2 sites, directly connected, routing issue
-
Hi,
some strange observation, or I'm missing something... :)
I have 2 sites, each with their own LAN and WAN, connected directly with a radio link to ensure WAN failover on either site.
PF1: LAN1 -> WAN1 (default gateway)
PF2: LAN2 -> WAN2 (default gateway)
PF1 <-> RR <-> PF2
For some specific reasons, I added NAT on PF1 to access a specific host X on the PF2/LAN2 network.
Also added a FW rule on PF2 to route the specific host X over the RR gateway towards PF1.
Now the issue: a trace to some public address from host X is going through the RR gateway (not the default gateway WAN2), which is OK. The problem is that when accessing from the internet through the PF1 NAT, the response to that request goes through the default gateway PF2/WAN2.
Packet capture shows that the packet arrives at PF1, goes over the RR link to PF2, and on to host X, but the response from host X goes to PF2 and out WAN2. If I change the default gateway on PF2 to the RR link, everything works as expected: the response from host X goes to PF2 and over the RR link...
PFSense is 2.3.5 on both sites.
Any suggestions?
-
@bbfrankopan said in 2 sites, directly connected, routing issue:
Any suggestions?
Upgrade to current - nobody is going to want to help with a version of pfSense that has been EOL for years. 2.3.5 went EOL in 2018, with about two years' notice that it was going to be.
-
Thanks for reply.
I know that 2.3.5 has been outdated for a long time; I just wanted to know whether this is related to a known issue in software version 2.3.5 or is a misconfiguration.
The running hardware is old and an upgrade would require new hardware, which I had been postponing for a while, but now I will do an upgrade to current with new HW in the near future...
BR.
-
@bbfrankopan said in 2 sites, directly connected, routing issue:
just wanted to know is this related with known issue in software ver. 2.3.5
I don't think so.
On PF2, on the radio interface, the PF1 IP must be stated as the gateway. Do you have this?
Also ensure that the firewall rule allowing access from the remote site is set on the radio interface tab. There must be no floating rule, and none on an interface group, matching the incoming traffic.
-
@viragomann said in 2 sites, directly connected, routing issue:
On PF2, on the radio interface, the PF1 IP must be stated as the gateway. Do you have this?
Yes.
@viragomann said in 2 sites, directly connected, routing issue:
Also ensure that the firewall rule allowing access from the remote site is set on the radio interface tab. There must be no floating rule, and none on an interface group, matching the incoming traffic.
No floating rules on either site. Firewall rules allow the communication.
Incoming traffic to host X is OK in either case, but for the response to that request PF2 is using the default gateway instead of the gateway defined in the LAN2 rules for X, which forces the gateway over the radio interface.
But at the same time, if I make a request from host X towards some public address (not a response), the traffic matches the firewall LAN2 rule for X and goes over the radio link.
-
@bbfrankopan
The gateway in the policy routing rule on the LAN interface only affects outgoing traffic, not incoming. So this doesn't matter here.
Enable logging in the rule on PF2 which allows access from the remote site with public sources. Then check in the firewall log whether the rule is really applied.
That should have worked in your version also, AFAIK.
-
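To make the point above concrete, here is a small constructed model of how a stateful firewall like pfSense picks the next hop for each packet; it is an added illustration for this thread, not pfSense code, and every address, interface name and helper (`Firewall`, `simulate`) is made up. It shows why the gateway on a LAN policy-routing rule is only consulted for flows that host X initiates, while replies to inbound connections are matched against the existing state and leave either via the reply-to gateway recorded from the ingress interface or, if that interface has no gateway, via the routing table (the default gateway). The model reproduces the expected behaviour; it does not explain why the original poster's setup still failed.

```python
# Constructed, simplified model of stateful forwarding on PF2 (added example,
# not pfSense source). Addresses and interface names are invented.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str          # interface the packet arrived on


@dataclass
class Firewall:
    default_gw: str                 # routing-table default gateway (WAN2 upstream)
    connected: dict                 # iface -> directly connected prefix
    iface_gateways: dict            # iface -> gateway IP set on that interface, or None
    policy_routes: dict             # (iface, src) -> gateway from a LAN rule with "Gateway" set
    states: dict = field(default_factory=dict)   # (src, dst) -> reply-to gateway or None

    def routing_table(self, dst: str) -> str:
        """Plain routing-table lookup: connected networks first, else default gateway."""
        for iface, prefix in self.connected.items():
            if ip_address(dst) in ip_network(prefix):
                return f"direct:{iface}"
        return self.default_gw

    def forward(self, pkt: Packet) -> str:
        """Return the next hop chosen for pkt, creating a state entry for new flows."""
        # 1. Reply to an existing state: firewall rules (and their gateways)
        #    are not consulted again. A reply-to gateway stored in the state
        #    wins; otherwise the routing table decides.
        if (pkt.dst, pkt.src) in self.states:
            reply_to = self.states[(pkt.dst, pkt.src)]
            return reply_to if reply_to is not None else self.routing_table(pkt.dst)
        # 2. New flow: the rule on the ingress interface creates the state.
        #    If that interface has a gateway, the state remembers it as
        #    reply-to, so answers leave the way the request came in.
        self.states[(pkt.src, pkt.dst)] = self.iface_gateways.get(pkt.iface)
        # 3. Forward the first packet: the LAN rule's policy-routing gateway
        #    applies only here, to flows initiated on that interface.
        gw = self.policy_routes.get((pkt.iface, pkt.src))
        return gw if gw is not None else self.routing_table(pkt.dst)


def simulate(rr_gateway_set: bool) -> dict:
    """Run the thread's scenario against a model of PF2 and return the hops chosen."""
    rr_gw = "172.16.0.1" if rr_gateway_set else None      # PF1's radio-side IP (constructed)
    pf2 = Firewall(
        default_gw="203.0.113.1",                          # WAN2 upstream (constructed)
        connected={"LAN2": "10.2.0.0/24", "RR": "172.16.0.0/30"},
        iface_gateways={"RR": rr_gw, "WAN2": "203.0.113.1", "LAN2": None},
        policy_routes={("LAN2", "10.2.0.10"): "172.16.0.1"},   # LAN2 rule: host X via RR
    )
    host_x, client = "10.2.0.10", "198.51.100.7"           # constructed addresses
    return {
        "inbound_request": pf2.forward(Packet(client, host_x, "RR")),
        "reply_from_x": pf2.forward(Packet(host_x, client, "LAN2")),
        "x_initiated": pf2.forward(Packet(host_x, "192.0.2.55", "LAN2")),
    }


if __name__ == "__main__":
    print("gateway on RR set:    ", simulate(True))
    print("no gateway on RR:     ", simulate(False))
```

Running it shows that host X's own outbound flow always takes the LAN2 rule's gateway, but the reply to the NAT'd request from the internet takes the RR gateway only when one is configured on the radio interface; without it the reply follows the default gateway, which is the symptom described in the thread, and the LAN2 rule never logs a hit for it because replies are matched by state, not by rules.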
Enabled logging for the PBR rule on PF2, and the rule is not matched (which it should be).
The first rule under LAN rules is this PBR rule.
Anyway, thanks for all the help, I will try upgrading to the current version of pfSense first......
BR