[QUITE SOLVED] Static route problem



  • Hi everyone,
    I have a problem with routing. The diagram below describes how I configured my network. The default gateway for pfsense2 is 172.16.1.1 (LAN interface of pfsense1).
    On pfsense2, I added a static route to the network 172.17.0.0/24 via 172.16.1.3 in order to avoid some internal traffic on pfsense1. The "simple router" also has a route to 172.16.0.0 via 172.16.1.2. pfsense1 can also correctly route packets for the 172.17.0.0/24 network (via the simple router).
    "Simple router", the pfsense1 LAN interface and the pfsense2 WAN interface are connected to a switch (which does not perform any IP routing).

    The problem is that if the PC behind LAN2 (172.16.0.5) pings the PC behind "Simple router" (172.17.0.5), traffic is correctly routed: the ICMP request and reply do not pass through pfsense1. So, the static route works fine…

    But if the PC behind "Simple router" (172.17.0.5) pings the PC behind LAN2 (172.16.0.5), traffic is not correctly routed:

    • the ICMP request passes through "simple router" and then pfsense2 (normal)
    • the ICMP reply passes through pfsense2, then pfsense1 and finally via "simple router", which is not correct because of the static route that I defined on pfsense2.

    What am I doing wrong?



  • You have to create a static route on the "simple router" as well.



  • The route on "simple router" is created, and the problem is not there. The ICMP reply arrives on this router after it comes from pfsense1:
      - the reply goes first to pfsense2,
      - then to pfsense1,
      - then to the simple router
      - and finally to the computer, without going through any other router again

    It's like static routes are not used when the original packet (the ICMP request in this case, but it's the same with SSH or HTTP(S)) comes from the WAN interface…



  • Did you try System → Advanced → Static route filtering?



  • Yes, I tried it, but it's still the same: the static route is ignored when packets come from "outside" pfsense2.



  • For what it is worth, I am having a similar problem…

    I am using pfSense as an internal firewall with no NAT. I want to be able to manage the firewall from the WAN interface. I am on a separate subnet from the one that the WAN interface is on. I set up a static route on the pfSense for the remote subnet. I can successfully ping from the pfSense to the remote subnet. However, I cannot ping from the remote subnet to the WAN interface (yes, I have the rule created on the WAN). After a bit of network snooping, I see that the return packets from the pfSense are hitting the default gateway instead of using the static route.

    I thought I was doing something wrong as well.  That's why I started looking through the forums.

    J.



  • Hi everyone,
    Some new information. I did a test disabling all filtering rules (so I use pfSense only as a router) and everything works fine… I was looking for a way to force the packet filter to use the static routes instead of creating rules with the default gateway. I finally found where the rules are written (file /etc/inc/filter.inc, line 1545) and now also know why the routes are ignored:

    /* do not process reply-to for gateway'd rules */
    if(($rule['gateway'] == "") and ($ri != "") and ($rg != "")) {
        $aline['reply'] = "reply-to (" . $ri . " " . $rg . ") ";
    }
    

    So, as I can't specify the gateway I want in the rule creation form, I am always in this case: system routes are ignored (the final rule contains a 'reply-to' instead of a 'route-to'). Here's a solution (but certainly not the best one ;)): commenting out those 3 lines makes pfSense use the system routes.
    If anyone finds a proper way to do this, it would be nice :)

    edit: I made the changes on pfSense 1.2.2. I did not test with other versions…
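Editor's added illustration (constructed for this page, not taken from the thread or from the pfSense source): the two forms of the WAN rule that the filter.inc branch above does or does not emit, written out for the topology described in the thread. The addresses are the ones the original poster gave; the interface names (em0 for the pfsense2 WAN, em1 for its LAN) and the rule bodies are assumptions chosen to make the example readable, not rules copied from any pfSense install.

```pf
# Constructed pf.conf fragment for the thread's topology.
# Assumed: em0 = pfsense2 WAN (172.16.1.2, default gw 172.16.1.1),
#          em1 = pfsense2 LAN (172.16.0.0/24 side).
#
# Kernel routing table on pfsense2 as the OP configured it:
#   default          -> 172.16.1.1   (pfsense1)
#   172.17.0.0/24    -> 172.16.1.3   ("simple router", the static route)

# 1. WAN rule as pfSense 1.2.x writes it when the rule has no gateway set.
#    reply-to pins every reply matching this rule's state to 172.16.1.1 on em0,
#    so pf never consults the routing table for the return path. This is why
#    the echo reply for 172.17.0.5 detours through pfsense1.
pass in quick on em0 reply-to ( em0 172.16.1.1 ) inet proto icmp \
    from 172.17.0.0/24 to 172.16.0.0/24 keep state label "USER_RULE"

# 2. The same rule without reply-to (what commenting out the three lines in
#    filter.inc produces). The state still matches the reply, but forwarding
#    now goes through the normal route lookup, so 172.17.0.5 is reached via
#    172.16.1.3 as the static route says.
pass in quick on em0 inet proto icmp \
    from 172.17.0.0/24 to 172.16.0.0/24 keep state label "USER_RULE"

# 3. LAN-side rule. The snippet only adds reply-to when the interface has a
#    gateway ($rg != ""), which LAN does not, so LAN-originated traffic (the
#    direction that already worked in the thread) always uses the routing
#    table regardless of the patch.
pass in quick on em1 inet proto icmp \
    from 172.16.0.0/24 to 172.17.0.0/24 keep state label "USER_RULE"
```

To check which form a box is actually running, `pfctl -sr | grep reply-to` lists the loaded rules carrying the option and `netstat -rn` shows the route the kernel would have used without it; `pfctl -ss` shows the states created by those rules. Two caveats before copying the filter.inc patch: reply-to exists so that multi-WAN setups send replies back out the interface the request arrived on, so dropping it on a box with more than one WAN gateway breaks return routing for the non-default WAN; and later pfSense 2.x releases expose the same behaviour as a supported option (Disable reply-to under System > Advanced > Firewall & NAT) rather than requiring an edit to filter.inc that the next upgrade would overwrite.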

