Issue regarding static routes - redirect traffic to other gateway on lan
-
(Please note: I posted this in the 1.2.1 testing snapshots but realized that this is where it's supposed to be.)
Good Day.
I have a pfSense 1.2 RC1 box running perfectly, but there is a weird issue that we encountered when we tried to set a static route for a specific block of IPs to our co-location servers.
This is our network layout:

    isp 1          isp 2
      |              |
   (eth0.1)       (eth0.2)
   multi-WAN router (Linux box)
      | (lan-side 10.10.100.1/24)
      |
      | (wan-side 10.10.100.2/24)
   pfSense 1.2 RC1 (NAT / traffic shaper / Squid / DHCP services turned ON)
      | (lan-side 192.168.1.1/24)
      |
   LAN switch
      |----(192.168.1.3) Cisco router@office ---(leased line)--- cisco@datacenter1 ---- servers
      |----(192.168.1.2) Cisco router@office ---(leased line)--- cisco@datacenter2 ---- servers
      |
   PCs 192.168.1.0/24, GW 192.168.1.1

My static rules in pfSense are:
Traffic to the IPs of datacenter 1 servers (all devices' routes are configured) will be sent to gateway 192.168.1.2
Traffic to the IPs of datacenter 2 servers (all devices' routes are configured) will be sent to gateway 192.168.1.3
Now my problem is that whenever sessions/connections are made (particularly SSH) to the servers in datacenters 1 & 2,
we encounter dropped connections (our SSH sessions disconnect after a couple of minutes). Note: our observation is that when traffic destined to the datacenters is redirected/resolved by pfSense the issue arises, but when a PC has hardcoded routes to the datacenters, connections/sessions work perfectly.
Has anyone encountered issues like this when making static routes pointing to a different gateway inside the LAN?
Thanks
-
Good Day,
Until now we haven't figured out why this issue exists. We even set up another box just to isolate hardware, but still no success.
Our workaround is to just let the traffic pass through our LAN interface and set up the OPT1 interface to handle routing to the next-hop Cisco router. This solves our problem, though we have added some more routes on our Cisco routers.
Anyway, I hope someone will shed some light on this matter. I'm happy with the performance of my pfSense box, but I still hope to set up my network based on my original layout.
Again, thank you and good day.
-
Has there been any solution to this problem? I have a similar situation where pfSense is our gateway/firewall with 3 WAN links. I have a small subnet inside our LAN network that has its own firewall/router exposed on the same address range as the LAN interface (192.168.0.X). The subnet is 192.168.1.X. I set up a static route on pfSense so that all traffic destined for 192.168.1.X/24 is routed to 192.168.0.250 (the firewall/router of the .1 subnet). From the pfSense shell I can ping 192.168.1.5 or any other .1 address fine. When I'm on 192.168.0.50 (IP of a desktop on the pfSense LAN) I cannot ping 192.168.1.5. I did a trace of the LAN interface on the pfSense box and the packets go there and then disappear. When I do a traceroute from the 192.168.0.50 box to the 192.168.1.5 box, the first hop is out the default WAN connection. I do not understand why pfSense is routing like this. I would think that it would see the 192.168.1.5 address and send it to 192.168.0.250 per the defined static route. I checked the pfSense netstat -r and it's set for the right interface and the right gateway, so the static route is correct. Any ideas?
-
Hi,
We have a similar situation.
WAN --- PfS1 --- LAN1 (192.168.x.x) --- PfS2 --- LAN2 (172.20.x.x)
The default gateway of our LAN1 clients is the PfS1 LAN address. But some clients (in LAN1) have to reach some PCs in LAN2. So we set up a static route on PfS1 like this: interface: LAN1, network: 172.20.x.x, gateway: 192.168.0.20 (PfS2 LAN1 interface address)
But when we do a traceroute, the packets go through PfS1 towards the WAN.
We use many things like CARP and the load balancer; maybe that is the problem.
I would appreciate any advice.
Thank you
-
There is an option in System > Advanced:
- Bypass firewall rules for traffic on the same interface
If we leave it unchecked, the ping packets are captured by the firewall LAN rules, and because there was an ICMP rule in it, they are pushed towards the WAN. If we check the mentioned option, the firewall does not disturb the static route.
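The behaviour described in this post and in the earlier 192.168.0.250 report can be made concrete with a small model of the forwarding decision. The code below is an added illustration, not pfSense source or anything posted in this thread; it assumes a simplified model in which a pass rule that carries a gateway (policy routing) overrides the routing table unless the "bypass firewall rules for traffic on the same interface" option makes the firewall skip traffic whose route leaves through the interface it arrived on. Interface names, the load-balancer gateway name WAN_LB and the 203.0.113.1 upstream address are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One entry of the system routing table."""
    prefix: IPv4Network
    iface: str                       # interface the prefix is reached through
    gateway: Optional[IPv4Address]   # None means directly connected


@dataclass(frozen=True)
class Rule:
    """One firewall pass rule on an interface; a gateway makes it a policy route."""
    iface: str                       # interface the rule is evaluated on (inbound)
    dst: IPv4Network
    gateway: Optional[str] = None    # e.g. a WAN or load-balancer gateway name


def lookup_route(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the kernel routing table does."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def _hop(route: Route) -> str:
    return f"direct:{route.iface}" if route.gateway is None else str(route.gateway)


def next_hop(dst: str, in_iface: str, table: List[Route], rules: List[Rule],
             bypass_same_iface: bool) -> Tuple[str, str]:
    """Decide how a packet arriving on in_iface for dst is forwarded.

    Assumed (simplified) model: with the bypass option on, a packet whose
    routing-table decision leaves through the interface it came in on skips
    the firewall rules entirely, so the static route is honoured. Otherwise
    the first matching pass rule wins, and a gateway set on that rule
    overrides the routing table.
    """
    addr = ip_address(dst)
    route = lookup_route(table, addr)
    if bypass_same_iface and route is not None and route.iface == in_iface:
        return "static-route", _hop(route)
    for rule in rules:
        if rule.iface == in_iface and addr in rule.dst:
            if rule.gateway is not None:
                return "policy-route", rule.gateway
            break  # plain pass rule: fall through to the routing table
    if route is None:
        return "unreachable", "no route"
    return "static-route", _hop(route)


# Constructed sample modelled on the 192.168.0.250 post: LAN 192.168.0.0/24,
# a second subnet 192.168.1.0/24 behind 192.168.0.250, and a default route out the WAN.
TABLE = [
    Route(ip_network("0.0.0.0/0"), "wan", ip_address("203.0.113.1")),        # default route (sample)
    Route(ip_network("192.168.0.0/24"), "lan", None),                         # directly connected
    Route(ip_network("192.168.1.0/24"), "lan", ip_address("192.168.0.250")),  # the static route
]

# A LAN "allow any" rule whose gateway is a load-balancer group: this is the
# rule that steals packets from the static route when bypass is unchecked.
RULES_WITH_GATEWAY = [Rule("lan", ip_network("0.0.0.0/0"), gateway="WAN_LB")]
# The same rule without a gateway leaves routing to the routing table.
RULES_PLAIN = [Rule("lan", ip_network("0.0.0.0/0"))]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"bypass={flag}: 192.168.1.5 ->",
              next_hop("192.168.1.5", "lan", TABLE, RULES_WITH_GATEWAY, flag))
```

Running it shows the two cases from the thread: with the policy-routing rule and bypass unchecked, 192.168.1.5 is handed to WAN_LB (the traceroute going out the default WAN); with bypass checked, the same packet follows the static route to 192.168.0.250. Traffic for an internet address still hits the rule in both cases, because its route leaves via a different interface. A rule without a gateway never causes the problem, which is why the check worth doing is whether the LAN pass rule has a gateway set rather than whether the route is in netstat -r.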
-
I had quite a similar problem, and checking the checkbox for "Bypass firewall rules for traffic on the same interface" solved it perfectly.
I think it is a bug though: I do allow all traffic to flow between the internal networks, yet large file transfers would stop after a while.