Static routing not being used



  • first some explanation on the configuration
    we're using pfsense 2.3.1

    Server <--> pfSense <--> Internet

    right now I'm trying to route a specific ip address to another router from the pfsense so it goes

    server1 (192.168.x.x) <--> (192.168.x.x) pfSense (x.x.x.2) <---+
                                                                   |
                                                                   +---> (x.x.x.1) InternetGW <---> IpSecRouter2 (y.y.y.y) <--> Server2 (z.z.z.z)
                                                                   |
                                        IPSec Router1 (x.x.x.20) <-+

    The internet for pfsense and router2 is the same
    Server1 has public IP with 1-1 NAT on pfsense
    IpSec router1 is used to encrypt the traffic between server1 and server 2 using IPsec tunneling
    ipsec router1 doesn't do any NAT
    the ipsec tunnel is formed between ipsec router1 and ipsecrouter2
    a static route to the server ip (z.z.z.z) is added on the pfsense to use ipsecrouter1 as the gateway

    but after setting a static route in pfsense, the traffic is not routed to the ipsecrouter1, I tried setting policy based routing as well but traceroute from the server shows it's still using the default gateway as the route

    how should i route the traffic to ipsecrouter1 from pfsense ?



  • Assuming pfSense, the InternetGW, and IPSec Router1 all share IP addresses on the same subnet, which it looks like they do, you need to add IPSec Router1 as an additional gateway in pfSense.  If that is already done, and your routing is still not working as planned, try using firewall rules to do the routing instead of static routes.  To do that you set the rule on the pfSense interface in 192.168.x.x.  The source should be the IP address of server1.  Destination should be the IP address of Server2, and gateway should be the gateway corresponding to the IP address of IPSec Router1.  Make sure that rule comes before your default rule on that interface, which presumably routes all outbound traffic through InternetGW.

    In pfSense lingo this is known as "policy based routing."

    EDIT:  NM, I see that you've tried policy based routing.  In that case, make sure your rules are in order.



  • I tried putting the routing rules on top just below the default anti lockout rule but it's still not routing it through (screenshot attached) , just to test I tried changing the default gateway on pfsense wan interface to ipsecrouter1 and I lost internet connection, pfsense would not use the gateway and traceroute just returns * * *

    I also tested with another server using a public ip (no nat) and just adding a static route using the ipsec router1 ip as gateway, and it worked as expected. so the ipsec router1 configuration is working




  • managed to get it working using a static route. I had to remove the gateway from the WAN Interface, then the static route is being used properly. is this how it's supposed to be configured ? I didn't find anything regarding the removal of the gateway from the WAN Interface in order for the static route to be used properly

    I also had to manually add a NAT rule when I removed the gateway from the WAN interface for regular internet traffic to work

    my previous test of using the ipsec router as gateway wasn't working because I had the IpSec Router1 ip as a virtual IP on the pfsense, once i removed it traffic flowed as expected

    on another case, policy based routing is still not working, but that's a different problem


  • Netgate

    When an interface has a gateway set on it it is considered to be a WAN. That means that all connections (states) coming into that interface get reply-to back to that gateway. It also means that all outbound connections get route-to to that gateway.

    What you need to do is place a floating rule on WAN outbound for the networks on the other side of the IPsec gateway with no gateway set.

    Any inbound rules on pfSense WAN should use the advanced option to disable reply-to.

    Not setting a gateway on the WAN interface would also be an option. That should work until Multi-WAN interfaces are involved. In that case you need reply-to and route-to to override the default gateway/routing table.
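
The reply-to / route-to behaviour described in the last reply, sketched as simplified raw pf rules. This is an added illustration, not part of the thread and not pfSense's actual generated ruleset; the interface name, the addresses (documentation ranges) and the port are constructed placeholders.

```pf
# Constructed placeholders, standing in for the thread's masked addresses.
wan_if     = "em0"
wan_ip     = "203.0.113.2"       # pfSense WAN address
wan_net    = "203.0.113.0/24"    # subnet shared with InternetGW and IPSec Router1
wan_gw     = "203.0.113.1"       # InternetGW, the gateway set on the WAN interface
server1    = "192.168.1.10"      # internal host behind 1:1 NAT
remote_net = "198.51.100.0/24"   # network on the other side of the IPsec gateway

# Floating rule, WAN outbound, no gateway set. 'quick' makes it match before
# the route-to rule below. With no route-to, the packet follows the kernel
# routing table, so the static route via IPSec Router1 is honoured.
pass out quick on $wan_if inet from any to $remote_net keep state

# What a gateway on the interface implies: every other outbound connection
# is forced to that gateway, regardless of static routes.
pass out on $wan_if route-to ( $wan_if $wan_gw ) inet from $wan_ip to ! $wan_net keep state

# Inbound rule with reply-to disabled: replies for connections arriving from
# the remote network follow the routing table back through IPSec Router1.
pass in quick on $wan_if inet proto tcp from $remote_net to $server1 port 443 keep state

# Default inbound behaviour when the interface has a gateway: replies for
# these states are sent back to the WAN gateway via reply-to.
pass in quick on $wan_if reply-to ( $wan_if $wan_gw ) inet proto tcp from any to $server1 port 443 keep state
```

In the pfSense GUI these correspond to a floating rule with direction "out" and the gateway left at default, and to the "Disable reply-to" advanced option on the WAN rule.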