Problem with System: Static Routes
-
Sorry I may be being a bit thick here but how can the gateway be on a different network to the NIC. Surly the gateway must be in the 172.16.254.0/24 network
if I set my gateway 172.25.55.253 directly at my client box, I able to connect to my 172.16.254.0/24 network, so I thing it must be my pfsense route which not working.
-
You can not set a gateway to an IP address that is NOT on your network!! NEVER work in a MILLION YEARS!!
And for starters windows would scream at you if you tried, and so would linux I do believe
see attached image of example of windows screaming at you for wrong gateway.
Please layout this network for us – why do you feel that you need to talk to a 172.25.55.253 to get off your lan if your network is 172.16.254.0/24 ??
You do not need a gateway to talk to anything on the 172.16.254.0/24 you have a interface directly on that network - do you not.
As to those IPv6 routes, those are local-link addresses, and are meaningless - and to be honest I don't believe they even show up unless you installed the IPv6 build of pfsense, Im installing a non ipv6 build not to verify..
Please layout your network for us so we can help you!!
edit: ok just verified with a old 2.0 beta vm, and yeah the ipv6 local-link routes are there, but they have NOTHING to do with anything to do at all with any ipv4 addresses or routing.
-
mynullvoid Drop to a shell and post the output of netstat -r please so we can see the actual routes. As has been previously said it seems likely that the pfsense box has no route back to the 172.25.55.253 device. You must have a gateway defined on the 172.16.254.0/24 network to reach the 172.25.55.0/24 network.
-
Can you show screenshots of your setup since its kind of hard to see where do you take this from?
Network Gateway Interface
172.16.254.0/24 mNet - 172.25.55.253 LAN -
if I set my gateway 172.25.55.253 directly at my client box, I able to connect to my 172.16.254.0/24 network, so I thing it must be my pfsense route which not working.
FreeBSD is more sane and less forgiving than other OSes, it will not ARP an IP that is not on a locally configured subnet, where Windows will (and maybe Linux though not sure on it). It's not a valid network configuration regardless, fix it so it is. Either move the router to an IP within an attached subnet, or add a VIP so it's within a local subnet.
-
Let me explain,
my pfsense box got 3 NIC:
WAN : pppoe
LAN : 172.25.55.102
OPT1 : 172.25.55.103via OPT1 it is connected to other bigger network of our main office, and I had create a bridge for LAN and OPT1.
If we set out a client gateway to be 172.25.55.253 which is connected via OPT1, the client able to access network 172.16.254.0/24 but all the traffic will be going out via our main office.
What I want is that my LAN traffic to use 172.25.55.102 as gateway where it will use my WAN access out; and only for certain destination IP, it should be routed via 172.25.55.253.
The funny part is that, I got it working fine before, until I did something, which I guess I upgrade the firmware.
If there are better way, please advise. Thank you
-
Bridge takes priority over routing.
-
@ermal:
Bridge takes priority over routing.
I need to bridge both my LAN and OPT1 otherwise how can I get my LAN machine to access via OPT1 network, since behind 172.25.55.103, this NIC is connected to a another bridge of 172.25.55.101 to 172.25.55.100.
-
I had remove the bridge, and connect the second link to a switch, and from the switch I connect to OPT1 to leaving alone just static route which are:
Gateway:
Name Interface Gateway Monitor IP Description
mNet OPT1 172.25.55.253 172.25.55.253 Alt GatewayRoutes:
Network Gateway Interface Description
172.16.254.0/24 mNet - 172.25.55.253 OPT1 Alt Exchange ADFirewall: I had set allow any to any
If I still have 172.25.55.102 as the client gateway, I cant event reach 172.16.254.0/24, but if I change my gateway to 172.25.55.253 then only I can reach it.
What else could go wrong on the routing?
-
So anyone want to respond? at early thread there were many advise, when I narrowed at the routing problem, suddenly no takers, like I said my config worked in 1.2.3 until beta 5, l didn't update until lately.
I even fresh install it and the routing doesn't work at all.
-
"I had remove the bridge, and connect the second link to a switch, and from the switch I connect to OPT1 to leaving alone just static route which are:"
This makes NO SENSE!!! And what is connected to the switch? Why would you connect the switch to OPT1
Why would you not just connect your LAN interface to the switch. You have the same network on 2 different interfaces on your pfsense box that are no longer bridged? How are you going to get anywhere?
Please LAYOUT YOUR NETWORK!!! You clearly have multiple devices connected to lan, and then multiple devices connected to opt1 that was the same network. Then you bridged these interfaces which made no sense in the first place.
Lets see a drawing your network! Before I made this out sofare - which makes no masks btw.
Now you removed the bridge and what IP did you give opt1 and looks like you created a gateway???
finish this drawing that is attached spelling out the IPs and masks of your interfaces and what this 172.25.55.253 device is – can we see the routes on it? Why were you bridged before??
When asked for your routes -- how about a screen shot of your routes page, or the output of netstat -r like asked for before.
So finish/fix the drawing of your network in its current setup and lets see output of your routes from netstat -r or screen shot of your routes page.
I would love to help you - but need to understand your network first.
-
when I said I remove the bridge is because, I was told that 'Bridge takes priority over routing', so I try the work around. anyway, these are some information requested, do ask for me to give further so that I can get my network running as I should.
+–-+
| | LAN: 172.25.55.102/24
| p |=======================
| f | 172.25.55.253/24
| s | +---+
| e | OPT1: 172.25.55.103/24 | r |
| n |======================(172.25.55.101 bridge 172.25.55.100)===| o |
| s | | u | 172.16.254.0/24
| e | | t |==========
| | WAN : pppoe | e |
| |====================== | r |
+---+ +--+Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
0.0.0.0 link#1 U 0 0 rl0 =>
default 219.93.218.177 UGS 0 2698865 pppoe0
60.53.xxx.xx link#9 UHS 0 0 lo0
localhost link#5 UH 0 316 lo0
172.16.254.0 172.25.55.253 UGS 0 506 rl1
172.25.55.0 link#3 U 0 3460459 re0
firegate link#3 UHS 0 0 lo0
172.25.55.103 link#2 UHS 0 0 lo0
isp1.in.box.net 219.93.xxx.xxx UGHS 0 12539 pppoe0
isp2.in.box.net 219.93.xxx.xxx UGHS 0 11938 pppoe0
219.93.xxx.xxx link#9 UH 0 63391 pppoe0Internet6:
Destination Gateway Flags Netif Expire
localhost localhost UH lo0
fe80::%rl0 link#1 U rl0
fe80::227:19ff:fef link#1 UHS lo0
fe80::%rl1 link#2 U rl1
fe80::227:19ff:fef link#2 UHS lo0
fe80::%re0 link#3 U re0
fe80::214:2aff:fec link#3 UHS lo0
fe80::%lo0 link#5 U lo0
fe80::1%lo0 link#5 UHS lo0
fe80::%pppoe0 link#9 U pppoe0
fe80::227:19ff:fef link#9 UHS lo0
ff01:1:: fe80::227:19ff:fef U rl0
ff01:2:: fe80::227:19ff:fef U rl1
ff01:3:: fe80::214:2aff:fec U re0
ff01:5:: localhost U lo0
ff01:9:: fe80::227:19ff:fef U pppoe0
ff02::%rl0 fe80::227:19ff:fef U rl0
ff02::%rl1 fe80::227:19ff:fef U rl1
ff02::%re0 fe80::214:2aff:fec U re0
ff02::%lo0 localhost U lo0
ff02::%pppoe0 fe80::227:19ff:fef U pppoe0 -
I thought you said you removed the bridge? How do you expect anything connected to lan to get to something connected to opt1 when you have not changed the network connected to the interface.
Where is this switch you said you connected? Breakout a crayon or something and actually DRAW your network.
I fail to understand the need for the same network on 2 different interfaces? Why don't change your opt1 network to say 172.25.54.0/24 and then couple simple routes on your pfsense and other router and everyone would be happy.
pfsense
172.16.254.0/24 172.25.54.253 via opt1router
172.25.55.0/24 172.25.54.103 via ethX
-
<<forget about="" i="" remove="" the="" bridge="" and="" switch="" stuff="" -="" because="" just="" experimenting="">>
The OPT1 is connected a bigger network of 172.16.254.0/24, 192.168.2.0/24 and some other network subnets.
My network IP was given by my HQ IT to use 172.25.55.0/24 and I was asked to create routes via 172.25.55.253 as gateway.
The issue now is how could I route for certain predefined destination IP to use OPT1 gateway which is 172.25.55.253? </forget>
-
http://doc.pfsense.org/index.php/What_is_policy_routing%3F
What is policy routing?
Policy routing in pfSense refers to the capability of routing traffic by matching it to specific firewall rules. Each firewall rule allows you to select a gateway. If none is selected, traffic goes out your WAN interface. If you have any additional WAN interfaces (OPT WAN), or gateway load balancing or failover pools, you can select these in the Gateway field when adding or editing rules to direct matching traffic as you desire.What firewall rules we are talking about?
Anyway, can anyone help me out? I had designed my network, here
-
If your going continue to run with that network setup then it seems to me your running a router on a stick.. Ie you have devices connecting via interface X, just for the router to send traffic back out interface X to got next hop but without the vlans.
If you back to your bridged setup, then I would say you just need the correct route on your pfsense box, before you had it set to lan as interface. But 172.25.55.253 is not on lan its on opt1.
So your route should of been
172.16.254.0/24 172.25.55.253 via opt1 or possible your br0. I don't have a lot of exp with bridges to be honest, have not used them since late 90's ;) Other than a wireless ones to change from wireless to wired, etc.
But when you create a bridge would you not just have 1 ip address for the br0?? Again I don't work with bridges much. Never seen the need on router ;) With a router you would route not bridge - and if you were going bridge you wouldn't need to route over the bridge.
