Deleting a disabled static route clobbers the route in the routing table and breaks VPN traffic



  • Scenario

    Openvpn with list of remote networks.

    While chasing down an MSS issue that was causing packet loss and retransmission, we decided to send traffic for one remote network via a different gateway (another pfsense/openvpn virtual instance).

    Set up the gateway, added a static route, traffic goes that way.

    Figure out mssfix after testing with mtu-test, decide to bring traffic back.

    Disable the static route, which drops that route from the routing table. Have to restart the openvpn instance to recreate the route for that traffic over openvpn.

    Traffic flowing nicely.

    Later, decide to clean up the now disabled route, bam, route deleted from the routing table, traffic goes nowhere.

    Hey!
    a) That route was already disabled; deleting a disabled rule shouldn't fiddle with the routing table at all.
    b) That route wasn't yours to fiddle with in the routing table. It was created by openvpn up, not you, leave it alone.

    Have to restart openvpn again to recreate the route for traffic within the vpn. More screaming users. :-[

    Is this an edge case that hasn't been considered, or are we driving this thing wrong?

    a) Seems like an easy fix: if the rule is disabled, don't alter the routing table.
    b) Is harder: have to track the originating source of routes in the routing table, or at least check if any enabled, active, up openvpn instances specify that remote network's route.
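The two checks proposed in a) and b), modelled as an added example (this is illustrative Python, not pfSense code; the data structures, field names and the sample scenario are assumptions constructed for the demonstration):

```python
from dataclasses import dataclass


@dataclass
class StaticRoute:
    network: str   # destination in CIDR form
    gateway: str   # next hop the static entry points at
    enabled: bool  # a disabled entry has installed nothing in the kernel table


@dataclass
class OpenVPNInstance:
    name: str
    running: bool
    remote_networks: list  # networks the instance installs routes for on "up"


def owners_of_route(network, vpn_instances):
    """Names of running OpenVPN instances whose remote networks cover this route."""
    return [v.name for v in vpn_instances if v.running and network in v.remote_networks]


def plan_delete(route, vpn_instances):
    """Decide whether deleting a static-route entry may touch the kernel table.

    Returns (remove_from_kernel, reason). Check (a): a disabled entry never
    installed a kernel route, so there is nothing to remove. Check (b): if a
    running OpenVPN instance owns the live route, deleting the entry must
    leave that route alone.
    """
    if not route.enabled:
        return False, "entry disabled; kernel table untouched"
    owners = owners_of_route(route.network, vpn_instances)
    if owners:
        return False, f"route owned by OpenVPN instance(s) {owners}; kernel table untouched"
    return True, "route installed by this entry; remove from kernel"


def apply_delete(kernel_routes, route, vpn_instances):
    """Return the kernel routing table as it would look after the delete."""
    remove, _ = plan_delete(route, vpn_instances)
    return [r for r in kernel_routes if not (remove and r == route.network)]


# Constructed scenario from the report: the remote network is back on the
# VPN (route re-created by the openvpn "up"), the static entry is disabled.
VPN = [OpenVPNInstance("ovpns1", True, ["10.20.0.0/24", "10.30.0.0/24"])]
KERNEL = ["10.20.0.0/24", "10.30.0.0/24"]
DISABLED_ENTRY = StaticRoute("10.20.0.0/24", "192.168.1.2", enabled=False)
```

Running `apply_delete(KERNEL, DISABLED_ENTRY, VPN)` leaves both VPN routes in place, whereas the behaviour described above removed 10.20.0.0/24 and silently blackholed the traffic.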

