Bypass firewall rules for traffic on the same interface with dynamic routing?



  • Hi,

    I currently have the new OpenOSPF v0.2A running.
    It is sending and receiving routing updates and the routing table is fully populated with all network routes.

    -but-

    There are several subnets connected to the LAN interface; these are learned by OSPF and are therefore not static routes.
    The firewall now kills some packets on their way in through the LAN interface and back out.
    Is there any possibility to bypass traffic for dynamically learned routes like RIP or OSPF?
    That would be very handy and make pfSense much more suitable as a routing platform.

    Hoping for answers.

    Best Regards,

    Gerinsel



  • If we are talking about a hairpin routing scenario, I seem to recall there is an option to tell pfSense to suppress checks for packets that do this?



  • Yes, it is some kind of hairpin scenario :)
    The option I know of is in the "Advanced" tab, but it only works for static routes.
    The pfSense originates the default route to the WAN network and some other networks; this routing information should be sent to the routers behind the pfSense.

    Regarding OpenOSPFd:
    There seems to be a problem with periodic PPPoE resets. After the reset there are hundreds of
    recv_db_description: seq num mismatch, bad flags
    entries in the system log, and the pfSense isn't receiving or sending any more routing updates.
    I have spotted the same problem with the RIP Service.



  • Ah, okay. Do you have a specific subnet (LAN) that you allow in the outbound rule? If so, are you willing to change it to allow any? If not, maybe you could put the various dynamic subnets in a larger supernet and have a static route on the pfSense for that (pointing at a dummy LAN host, if you see what I mean)?



  • Hi,

    The dummy static route is, so it seems, the only working solution for that problem.
    Now there is a static supernet route that covers every subnet.
    It's not the best, but it is a working solution.

    The thing is, I think I will stay with static routes on my pfSense because neither RIP nor OpenOSPFd is getting along with PPPoE resets :(

    Edit:
    The dummy static route has another major downside.
    It generates a routing loop whenever one of the subnets advertised within the supernet is down, because the next-hop router has the pfSense as its default gateway, which is correct because it is the internet gateway. The packets bounce from the pfSense to the next-hop router and back again until the TTL is 0. If OSPF were running, the network would have been removed from the routing table and the request would get a "network is unreachable" or something similar. Or am I wrong?


    Regarding OSPFd, second issue:
    The process is stuck after every PPPoE "redial", no matter whether it is caused by the periodic PPPoE reset or a manual reconnect.
    After getting stuck, it starts a new ospfd instance.
    When you remove the OpenOSPFd package, the other started processes are not killed and keep running until you kill them manually.
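As an added illustration of the routing loop described in the edit above (example code written for this page, not from the poster, pfSense or OpenOSPFd): a small Python model of two routers doing longest-prefix-match forwarding. The topology is constructed for the example: "pfSense" has a default route to WAN plus the dummy 10.0.0.0/16 static route toward a downstream router "R1", which holds 10.0.1.0/24 and 10.0.2.0/24 and a default route back to pfSense. When 10.0.2.0/24 goes down behind R1, the static supernet still matches on pfSense and the packet ping-pongs between the two routers until the TTL runs out; with only the specific, dynamically learned routes the withdrawn /24 disappears from pfSense and the packet falls through to the default route instead of looping.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example topology (an assumption for this illustration, not the
# poster's real network): "pfSense" and a downstream router "R1" share a LAN.
# Next hops that are not routers ("WAN", "connected") are treated as sinks.

Route = Tuple[ipaddress.IPv4Network, str]


class Router:
    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def withdraw(self, prefix: str) -> None:
        """Remove an exact prefix; a no-op if this router never held it."""
        net = ipaddress.ip_network(prefix)
        self.routes = [(p, nh) for p, nh in self.routes if p != net]

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match, the way a kernel forwarding table decides."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for prefix, nh in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None


def forward(routers: Dict[str, Router], start: str, dst: str, ttl: int = 64) -> Tuple[str, List[str]]:
    """Hop-by-hop forwarding. Returns (outcome, path): 'exit' when the packet
    leaves the modelled routers, 'no route', or 'ttl expired' for a loop."""
    path = [start]
    current = start
    while ttl > 0:
        ttl -= 1
        nh = routers[current].lookup(dst)
        if nh is None:
            return ("no route", path)
        path.append(nh)
        if nh not in routers:
            return ("exit", path)
        current = nh
    return ("ttl expired", path)


def build_static_workaround() -> Dict[str, Router]:
    """pfSense with the dummy static supernet route from the thread."""
    pf, r1 = Router("pfSense"), Router("R1")
    pf.add_route("0.0.0.0/0", "WAN")
    pf.add_route("10.0.0.0/16", "R1")      # static supernet covering every subnet behind R1
    r1.add_route("0.0.0.0/0", "pfSense")   # pfSense is R1's internet gateway
    r1.add_route("10.0.1.0/24", "connected")
    r1.add_route("10.0.2.0/24", "connected")
    return {"pfSense": pf, "R1": r1}


def build_ospf_learned() -> Dict[str, Router]:
    """pfSense holding only the specific routes it would learn from R1 via OSPF."""
    pf, r1 = Router("pfSense"), Router("R1")
    pf.add_route("0.0.0.0/0", "WAN")
    pf.add_route("10.0.1.0/24", "R1")
    pf.add_route("10.0.2.0/24", "R1")
    r1.add_route("0.0.0.0/0", "pfSense")
    r1.add_route("10.0.1.0/24", "connected")
    r1.add_route("10.0.2.0/24", "connected")
    return {"pfSense": pf, "R1": r1}


def subnet_down(routers: Dict[str, Router], prefix: str) -> None:
    """A link behind R1 fails: R1 loses the connected route, and with OSPF
    pfSense withdraws its learned copy too. A static supernet is never
    withdrawn, so in the static case the second call changes nothing."""
    routers["R1"].withdraw(prefix)
    routers["pfSense"].withdraw(prefix)


if __name__ == "__main__":
    static = build_static_workaround()
    subnet_down(static, "10.0.2.0/24")
    print("static supernet, 10.0.2.0/24 down:", forward(static, "pfSense", "10.0.2.5", ttl=8))
    learned = build_ospf_learned()
    subnet_down(learned, "10.0.2.0/24")
    print("OSPF-learned routes, 10.0.2.0/24 down:", forward(learned, "pfSense", "10.0.2.5"))
```

Where the packet ends up in the OSPF case depends on pfSense's default route (here it simply leaves toward WAN); the point of the model is only that the specific route is gone, so nothing on the LAN segment sends it back.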

