Netgate Discussion Forum

default gateway override route ?

Routing and Multi WAN
    rynstack
    last edited by Apr 28, 2023, 5:29 PM

    Hi, we have a single default gateway route but now have set up an alternate 2nd wan/lan for "DMZ" segmented type networks. I have been running into trouble with obtaining a route out to the internet from the new 2nd LAN and came to the conclusion that the default route setting is what is causing this. Presuming setting that to "automatic" is what we want now, rather than setting this as a static default gateway. Firewall rules appear to be allowing traffic out of the interface on the LAN side, but traffic to the internet cannot find its route; pings are 100% loss. The WAN interface can ping out to the internet, and traffic is coming in to the DMZ LAN host fine. Traffic to other internal LANs is working with defined FW rules.
    Thoughts, questions and/or comments welcome, thanks!

    *Side note: after some trial and error and testing of different options/configs, it seems the routing table is stuck with some config that has been removed [alternate gateways], and it is now causing the DMZ WAN iface to not ping out anymore; I can see the test route still listed in the routes via the diagnostics page. Manual removal via command line is my best guess to remove it, unless it will fix itself after a reboot?

    Netgate 1537 - pfSense+ v. 22.05 - planning on upgrading to 23.01 very soon

    thanks again.

      viragomann @rynstack
      last edited by Apr 29, 2023, 9:51 AM

      @rynstack said in default gateway override route ?:

      we have a single default gateway route but now have set up an alternate 2nd wan/lan for "DMZ" segmented type networks

      You got a 2nd WAN connection with a different gateway and you want to route the upstream traffic of the DMZ out to this new WAN?

        rynstack @viragomann
        last edited by May 1, 2023, 3:12 PM

        @viragomann said in default gateway override route ?:

        @rynstack said in default gateway override route ?:

        we have a single default gateway route but now have set up an alternate 2nd wan/lan for "DMZ" segmented type networks

        You got a 2nd WAN connection with a different gateway and you want to route the upstream traffic of the DMZ out to this new WAN?

        Yes, that is correct @viragomann

          johnpoz LAYER 8 Global Moderator @rynstack
          last edited by May 1, 2023, 3:47 PM

          @rynstack this would be a policy route; via a firewall rule you can push traffic out any specific gateway you want.

          https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            rynstack @johnpoz
            last edited by rynstack May 1, 2023, 6:20 PM May 1, 2023, 5:31 PM

            @johnpoz thanks for the note and ref. I did play with that option before when troubleshooting early on, but was still having some problems with it, though I'd like to try it again some more [it was allowing traffic out when viewing logs, but getting stuck beyond the virtual child interface out to the public for some reason]. Granted, I did make changes while testing afterwards and still came to the same problem I'm having now, but there may be additional config needed for that to work properly in our setup.
            So technically, policy routing should resolve this issue and no adjustment would be needed to the system default route settings?

            One downside I found after trying that and some other things during testing is that a gateway listed in the routing table is stuck with the gateway IP I want to use pointing at a wrong MAC address [alternate virtual interface], so now I cannot seem to fix it or use that IP as a gateway. The gateway is marked as down, though it's up on the correct physical interface, even after removing and re-adding it from the system gateway list. Concerned some stale config has been conflicting with getting this to work properly since the beginning. Any advice on how to manually remove the problem gateway from the routing table without affecting other networks or the entire running system is welcome! Thanks in advance.
            edit=uploaded image example

              viragomann @rynstack
              last edited by May 1, 2023, 6:57 PM

              @rynstack
              Did you accidentally assign the same subnet to different interfaces by any chance?
              Check out Status > Interfaces.

                rynstack @viragomann
                last edited by May 1, 2023, 7:15 PM

                @viragomann thanks for the check - here's what I can see currently: this virtual interface for 10.86.151.1 still has the problematic gateway assigned to it, but in the interface config it's not set. I checked the subnets of all interfaces and they are all unique, but the problem gateway IP is listed for 2 interfaces. Bug?

                  viragomann @rynstack
                  last edited by May 1, 2023, 7:31 PM

                  @rynstack
                  Strange. Chiefly as the gateway is outside of the subnet.

                  What does System > Routing > Gateways show?
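
The checks discussed in the posts above (the same subnet on two interfaces, a gateway outside its interface's subnet, one gateway IP listed for two interfaces) can be run offline over a list of interface addresses. This is an added example, not part of the original thread or of pfSense; apart from 10.86.151.1, every interface name, address, prefix length and gateway below is a constructed assumption.

```python
import ipaddress
from itertools import combinations

# Constructed sample data, not read from the thread's screenshots.
# name -> (interface address/prefix, gateway shown for that interface or None)
INTERFACES = {
    "WAN": ("198.51.100.2/29", "198.51.100.1"),
    "DMZ_WAN": ("203.0.113.10/28", "203.0.113.1"),
    "DMZ_LAN": ("10.86.151.1/24", "203.0.113.1"),  # /24 assumed; stale gateway
    "LAN": ("10.86.150.1/24", None),
}


def audit(interfaces):
    """Return a list of findings as tuples, in a deterministic order."""
    findings = []
    nets = {name: ipaddress.ip_interface(addr).network
            for name, (addr, _gw) in interfaces.items()}

    # 1. Same or overlapping subnet assigned to two interfaces.
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            findings.append(("overlapping-subnets", a, b))

    # 2. Gateway that is not an on-link address of its own interface.
    by_gateway = {}
    for name in sorted(interfaces):
        gw = interfaces[name][1]
        if gw is None:
            continue
        if ipaddress.ip_address(gw) not in nets[name]:
            findings.append(("gateway-outside-subnet", name, gw))
        by_gateway.setdefault(gw, []).append(name)

    # 3. One gateway IP attached to more than one interface.
    for gw, names in by_gateway.items():
        if len(names) > 1:
            findings.append(("gateway-on-multiple-interfaces", gw, tuple(names)))
    return findings


if __name__ == "__main__":
    for finding in audit(INTERFACES):
        print(finding)
```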

                    rynstack @viragomann
                    last edited by rynstack May 1, 2023, 9:59 PM May 1, 2023, 9:54 PM

                    @viragomann basic default route and the problem GW, which I have removed, re-added, disabled and enabled twice, but no change.

                      rynstack @rynstack
                      last edited by rynstack May 1, 2023, 10:15 PM May 1, 2023, 10:12 PM

                      I just "re-saved" the interface [10.86.151.1] again with no change / no gateway and it fixed itself!

                        rynstack
                        last edited by May 1, 2023, 11:06 PM

                        Thanks so much for the help @viragomann and @johnpoz, I seem to have a working route out now with FW rules using policy route!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.