Packets from self ignore gateway policy

[clarknova]

OPNsense 21.1.8

I have configured a gateway group with LAN rules that use the gateway group. This works fine.

I have also configured a floating rule in the Out direction and no interface to accomplish the same thing for traffic originiating from OPNsense itelf. For some reason traffic matches the rule and is logged as expected, but does not use the designated gateway. Why is this?

edit: sorry, I posted this in the preprod section by accident. Maybe somebody can move it to prod?

[mimugmail]

Only for direction in, you cant handle local initiated packets

[clarknova]

Only for direction in, you cant handle local initiated packets

But it works for automatically generated rules, right? Even if I change my source from This Firewall to an interface address, it still doesn't work. The only difference I see at this point (if I disable logging) is that the automatic rule uses a single gateway and my rule uses a gateway group.

Code: [Select]

root@LDC01A:~ # pfctl -sr | grep em0_vlan910|grep "pass out"
pass out route-to (em0_vlan910 10.100.2.254) inet from (em0_vlan910) to ! (em0_vlan910:network) flags S/SA keep state allow-opts label "b063dd13c292c33ec96318589a8e95f4"
pass out route-to (em0_vlan910 10.100.2.254) sticky-address inet from (em0_vlan910) to <tdc01lan> flags S/SA keep state label "d86945c81601734ff34ae06caeb54e6e"

[franco]

It has always been this way, made "worse" by shared forwarding that does not allow pf to bypass the network stack (and ipfw the other firewall therein).

Coincidentally, a commit made it to FreeBSD just a few days ago:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257106

At this point, however, it is unclear how well it works and if it works with shared forwarding at all.


Cheers,
Franco