
Author Topic: Local traffic on a VLAN with a remote gateway  (Read 430 times)


Offline johnpoz

  • Hero Member
  • Posts: 13869
  • Karma: +1274/-274
  • Not a pfSense employee, they cannot fire me...
Re: Local traffic on a VLAN with a remote gateway
« Reply #15 on: August 12, 2017, 08:35:22 am »
And what are your desktop rules?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- If I have helped you, applauding me is a nice, cheap way to say thanks!
- If you want to say a bigger thanks: https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.1-RC Oct 19 17:56:10 VM running on esxi 6.5 (home)

Offline FauxShow

  • Jr. Member
  • Posts: 32
  • Karma: +2/-0
Re: Local traffic on a VLAN with a remote gateway
« Reply #16 on: August 12, 2017, 01:16:07 pm »
Wide open:

brb; gotta reboot my pfsense

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 8850
  • Karma: +1014/-302
Re: Local traffic on a VLAN with a remote gateway
« Reply #17 on: August 12, 2017, 03:50:31 pm »
IPsec to destination 0.0.0.0/0 is a significant hurdle. That is generally reserved for things like mobile IPsec clients.

Your reply traffic from the PROXY network is probably going out that IPsec tunnel since it matches the traffic selector there.

A simple packet capture on the IPsec interface should confirm.

Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline FauxShow

  • Jr. Member
  • Posts: 32
  • Karma: +2/-0
Re: Local traffic on a VLAN with a remote gateway
« Reply #18 on: August 12, 2017, 10:16:41 pm »
How should I be setting it up? Rules for the local subnet(s) with no gateway specified and then a catch-all for everything else could work, but what do I set that gateway to?

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 8850
  • Karma: +1014/-302
Re: Local traffic on a VLAN with a remote gateway
« Reply #19 on: August 12, 2017, 10:41:48 pm »
I can't think of a good workaround.

Like I said, IPsec to destination 0.0.0.0/0 is troublesome if that is not really what you want.  And in your case it is not what you want because you want to carve out exceptions to that.

Offline FauxShow

  • Jr. Member
  • Posts: 32
  • Karma: +2/-0
Re: Local traffic on a VLAN with a remote gateway
« Reply #20 on: August 12, 2017, 10:59:44 pm »
So I should submit a bug then, right? More of a new feature I guess.

We are able to do this with Cisco ASAs btw. It's not like I'm just making up networking concepts.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 8850
  • Karma: +1014/-302
Re: Local traffic on a VLAN with a remote gateway
« Reply #21 on: August 13, 2017, 04:02:44 am »
Not a bug.

When we get routed IPsec in 2.5-ish it might be possible.

Use an ASA then I guess. FreeBSD IPsec traffic selectors work how they work at this time.

Offline johnpoz

  • Hero Member
  • Posts: 13869
  • Karma: +1274/-274
  • Not a pfSense employee, they cannot fire me...
Re: Local traffic on a VLAN with a remote gateway
« Reply #22 on: August 13, 2017, 04:56:51 am »
@derelict not getting why this should be an issue.. There are direct routes in play for the local networks - why would it force it down the tunnel.. It should only go down the default-route tunnel if there is no more direct route.

@fauxshow - why not just do it with OpenVPN instead of IPsec? Then you can do simple policy-based routing.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 8850
  • Karma: +1014/-302
Re: Local traffic on a VLAN with a remote gateway
« Reply #23 on: August 13, 2017, 04:59:25 am »
Because the traffic selectors are hit before the routing table. They have no concept of states or anything like reply-to.

He has a selector source PROXY net dest any (0.0.0.0/0).

Reply traffic matches that so that's where it goes.
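Derelict's point about traffic selectors being consulted before the routing table, as an added illustration that is not code from the thread or from pfSense: a toy model of outbound processing on a policy-based IPsec host, using constructed addresses (10.20.0.0/24 for the PROXY net, 10.10.0.0/24 for another local VLAN, 192.0.2.0/24 for the far side of the tunnel), showing where a reply from the PROXY net to a local host is sent under a 0.0.0.0/0 selector versus a selector narrowed to the remote network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example networks; the thread only names the "PROXY net".
PROXY_NET = ipaddress.ip_network("10.20.0.0/24")   # the VLAN with the remote gateway
LAN_NET = ipaddress.ip_network("10.10.0.0/24")     # another local VLAN
REMOTE_NET = ipaddress.ip_network("192.0.2.0/24")  # far side of the IPsec tunnel
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Selector:
    """One IPsec traffic selector (phase 2 source/destination pair)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def next_hop(src, dst, spd, routes):
    """Outbound decision for a packet: the Security Policy Database (selectors)
    is checked first and knows nothing about firewall states or reply-to; only
    packets no selector claims reach the routing table (longest-prefix match)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in spd:
        if src_ip in sel.src and dst_ip in sel.dst:
            return "ipsec"
    matches = [(net, gw) for net, gw in routes if dst_ip in net]
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return gw


# Directly connected local networks plus a default route (constructed).
ROUTES = [
    (ANY, "WAN_GW"),
    (LAN_NET, "direct:LAN"),
    (PROXY_NET, "direct:PROXY"),
]

# The thread's configuration: source PROXY net, destination any.
SPD_ANY = [Selector(PROXY_NET, ANY)]
# Narrower alternative: only traffic for the remote network is encapsulated.
SPD_REMOTE = [Selector(PROXY_NET, REMOTE_NET)]


def reply_path(spd):
    """Where a reply from a PROXY host to a LAN host is sent under a given SPD."""
    return next_hop("10.20.0.10", "10.10.0.5", spd, ROUTES)


if __name__ == "__main__":
    print("0.0.0.0/0 selector:", reply_path(SPD_ANY))       # ipsec
    print("remote-only selector:", reply_path(SPD_REMOTE))  # direct:LAN
```

With the 0.0.0.0/0 selector the direct route for the LAN is never consulted, which is the behaviour a capture on the IPsec interface would show.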

Offline johnpoz

  • Hero Member
  • Posts: 13869
  • Karma: +1274/-274
  • Not a pfSense employee, they cannot fire me...
Re: Local traffic on a VLAN with a remote gateway
« Reply #24 on: August 13, 2017, 05:32:27 am »
Ah.. Yeah that is a problem...