Netgate Discussion Forum
Static routes puzzling me, inconsistent behaviour

hoba:

Try to enable the following option at System > Advanced: "Static route filtering: Bypass firewall rules for traffic on the same interface".

tacfit:

Thanks, I'm afraid that's already enabled.

hoba:

Are you using policy-based routing/load balancing on that system as well?

tacfit:

No sir, not on that one.

hoba:

Do you use IPsec on that system? If yes, is there a tunnel definition that conflicts with a subnet range of your routes? Also, if so, did you set up static routes for IPsec traffic? Or what is that comment for the one route that is cut off in that screenshot?

tacfit:

Sorry, what am I thinking… the previous question regarding load balancing... YES, we do. I've been working on a few separate problems today and so I got confused about which firewall I was talking about. Sorry hoba, we do have load balancing in place; some firewall rules use the load balancer, others the default routing (as is common).

@hoba:

> Do you use IPsec on that system? If yes, is there a tunnel definition that conflicts with a subnet range of your routes? Also, if so, did you set up static routes for IPsec traffic? Or what is that comment for the one route that is cut off in that screenshot?

No IPsec. (I'm sure of it :) )

hoba:

If you have load balancer rules, they redirect the traffic somewhere before it hits the system's routing table. To prevent this from happening, create a networks alias with all your remote subnets (like the ones that you have in the routing table, or OpenVPN or IPsec subnets as well). Then create a firewall rule on top of all your other LAN rules like "pass, protocol any, source any, destination <remote-networks-alias>, gateway default". Does it work now? This can be especially tricky and needs to be done if you are working with "load balance anything" rules at the bottom of your firewall rules.

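To make the ordering hoba describes concrete, here is an added model (not pfSense code, constructed for this thread) of first-match rule evaluation with a route-to gateway versus a longest-prefix routing-table lookup. The subnets, gateway names and the "LoadBalancer" gateway are assumed values.

```python
"""Model of why a policy-routing rule bypasses a static route in pfSense.

Constructed example: pfSense generates its rules as first-match ("quick")
pf rules; a rule with an explicit gateway becomes a route-to and the
routing table is never consulted for that packet. A rule with the
default gateway hands the packet back to the routing table.
"""
import ipaddress

# Constructed routing table: one static route plus the default route.
ROUTES = [
    (ipaddress.ip_network("10.20.0.0/16"), "192.168.1.254"),  # static route via an inside router
    (ipaddress.ip_network("0.0.0.0/0"), "wan1_gw"),           # default gateway
]

# Constructed alias of remote networks reached through static routes / VPN tunnels.
REMOTE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("10.30.0.0/16")]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the selected gateway."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def evaluate(rules, dst):
    """First matching rule wins. A rule is (destination networks or None for
    'any', gateway or None for 'default'). gateway=None defers to the routing
    table; an explicit gateway is a route-to and bypasses it."""
    addr = ipaddress.ip_address(dst)
    for dst_nets, gateway in rules:
        if dst_nets is None or any(addr in n for n in dst_nets):
            return route_lookup(dst) if gateway is None else gateway
    return "blocked"  # no pass rule matched


# Rule set from the thread: only a "load balance anything" rule.
LB_ONLY = [(None, "LoadBalancer")]
# hoba's fix: pass to the remote-networks alias with gateway default, on top.
FIXED = [(REMOTE_NETWORKS, None), (None, "LoadBalancer")]

if __name__ == "__main__":
    print(evaluate(LB_ONLY, "10.20.5.1"))  # LoadBalancer: static route never consulted
    print(evaluate(FIXED, "10.20.5.1"))    # 192.168.1.254: routing table honoured
    print(evaluate(FIXED, "8.8.8.8"))      # LoadBalancer: everything else still balanced
```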
tacfit:

Booyah! That works perfectly.

It makes sense why that's necessary, but I really would have thought static routes would get processed first. What is the issue there? Is it something I could create a bounty for someone to look into modifying, or is that an OS kind of thing?

hoba:

If we auto-added rules for static routes, it would no longer be possible to add blocks on them. Nothing that can be solved with a bounty. The firewall rules are processed before the routing table is hit. This is just something that you have to know.

tacfit:

Fair enough.

Thanks a lot hoba, your knowledge is much appreciated.
