic going through my ISP).
My current hypothesis is that ng_netflow determines the egress interface before Policy Based Routing is applied. Since the default route points to WAN, NetFlow marks the flow as WAN traffic. After that, PBR sends the packets out through WG0, but NetFlow has already recorded the flow with the wrong interface.
Is this expected due to the internal processing order (routing decision vs. PBR), or could it indicate a misconfiguration?
And finally, is there any known way to make NetFlow reflect the actual post-PBR egress interface when using WireGuard?
Did you ever confirm whether this is the cause? Or find a way to make NetFlow correctly reflect the actual egress interface when using Policy Based Routing?
I have OPNsense version 25.7.11_9 amd64 2e9ac2def
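The mismatch described in the post (forward flow recorded with WAN as egress, reply flow recorded with WG0 as ingress) can be checked systematically once the NetFlow records have been decoded. The following is an added example, not code from the post or from OPNsense, ng_netflow or Akvorado. It assumes the records are already decoded into simple tuples with ingress/egress ifIndex values, that both directions of a session are recorded with the same addresses, and it uses constructed ifIndex numbers, subnets and sample flows. It flags two things per record: an egress interface that contradicts the policy-routing expectation for the source prefix, and a forward egress interface that differs from the interface the reply arrived on.

```python
"""Audit decoded NetFlow records for egress interfaces that contradict
policy-based routing or the reverse flow (added example, not project code).
"""
import ipaddress
from collections import namedtuple

# Constructed ifIndex -> name mapping; a real exporter's indexes will differ.
IFACES = {1: "WAN", 2: "vlan20", 3: "WG0", 4: "vlan30"}

# Policy expectation taken from the post: vlan20 must leave through WG0.
# The prefix itself is an assumption (the post names no subnet).
POLICY = [(ipaddress.ip_network("192.168.20.0/24"), "WG0")]

Flow = namedtuple("Flow", "src dst proto sport dport in_if out_if")


def expected_egress(src):
    """Interface the PBR policy says this source should leave through, or None."""
    addr = ipaddress.ip_address(src)
    for net, iface in POLICY:
        if addr in net:
            return iface
    return None


def key(f):
    return (f.src, f.dst, f.proto, f.sport, f.dport)


def reverse_key(f):
    """5-tuple of the reply direction of flow f."""
    return (f.dst, f.src, f.proto, f.dport, f.sport)


def audit(flows):
    """Return (flow, reason) pairs for records whose egress interface looks wrong.

    Check 1 (policy): recorded egress differs from the PBR expectation.
    Check 2 (asymmetry): the reply flow's ingress differs from this flow's egress.
    Both checks only look at outbound records, i.e. those with a policy match.
    """
    by_key = {key(f): f for f in flows}
    findings = []
    for f in flows:
        want = expected_egress(f.src)
        if want is None:
            continue  # not a policy-routed source; nothing to compare against
        out_name = IFACES.get(f.out_if, f"ifIndex {f.out_if}")
        if out_name != want:
            findings.append((f, f"policy: expected egress {want}, recorded {out_name}"))
        rev = by_key.get(reverse_key(f))
        if rev is not None and rev.in_if != f.out_if:
            in_name = IFACES.get(rev.in_if, f"ifIndex {rev.in_if}")
            findings.append((f, f"asymmetry: egress {out_name} but reply ingress {in_name}"))
    return findings


# Constructed sample records mirroring the post: a vlan20 session whose forward
# record says WAN, whose reply says WG0, plus a control session on another VLAN.
SAMPLE_FLOWS = [
    Flow("192.168.20.10", "203.0.113.5", 6, 40000, 443, in_if=2, out_if=1),
    Flow("203.0.113.5", "192.168.20.10", 6, 443, 40000, in_if=3, out_if=2),
    Flow("192.168.30.7", "198.51.100.9", 6, 50000, 443, in_if=4, out_if=1),
    Flow("198.51.100.9", "192.168.30.7", 6, 443, 50000, in_if=1, out_if=4),
]


def run_sample():
    """Run the audit on the constructed records; returns the findings list."""
    return audit(SAMPLE_FLOWS)


if __name__ == "__main__":
    for flow, reason in run_sample():
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {reason}")
```

Running it on the constructed records reports the vlan20 session twice (once for the policy mismatch, once for the forward/reply interface asymmetry) and nothing for the vlan30 control session. On real data, a large count of policy findings whose matching reply flows all arrive on WG0 is consistent with the ordering hypothesis in the post (egress recorded from the default route before PBR applies), whereas findings with replies arriving on WAN would point at the rules themselves.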