diag_traceroute
-
Hmmmm when using
mtr -a <SOURCE IP WAN2> <TARGET>from command line
I still see my 'WAN' Interface as Source when checking Diagnostics > States
Any idea?-Rico
-
Sorry for not being clear: The mtr path looks like the correct one, it is really sourcing my WAN2.
Just curious the states show WAN Interface...-Rico
-
The state already existed?
You have a specific route to the target via WAN1?
You would not normally have outbound NAT for WAN2 from WAN1 so it would fail.
Does a pcap show it actually leaving WAN2?
Steve
-
Hi Steve, thanks for your reply.
@stephenw10 said in diag_traceroute:
The state already existed?
No existing state before my MTR testing, I can reproduce this with any target anyway.
@stephenw10 said in diag_traceroute:
You have a specific route to the target via WAN1?
No, the target can be any random Internet host.
System > Routing > Static Routes
is empty.@stephenw10 said in diag_traceroute:
You would not normally have outbound NAT for WAN2 from WAN1 so it would fail.
I'm on Automatic outbound NAT with this pfSense installation.
@stephenw10 said in diag_traceroute:
Does a pcap show it actually leaving WAN2?
Yes, pcap show the MTR traffic leaving WAN2.
-Rico
-
Hmm, OK so in fact the state table is just showing it on the wrong interface? The traffic is actually leaving correctly...
Does it also show incorrect in
pfctl -ss?Steve
-
Yes it shows wrong in
pfctl -ss(igb0 (WAN)).
Hmmm maybe because my Default gateway IPv4 is a Gateway group with WANGW Tier 1 and WAN2GW Tier 2?
The system is in production with a lot of traffic, I can't poke around there and play with the Gateways atm.-Rico
-
I just tried in my home lab with the same weird behavior.
It has nothing to do with the gateway group, same happens with Default gateway IPv4 set to automatic or WANGW.
When switching Default gateway IPv4 to WAN2GW the state shows correct of course, but the problem is just vice versa when sourcing MTR from the WAN IP, it's showing WAN2 in states.-Rico
-
Hmm, if you put a floating outbound block rule on WAN1 for the target IP does it actually block it?
-
Yeah it's blocked then and MTR showing
mtr: Unexpected mtr-packet error-Rico
-
Hmm, so pf is actually seeing that traffic on WAN1 even though it's leaving WAN2?
Not sure how that could happen...
What hardware are you testing that on? What are the WAN interfaces there?
Steve
-
The system in production I've seen this first is SG-5100 with WAN igb0 and WAN2 ix1.
My lab testing is VMware.-Rico
