PfSense does strange IPv4 source address pick

eshield

Hello,

Yesterday I've upgraded my box to 2.3.2_1 and noticed that DNS (static route to 10.129.124.45) server on other side of VPN is not accessible from the box itself.

Debugging logs:
ping from the box (lan):

[2.3.2-RELEASE][root@gw-1]/root: ping 10.129.124.45
PING 10.129.124.45 (10.129.124.45): 56 data bytes
^C
--- 10.129.124.45 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

tcpdump from remote (DNS) side:

15:59:10.065206 IP 0.0.0.0 > 10.129.124.45: ICMP echo request, id 47750, seq 0, length 64
15:59:11.069817 IP 0.0.0.0 > 10.129.124.45: ICMP echo request, id 47750, seq 1, length 64
15:59:12.068719 IP 0.0.0.0 > 10.129.124.45: ICMP echo request, id 47750, seq 2, length 64
15:59:13.069774 IP 0.0.0.0 > 10.129.124.45: ICMP echo request, id 47750, seq 3, length 64

Nice! a 0.0.0.0 as a source!

ping from any lan pc:

C:\Users\test_user>ping 10.129.124.45

Pinging 10.129.124.45 with 32 bytes of data:
Reply from 10.129.124.45: bytes=32 time=71ms TTL=63
Reply from 10.129.124.45: bytes=32 time=70ms TTL=63
Reply from 10.129.124.45: bytes=32 time=71ms TTL=63
Reply from 10.129.124.45: bytes=32 time=70ms TTL=63

Ping statistics for 10.129.124.45:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum = 71ms, Average = 70ms

ping from the box with source address specified:

[2.3.2-RELEASE][root@gw-1]/root: ping -S 172.16.0.205 10.129.124.45
PING 10.129.124.45 (10.129.124.45) from 172.16.0.205: 56 data bytes
64 bytes from 10.129.124.45: icmp_seq=0 ttl=64 time=69.731 ms
64 bytes from 10.129.124.45: icmp_seq=1 ttl=64 time=71.203 ms
64 bytes from 10.129.124.45: icmp_seq=2 ttl=64 time=71.071 ms
64 bytes from 10.129.124.45: icmp_seq=3 ttl=64 time=70.432 ms
^C
--- 10.129.124.45 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 69.731/70.609/71.203/0.585 ms

[2.3.2-RELEASE][root@gw-1]/root: netstat -4rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            78.40.189.1        UGS      pppoe0
10.129.124.45/32   00:bd:3c:df:00:03  US       ovpnc3
78.40.189.1        link#7             UH       pppoe0
8.28.2.5     link#7             UHS         lo0
127.0.0.1          link#4             UH          lo0
172.16.0.0/24      link#6             U           hn1
172.16.0.205       link#6             UHS         lo0
172.22.1.0/29      link#11            U        ovpnc3
172.22.1.3         link#11            UHS         lo0

after Disable/Enable static route:

[2.3.2-RELEASE][root@gw-1]/root: netstat -4rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            78.40.189.1        UGS      pppoe0
10.129.124.45/32	172.22.1.1	UGS	66	1500	ovpnc3
78.40.189.1        link#7             UH       pppoe0
8.28.2.5     link#7             UHS         lo0
127.0.0.1          link#4             UH          lo0
172.16.0.0/24      link#6             U           hn1
172.16.0.205       link#6             UHS         lo0
172.22.1.0/29      link#11            U        ovpnc3
172.22.1.3         link#11            UHS         lo0

What it can be? Dun remember facing this issue back in the past. Looks like static route been set up before vpn connection.