Static route being ignored by pfsense



  • Hi,

    I'm new to pfsense and built a testsetup.
    I want to use it as an internal firewall, sitting behind my main firewall (which is connected to the internet) and some lans protected by pfsense

    All's working as expected:
    1 wan interface, effectively sitting in same subnet as the main firewall's internal lan
    1 lan interface, protecting some webservers on a simple /24 subnet

    Traffic is flowing nicely and I have successfully created some accessrules.

    However, do have a strange problem with static routes.

    I added 1 static route to the wan interface.
    Using the ping and traceroute utilities in the pfsense webinterface,
    I can reach hosts over that static route just fine.

    But, when a host on the other side of the static route tries to connect to pfsense's public interface,
    I see traffic coming in, but the reply packet gets sent out to the macaddress of the default gateway defined for the wan interface
    and not the macaddress for the gateway defined in the static route…

    I did some package captures and you can clearly see the destination macaddress change in the outgoing packet.

    Any ideas why this is happening?

    Thx, paul



  • I'm not sure if I understand your setup properly.

    But, when a host on the other side of the static route tries…

    What do you mean by "the other side of the static route"?

    Sounds like you are trying to provide split horizon connectivity for your machines behind the LAN interface by defining static routes on the WAN interface.

    I don't think it works like that. For traffic that is NAT-ed through pfSense, all routing decisions are defined in the NAT rules. So if you want split horizon connectivity for your systems behind the LAN interface, you will need two outside interfaces and the routing decisions of which interface to use for certain destination IP addresses will have to be defined in your NAT rules.

    Otherwise, in a simple LAN <–- NAT ---> WAN setup, traffic traversing the NAT engine will always get delivered to the default gateway defined on the WAN interface unless the destination of that traffic is a host on the same net as the WAN interface.



  • Hi,

    thx for the reply.

    @ssheikh:

    What do you mean by "the other side of the static route"?

    By "the other side of the static route" I mean the destination network the static route is pointing to.

    ==============================================================

    I'll try and describe my setup:

    main firewall connected to the internet LAN ip: 10.0.0.1/24
    pfsense WAN interface: 10.0.0.2/24 default gateway: 10.0.0.1
    pfsense LAN interface: 10.0.1.1/24

    there's another router on 10.0.0.0/24 I use as gateway to another network.
    It's LAN ip is 10.0.0.3/24

    The network I setup a static route for is 192.168.0.0/24

    route add -net 192.168.0.0 netmask 255.255.255.0 gateway 10.0.0.3

    ==============================================================

    From the pfsense box, I can ping and traceroute to any ip in 192.168.0.0/24 just fine.
    The next hop is 10.0.0.3 as defined in the static route.

    On the pfsense WAN interface I allow traffic in from 192.168.0.0/24 to port 80
    I can see in the firewall logs pfsense is accepting incoming packets from any ip in 192.168.0.0/24

    I'm not trying to connect to an ip on the LAN interface.
    I set pfsense up so that webadmin access is allowed on the WAN interface.
    But only for a list of specific subnets.
    I want to login to the pfsense webinterface via the ip on it's wan interface.
    That works when you're coming from anywhere behind it's default gateway, or from the same subnet as the wan interface.

    When an ip on 192.168.0.0/24 tries to connect to the wan interface, you can see it accept traffic,
    but responses are sent back to it's default gateway and not the gateway defined in the static route.

    Hope this makes more sense now
    Thx, Paul



  • You are right. It doesn't work for ssh either. Its probably because of pf that the routing rules are ignored.

    It does work on the LAN side.


Locked