Policy routing to access subnet of a gateway marked as down
-
Hi,
I'm using an usb LTE modem as one of my gateways. The modem is creating a usb-ethernet device and handling IP addresses - it's not used directly as a modem. Since my pfSense is virtualized I attached the modem as one of hypervisor interfaces. I then created another interface that is attached to pfSense VM and hypervisor is routing the traffic from that VM interface to modem usb-eth like this:
usb Modem [ 192.168.1.1/24 ] - vmbr4 [192.168.234.1/24 ] - pfSense
This usb modem is a Tier 2 backup connection in my gateway group and is using CF servers to monitor availability - this works as intended. I additionally create a special policy route to always route 192.168.1.1/24 network via vmbr4 attached to pfsesne. This way I can access modem webUI. This also works fine.
Problems arrive when modem is experiencing packet loss. In this scenario gateway monitoring is marking it as down and I can't access the web UI on 192.168.1.1 network, despite it being available. Is there a way to force such policy routing to be working despite of gateway being marked as down?
-
Also - currently I have a poor man's workaround to reset the modem remotely - I just disable GW monitoring action - this brings back routing to 192.168.1.1/24 - I then can reboot the modem from webui and it comes back to life. Also I can do a socks proxy via ssh from hypervisor.
I'm just asking - I might have missed some clever way to bypass this proper and intended routing behavior :)
-
@beefer said in Policy routing to access subnet of a gateway marked as down:
usb Modem [ 192.168.1.1/24 ] - vmbr4 [192.168.234.1/24 ] - pfSense
This usb modem is a Tier 2 backup connection in my gateway group and is using CF servers to monitor availability - this works as intended. I additionally create a special policy route to always route 192.168.1.1/24 network via vmbr4 attached to pfsesne. This way I can access modem webUI. This also works fine.Not clear, why you need a policy routing rule to access the modem at all.
If pfSense has an IP within the modem subnet on its interface attached to vmbr4, the modem should be accessible anyway. -
@viragomann great question :) I made a mistake in the description - hyprervisor is doing NAT for the modem: pfSense on vmbr4 has a static IP 192.168.234.2 and is using 192.168.234.1 as gateway. 192.168.234.1 is NATing packets to 192.168.1.1. This looks like a good place to optimize :D
-
@beefer said in Policy routing to access subnet of a gateway marked as down:
hyprervisor is doing NAT for the modem
Why?
Simply add it to a bridge which hasn't any network settings and also the pfSense interface is a member of.pfSense on vmbr4 has a static IP 192.168.234.2 and is using 192.168.234.1 as gateway. 192.168.234.1 is NATing packets to 192.168.1.1.
With NAT, maybe it works, when you simply add a static route for 192.168.1.1/32 or 192.168.1.1/24 in System > Routing.
If not, there is an option "System > Advanced > Miscellaneous > Skip rules when gateway is down", which prevents that rules are spiked on gateway failure. But this affects all your rules and this might not be desired for others.
-
hyprervisor is doing NAT for the modem
Why?
Simply add it to a bridge which hasn't any network settings and also the pfSense interface is a member of.I was trying to create a bridge in proxmox, but it did not work with a usb ethernet device for some reason.
With NAT, maybe it works, when you simply add a static route for 192.168.1.1/32 or 192.168.1.1/24 in System > Routing.
I'll definitely test that :)
If not, there is an option "System > Advanced > Miscellaneous > Skip rules when gateway is down", which prevents that rules are spiked on gateway failure. But this affects all your rules and this might not be desired for others.
Yeah, this would be problematic - got a ton of policy routing rules :)
-
@beefer said in Policy routing to access subnet of a gateway marked as down:
I was trying to create a bridge in proxmox, but it did not work with a usb ethernet device for some reason.
I would try to pass-through the USB device in its entirety if it's compatible with pfSense.
-
@viragomann I think this is the best approach. Initially I thought I would like to route other vms through it, but pfsense is taking care about all the traffic, so I'll definitely try this out :)