[FIXED] Policy based routing with "dynamic gateway policy" type gateways

Started by Maurice, March 29, 2021, 06:47:49 PM

When creating a dynamic gateway and enabling "Dynamic gateway policy" on its interface, can it be used for policy based routing? The "gateway" has no IP address, the destination is directly reachable.

I can't get this working. Before digging deeper, some input whether this is actually supported would be nice.

"Doesn't work" means: When selecting the dynamic gateway in a firewall rule, the rule shown in pfInfo doesn't have a "route-to" option. When enabling "Skip rules when gateway is down" in the advanced firewall settings, the rule doesn't show up in pfInfo at all. That would suggest the gateway is considered down, but gateway monitoring is disabled and it is shown as online.

man pf.conf(5) suggests route-to doesn't require an IP address:

The route-to option routes the packet to the specified interface with an optional address for the next hop.
https://www.freebsd.org/cgi/man.cgi?query=pf.conf

Background: I'm trying to get WireGuard PBR working without the "fake gateway IP address hack" suggested in the docs: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
@mimugmail once mentioned that dynamic gateway policy should work, but I couldn't find a confirmation that it actually does: https://forum.opnsense.org/index.php?topic=15105.msg86564#msg86564

Thanks!

Maurice

<edit>
This was indeed a missing feature and it's now fixed: https://github.com/opnsense/core/commit/cdf328078bd3e16e1f4beb9b0d6956595fb59c67
</edit>
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
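To make the pf.conf(5) point in the post concrete, here is an added example (not from the post, the OPNsense docs or the linked commit) showing the two shapes a policy-based-routing rule can take in pf on FreeBSD: route-to naming only the interface, which is what a WireGuard tunnel without a next-hop address needs, beside route-to with an explicit next-hop address. The interface names igb1 and wg0, the networks and the address 10.10.10.1 are assumptions chosen for illustration.

```conf
# Added example, not OPNsense-generated configuration.
# Macros below are assumed values for illustration only.
lan_if    = "igb1"
wg_if     = "wg0"                       # WireGuard tunnel: point-to-point, no next-hop IP
lan_net   = "192.168.1.0/24"
pbr_hosts = "{ 192.168.1.10, 192.168.1.11 }"

# Form 1: interface only. pf.conf(5) makes the next-hop address optional,
# so on a point-to-point tunnel, where the peer is directly reachable,
# pf can hand the packet to wg0 without any gateway address.
pass in quick on $lan_if route-to ( $wg_if ) inet from $pbr_hosts to ! $lan_net keep state

# Form 2: interface plus next-hop address. This is the shape a gateway with
# a configured address produces; the address is only used to resolve the
# layer-2 destination on that interface, which a tunnel does not need.
pass in quick on $lan_if route-to ( $wg_if 10.10.10.1 ) inet from $pbr_hosts to ! $lan_net keep state
```

After loading the ruleset, `pfctl -sr` lists the active rules; the symptom described in the post (a policy rule that has lost its route-to clause, or is missing altogether) is visible there as well as in pfInfo, which is the quickest way to confirm whether the generated rule actually carries the interface.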