Netgate Discussion Forum

    Static routing not being used

    Routing and Multi WAN
    5 Posts, 3 Posters, 2.0k Views
    adi.nugraha

      First, some explanation of the configuration.
      We're using pfSense 2.3.1.

      Server <--> pfSense <--> Internet

      Right now I'm trying to route a specific IP address to another router from the pfSense, so it goes:

      server1 (192.168.x.x) <--> (192.168.x.x) pfSense (x.x.x.2) <------+
                                                                        |
                                                                        +----> (x.x.x.1) InternetGW <---> IpSecRouter2 (y.y.y.y) <--> Server2 (z.z.z.z)
                                                                        |
                                             IPsec Router1 (x.x.x.20) <-+

      The internet for pfSense and router2 is the same.
      Server1 has a public IP with 1:1 NAT on pfSense.
      IPsec router1 is used to encrypt the traffic between server1 and server2 using IPsec tunneling.
      IPsec router1 doesn't do any NAT.
      The IPsec tunnel is formed between IPsec router1 and IPsec router2.
      A static route to the server IP (z.z.z.z) is added on the pfSense to use IPsec router1 as the gateway.

      But after setting the static route in pfSense, the traffic is not routed to IPsec router1. I tried setting policy-based routing as well, but traceroute from the server shows it's still using the default gateway as the route.

      How should I route the traffic to IPsec router1 from pfSense?

      whosmatt

        Assuming pfSense, the InternetGW, and IPSec Router1 all share IP addresses on the same subnet, which it looks like they do, you need to add IPSec Router1 as an additional gateway in pfSense. If that is already done, and your routing is still not working as planned, try using firewall rules to do the routing instead of static routes. To do that you set the rule on the pfSense interface in 192.168.x.x. The source should be the IP address of server1. Destination should be the IP address of Server2, and gateway should be the gateway corresponding to the IP address of IPSec Router1. Make sure that rule comes before your default rule on that interface, which presumably routes all outbound traffic through InternetGW.

        In pfSense lingo this is known as "policy based routing."

        EDIT: NM, I see that you've tried policy based routing. In that case, make sure your rules are in order.

          adi.nugraha

          I tried putting the routing rules on top, just below the default anti-lockout rule, but it's still not routing it through (screenshot attached). Just to test, I tried changing the default gateway on the pfSense WAN interface to ipsecrouter1 and I lost internet connection; pfSense would not use the gateway and traceroute just returns * * *.

          I also tested with another server using a public IP (no NAT), just adding a static route using the IPsec router1 IP as gateway, and it worked as expected. So the IPsec router1 configuration is working.

          pfSenseLANRules.PNG

            adi.nugraha

            Managed to get it working using a static route. I had to remove the gateway from the WAN interface; then the static route is used properly. Is this how it's supposed to be configured? I didn't find anything regarding the removal of the gateway from the WAN interface in order for the static route to be used properly.

            I also had to manually add a NAT rule when I removed the gateway from the WAN interface for regular internet traffic to work.

            My previous test of using the IPsec router as gateway wasn't working because I had the IPsec Router1 IP as a virtual IP on the pfSense; once I removed it, traffic flowed as expected.

            In another case, policy-based routing is still not working, but that's a different problem.

              Derelict (Netgate)

              When an interface has a gateway set on it, it is considered to be a WAN. That means that all connections (states) coming into that interface get reply-to back to that gateway. It also means that all outbound connections get route-to to that gateway.

              What you need to do is place a floating rule on WAN outbound for the networks on the other side of the IPsec gateway with no gateway set.

              Any inbound rules on pfSense WAN should use the advanced option to disable reply-to.

              Not setting a gateway on the WAN interface would also be an option. That should work until Multi-WAN interfaces are involved. In that case you need reply-to and route-to to override the default gateway/routing table.


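The mechanism Derelict describes is worth seeing in rule form: once a WAN rule carries route-to or reply-to, pf hands the packet to that gateway and never consults the kernel routing table, so a static route for the network behind the IPsec router is silently ignored and the traffic leaves through the default gateway instead of the tunnel. The script below is an added example, not code from this thread or from pfSense: it reads rules in the text form that `pfctl -sr` prints, applies pf's matching order (first matching `quick` rule wins, otherwise the last match), and reports whether the deciding rule in each direction forces a gateway other than the IPsec router. The two rule sets are constructed to resemble pfctl output, and the interface names (em0 = LAN, em1 = WAN), 198.51.100.1 (InternetGW), 198.51.100.20 (IPsec Router1) and 203.0.113.0/24 (Server2's network) are all assumptions for the demonstration.

```python
"""Check whether pf rules (as printed by `pfctl -sr`) let a static route work,
or whether route-to/reply-to on WAN-bound rules override the routing table.

Added example; not code from the forum thread or from pfSense itself. The rule
text below is constructed to resemble pfctl output. Interface names (em0 = LAN,
em1 = WAN), 198.51.100.1 (InternetGW), 198.51.100.20 (IPsec Router1) and
203.0.113.0/24 (Server2's network behind the tunnel) are all assumptions.
"""
import ipaddress
import re

ACTION_RE = re.compile(r"^(pass|block|match)(?:\s+(in|out))?\b")
ON_RE = re.compile(r"\bon\s+(\S+)")
POLICY_RE = re.compile(r"\b(route-to|reply-to)\s*\(\s*(\S+)\s+([^\s)]+)\s*\)")
# The lookbehind keeps "to"/"from" from matching the tail of route-to/reply-to.
DST_RE = re.compile(r"(?<![\w-])to\s+(!\s*)?(\S+)")
SRC_RE = re.compile(r"(?<![\w-])from\s+(!\s*)?(\S+)")

# Constructed: WAN has a gateway set, so inbound WAN rules carry reply-to and
# outbound rules carry route-to. A kernel static route to 203.0.113.0/24 via
# 198.51.100.20 exists, but pf never consults it for these rules.
RULES_GATEWAY_ON_WAN = """\
pass in quick on em0 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 reply-to (em1 198.51.100.1) inet proto tcp from any to 192.168.10.50 port = 443 flags S/SA keep state label "USER_RULE: NAT to server1"
pass out route-to (em1 198.51.100.1) inet from any to ! 198.51.100.0/24 flags S/SA keep state label "constructed: WAN outbound, gateway set"
"""

# Constructed: the fix from the thread. A floating outbound rule on WAN for the
# remote network with no gateway (hence no route-to), evaluated first, plus an
# inbound WAN rule for traffic from that network with reply-to disabled.
RULES_FIXED = """\
pass out quick on em1 inet from any to 203.0.113.0/24 flags S/SA keep state label "USER_RULE: Server2 net via routing table"
pass in quick on em0 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 inet from 203.0.113.0/24 to 192.168.10.50 flags S/SA keep state label "USER_RULE: from Server2, reply-to disabled"
pass in quick on em1 reply-to (em1 198.51.100.1) inet proto tcp from any to 192.168.10.50 port = 443 flags S/SA keep state label "USER_RULE: NAT to server1"
pass out route-to (em1 198.51.100.1) inet from any to ! 198.51.100.0/24 flags S/SA keep state label "constructed: WAN outbound, gateway set"
"""


def parse_rule(line):
    """Parse one pfctl -sr line into a dict; return None for non-rule lines."""
    body = line.split(" label ")[0]  # labels are free text, skip them
    m = ACTION_RE.match(body)
    if not m:
        return None
    pol, src, dst, on = (rx.search(body) for rx in (POLICY_RE, SRC_RE, DST_RE, ON_RE))
    return {
        "text": line.rstrip(),
        "direction": m.group(2),            # None matches both directions
        "quick": " quick " in f" {body} ",
        "iface": on.group(1) if on else None,
        "policy": pol.group(1) if pol else None,   # route-to / reply-to
        "policy_gw": pol.group(3) if pol else None,
        "src": (bool(src.group(1)), src.group(2)) if src else (False, "any"),
        "dst": (bool(dst.group(1)), dst.group(2)) if dst else (False, "any"),
    }


def covers(field, net):
    """Can a from/to field (negated?, token) match addresses in net?
    net=None means that side of the flow is unconstrained."""
    negated, token = field
    if negated and token == "any":
        return False                      # "! any" matches nothing
    if net is None or token == "any":
        return True
    try:
        rule_net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return True   # interface macro or table we cannot expand: be conservative
    return not net.subnet_of(rule_net) if negated else net.overlaps(rule_net)


def effective_rule(rules, direction, iface, src, dst):
    """pf semantics: the first matching rule with 'quick' wins; otherwise the
    last matching rule does. Rules without direction/interface apply to all."""
    last = None
    for r in rules:
        if r["direction"] not in (None, direction) or r["iface"] not in (None, iface):
            continue
        if not (covers(r["src"], src) and covers(r["dst"], dst)):
            continue
        if r["quick"]:
            return r
        last = r
    return last


def audit(rule_text, wan_if, remote_net, ipsec_gw):
    """For traffic to/from remote_net on wan_if, find the deciding rule in each
    direction and say whether it forces a gateway other than ipsec_gw."""
    rules = [r for r in map(parse_rule, rule_text.splitlines()) if r]
    net = ipaddress.ip_network(remote_net, strict=False)
    report = {}
    for direction, src, dst in (("out", None, net), ("in", net, None)):
        r = effective_rule(rules, direction, wan_if, src, dst)
        if r is None:
            verdict = "no-match"
        elif r["policy"] and r["policy_gw"] != ipsec_gw:
            verdict = "overridden"   # route-to/reply-to wins over the kernel route
        else:
            verdict = "ok"
        report[direction] = (verdict, r["text"] if r else None)
    return report


if __name__ == "__main__":
    for name, text in (("gateway on WAN", RULES_GATEWAY_ON_WAN), ("fixed", RULES_FIXED)):
        print(f"== {name} ==")
        for direction, (verdict, rule) in audit(text, "em1", "203.0.113.0/24", "198.51.100.20").items():
            print(f"{direction:3} {verdict:10} {rule}")
```

On a real box you would feed it `pfctl -sr` output instead of the constructed strings. The "overridden" verdict is the security-relevant one: traffic that should have entered the IPsec router is being sent to the default gateway, so it crosses the internet without the tunnel's protection even though `netstat -rn` shows the static route in place.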
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.