[solved with suggestion] policy based routing to the rescue?

Started by senser, February 05, 2025, 03:10:03 PM

Greetings,
This archived forum post is what I currently wish to solve. Some good suggestions in that thread, but they seem to behave weirdly for me.

For example, if you select multiple (inverted) destination aliases on a quick rule:
pass in log quick on home inet proto {tcp udp} from {(home:network)} to !$Private keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet6 proto {tcp udp} from {(home:network),fe80::/10} to !$Private keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet proto {tcp udp} from {(home:network)} to !$Blocked keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet6 proto {tcp udp} from {(home:network),fe80::/10} to !$Blocked keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet proto {tcp udp} from {(home:network)} to {!(self)} keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet6 proto {tcp udp} from {(home:network),fe80::/10} to {!(self)} keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet proto {tcp udp} from {(home:network)} to {!(home:network)} keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic

The result is probably not as intended, because the "!$Private" rule will pass traffic that the "!$Blocked" would block for example.

So it seems you should create a new alias that contains all the other aliases...but:

Isn't the "better" solution to use a "policy based routing" rule? E.g. using an "allow all via wan gateway" rule on those interfaces? That should only allow internet access afaik? Are there any problems with that solution?

Or would that possibly route some local traffic to wan as well? That's at least what the "routing" part would suggest...


Thank you

February 05, 2025, 08:09:08 PM #1 Last Edit: February 06, 2025, 09:26:52 AM by senser
The policy based routing rule did not work as a solution (as you may have suspected). Basically it was an allow-all rule that routed all traffic to the wan (including everything that would normally route to local networks). XD

So I created a nested alias and using that works as expected.

But shouldn't a selection of multiple target aliases create a new alias automatically?
The problem is: You see one rule in the UI but get multiple rules in the back which behave differently than expected.
Either that, or all the created rules should be visible in the UI as well.

@Franco is this something you would agree to?
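To make the behaviour discussed in both posts concrete, here is an added simulation (example code written for this page, not anything from OPNsense or the poster) of pf's first-match "quick" evaluation. It compares the generated rule set from the first post, where each inverted destination alias becomes its own `pass quick` rule, against the nested-alias approach from the follow-up, where one alias holds every non-internet range and is negated once. All alias contents are constructed placeholder networks, IPv4 only, and the default policy is assumed to be block.

```python
import ipaddress

# Constructed placeholder alias contents (not the poster's real networks).
ALIASES = {
    "Private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "Blocked": ["203.0.113.0/24"],        # TEST-NET-3 standing in for a blocked range
    "self": ["192.168.10.1/32"],          # the firewall's own address on "home"
    "home:network": ["192.168.10.0/24"],
}

# Nested alias: the union of everything that is *not* the internet.
ALIASES["NotInternet"] = [
    net for name in ("Private", "Blocked", "self", "home:network")
    for net in ALIASES[name]
]


def in_alias(dst, name):
    """True if the destination address falls inside any network of the alias."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[name])


def dst_matches(dst_spec, dst):
    """Evaluate a destination spec of the form (alias_name, negated)."""
    alias, negated = dst_spec
    hit = in_alias(dst, alias)
    return (not hit) if negated else hit


def first_match(rules, dst, default="block"):
    """pf 'quick' semantics: the first rule whose destination matches decides,
    otherwise the default policy applies."""
    for action, dst_spec in rules:
        if dst_matches(dst_spec, dst):
            return action
    return default


# What the UI generates from one rule with several inverted destination aliases:
# one 'pass quick' rule per alias, each negating only that alias.
SPLIT_RULES = [
    ("pass", ("Private", True)),
    ("pass", ("Blocked", True)),
    ("pass", ("self", True)),
    ("pass", ("home:network", True)),
]

# The nested-alias variant: a single rule negating the combined alias.
NESTED_RULES = [
    ("pass", ("NotInternet", True)),
]


def evaluate(dst):
    """Return the verdict of both rule sets for a destination address."""
    return {
        "split": first_match(SPLIT_RULES, dst),
        "nested": first_match(NESTED_RULES, dst),
    }


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5", "192.168.10.50", "192.168.10.1"):
        print(dst, evaluate(dst))
```

The split rule set passes a destination inside `$Blocked` because `!$Private` already matches it (and, by the same logic, passes traffic to the local `home:network` because `!$Blocked` matches), which is exactly the surprise the first post describes. The nested alias has no such gap: any destination in the union fails the single negated test and falls through to the default block, so only genuine internet destinations are passed.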