Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    No Route To Host from router over OPT1, LAN-net has routing

    2.0-RC Snapshot Feedback and Problems - RETIRED
    2
    3
    5.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sheepdawg
      last edited by

      Hi,

      Very strange thing. Not sure if this is a 2.0 thing, or a more basic routing thing. I'm running the 2/7/2011 snapshot on an i386 arch.

      I ran into the following issue when testing my gateway groups failover setup, but on further testing it turned out to be specific to my OPT interface and had nothing to do with the gateway group:

      When I'm routing traffic from the LAN net (192.168.x.x/24) over my WAN connection, I have no issues in pinging external IP addresses from the router itself when ssh'd into the router.

      However, when I'm routing LAN net traffic over the OPT connection when the WAN is down, I run into problems, but only from the router itself. Other computers on the LAN net have full access and routing; I can reach the external DNS servers, ping external servers by name or IP, and have no connectivity issues. When ssh'd into the router, however, I appear to only be able to reach 2 IP address, the two DNS servers associated with the OPT connection. Thus, if I ping google.com, I get:

      
/root(1): ping google.com
PING google.com (66.102.7.99): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- google.com ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

      I'm obviously resolving the name properly, but can't route to the IP. If I ping the name server itself from the router, I can reach it.

      When I switch back to the WAN connection, I can route to anything I can usually reach:

      
/root(1): ping google.com
PING google.com (66.102.7.99): 56 data bytes
64 bytes from 66.102.7.99: icmp_seq=0 ttl=53 time=16.648 ms
64 bytes from 66.102.7.99: icmp_seq=1 ttl=53 time=13.700 ms
64 bytes from 66.102.7.99: icmp_seq=2 ttl=53 time=11.020 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss

      I'm pretty much at a loss here as to where to look; I'm not totally familiar with the low level routing tables, and everything looks ok through the web configurator. I have similar incoming rule sets (fairly strict firewalls) on WAN and OPT, and on the LAN side I have very permissive rules allowing all traffic out. I'm switching outgoing LAN rules for this testing, to control which gateway or gateway group outgoing traffic passes.

      [edit]
      On further testing, I've noticed something strange. The problem appears to be when the WAN connection is down. For some reason, even when all other traffic is being routed through OPT, all the traffic from the router itself still gets routed through the default WAN gateway. Thus, when the WAN gateway is up, I can route traffic out from the router; when it is down; I can't.
      [/edit]

      Any help would be greatly appreciated. Apologies if this is not a 2.0 issue.

      Sincerely,

      Dave

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        Traffic initiated from the firewall itself follows the system routing table, when your default route isn't reachable the Internet isn't reachable from the firewall.

        1 Reply Last reply Reply Quote 0
        • S
          sheepdawg
          last edited by

          Hi, JMP,

          Thanks for the speedy reply! I really appreciate all the help you give here!

          So, I looked at my system routing table, and indeed, the default route is set to the WAN gateway, as you said.

          Is it possible to use gateway groups in the routing table of the router itself? The issue at hand here is I would like to be able to access my network via openvpn, even (perhaps especially) during failover mode when the main link is down.

          However, the router needs to be able to open a connection to the computer requesting an openvpn connection, and I get an error saying 'no route to host xx.xx.xx.xx' thrown by open vpn during the openvpn handshake process.

          So, if I could talk the router into using the gateway group instead of the default route, it would know how to route traffic out even when the WAN is down. There are a number of gateways that I see in the routing table (link#1, link#2…link#9) that I don't know the origin of; how they are defined, and how they do routing. Perhaps this is where I would look to send router traffic into the gateway group?

          I believe my fundamental confusion here comes from not knowing where the distinction lies between typical routing done by the routing table and the pf system that does the bulk in and out routing that pfsense is so good at. Any help understanding this would be greatly appreciated.

          Thanks so much,

          Dave

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.