Problem with System: Static Routes
-
Hi,
I am using 2.0-RC2 (i386) built on Sat May 21 21:38:32 EDT 2011, and I am having a problem with my routing, which suddenly stopped working after I updated the firmware.
Even though I have created a static route for a subnet, it does not seem to work:
My Static Route:
Network Gateway Interface
172.16.254.0/24 mNet - 172.25.55.253 LAN
C:\Users\johndoe>tracert 172.16.254.61
Tracing route to devil.box.mil [172.16.254.61]
over a maximum of 30 hops:
1 <1 ms 2 ms 1 ms gate.thebox.com [172.25.55.102]
2 gate.thebox.com [172.25.55.102] reports: Destination host unreachable.
Trace complete.
My LAN gateway is 172.25.55.102, but it should route via 172.25.55.253. ???
Please help
Thank you
-
Sorry, I may be being a bit thick here, but how can the gateway be on a different network to the NIC? Surely the gateway must be in the 172.16.254.0/24 network.
-
check Diagnostics>Routes for the route, it's likely there (unless you're running the IPv6 branch in which case you may be hitting routing issues there), so I suspect your gateway isn't reachable (hence the unreachable).
-
Hi,
My Diagnostic: Route got this:
Destination Gateway Flags Refs Use Mtu Netif
172.16.254.0/24 172.25.55.253 UGS 0 238 1500 rl1
And yes, there are IPv6 routes. How do I disable IPv6, since I don't use it at all?
Thank you
-
Completely confused - you can not have this route
it should route via 172.25.55.253
that IP is not on your network 172.16.254.0/24, so that route is not possible.
You say you have IPv6 routes? How would that be possible if you're not running the IPv6 build?
I would suggest you post up your complete route page.
-
Completely confused - you can not have this route
it should route via 172.25.55.253
that IP is not on your network 172.16.254.0/24, so that route is not possible.
You say you have IPv6 routes? How would that be possible if you're not running the IPv6 build?
I would suggest you post up your complete route page.
These are my IPv6 routes, which I never created and never enabled before. How can I remove them?
Destination Gateway Flags Refs Use Mtu Netif Expire
::1 ::1 UH 0 0 16384 lo0
fe80::%rl0/64 link#1 U 0 0 1500 rl0
fe80::227:19ff:fef0:7425%rl0 link#1 UHS 0 0 16384 lo0
fe80::%rl1/64 link#2 U 0 0 1500 rl1
fe80::227:19ff:fef1:c11c%rl1 link#2 UHS 0 0 16384 lo0
fe80::%re0/64 link#3 U 0 0 1500 re0
fe80::214:2aff:fecd:7564%re0 link#3 UHS 0 0 16384 lo0
fe80::%lo0/64 link#5 U 0 0 16384 lo0
fe80::1%lo0 link#5 UHS 0 0 16384 lo0
fe80::%pppoe0/64 link#9 U 0 0 1492 pppoe0
fe80::227:19ff:fef0:7425%pppoe0 link#9 UHS 0 0 16384 lo0
ff01:1::/32 fe80::227:19ff:fef0:7425%rl0 U 0 0 1500 rl0
ff01:2::/32 fe80::227:19ff:fef1:c11c%rl1 U 0 0 1500 rl1
ff01:3::/32 fe80::214:2aff:fecd:7564%re0 U 0 0 1500 re0
ff01:5::/32 ::1 U 0 0 16384 lo0
ff01:9::/32 fe80::227:19ff:fef0:7425%pppoe0 U 0 0 1492 pppoe0
ff02::%rl0/32 fe80::227:19ff:fef0:7425%rl0 U 0 0 1500 rl0
ff02::%rl1/32 fe80::227:19ff:fef1:c11c%rl1 U 0 0 1500 rl1
ff02::%re0/32 fe80::214:2aff:fecd:7564%re0 U 0 0 1500 re0
ff02::%lo0/32 ::1 U 0 0 16384 lo0
ff02::%pppoe0/32 fe80::227:19ff:fef0:7425%pppoe0 U 0 0 1492 pppoe0
Note: Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway.
-
Sorry, I may be being a bit thick here, but how can the gateway be on a different network to the NIC? Surely the gateway must be in the 172.16.254.0/24 network.
If I set my gateway to 172.25.55.253 directly on my client box, I am able to connect to my 172.16.254.0/24 network, so I think it must be my pfSense route which is not working.
-
You can not set a gateway to an IP address that is NOT on your network!! NEVER work in a MILLION YEARS!!
And for starters windows would scream at you if you tried, and so would linux I do believe
see attached image of example of windows screaming at you for wrong gateway.
Please lay out this network for us – why do you feel that you need to talk to a 172.25.55.253 to get off your LAN if your network is 172.16.254.0/24 ??
You do not need a gateway to talk to anything on the 172.16.254.0/24, you have an interface directly on that network - do you not?
As to those IPv6 routes, those are local-link addresses, and are meaningless - and to be honest I don't believe they even show up unless you installed the IPv6 build of pfSense. I'm installing a non-IPv6 build now to verify.
Please lay out your network for us so we can help you!!
edit: OK, just verified with an old 2.0 beta VM, and yeah, the IPv6 local-link routes are there, but they have NOTHING to do at all with any IPv4 addresses or routing.
-
mynullvoid Drop to a shell and post the output of netstat -r please so we can see the actual routes. As has been previously said it seems likely that the pfsense box has no route back to the 172.25.55.253 device. You must have a gateway defined on the 172.16.254.0/24 network to reach the 172.25.55.0/24 network.
-
Can you show screenshots of your setup, since it's kind of hard to see where you take this from?
Network Gateway Interface
172.16.254.0/24 mNet - 172.25.55.253 LAN -
If I set my gateway to 172.25.55.253 directly on my client box, I am able to connect to my 172.16.254.0/24 network, so I think it must be my pfSense route which is not working.
FreeBSD is more sane and less forgiving than other OSes, it will not ARP an IP that is not on a locally configured subnet, where Windows will (and maybe Linux though not sure on it). It's not a valid network configuration regardless, fix it so it is. Either move the router to an IP within an attached subnet, or add a VIP so it's within a local subnet.
-
Let me explain,
my pfsense box got 3 NIC:
WAN : pppoe
LAN : 172.25.55.102
OPT1 : 172.25.55.103
Via OPT1 it is connected to the other, bigger network of our main office, and I had created a bridge for LAN and OPT1.
If we set a client gateway to be 172.25.55.253, which is connected via OPT1, the client is able to access network 172.16.254.0/24, but all the traffic will go out via our main office.
What I want is for my LAN traffic to use 172.25.55.102 as gateway, where it will use my WAN access out, and only for certain destination IPs should it be routed via 172.25.55.253.
The funny part is that I had it working fine before, until I did something, which I guess was upgrading the firmware.
If there is a better way, please advise. Thank you
-
Bridge takes priority over routing.
-
@ermal:
Bridge takes priority over routing.
I need to bridge both my LAN and OPT1, otherwise how can I get my LAN machines to access the OPT1 network, since behind 172.25.55.103, this NIC is connected to another bridge of 172.25.55.101 to 172.25.55.100.
-
I had removed the bridge, and connected the second link to a switch, and from the switch I connected to OPT1, leaving just the static route, which is:
Gateway:
Name Interface Gateway Monitor IP Description
mNet OPT1 172.25.55.253 172.25.55.253 Alt Gateway
Routes:
Network Gateway Interface Description
172.16.254.0/24 mNet - 172.25.55.253 OPT1 Alt Exchange AD
Firewall: I had set allow any to any
If I still have 172.25.55.102 as the client gateway, I can't even reach 172.16.254.0/24, but if I change my gateway to 172.25.55.253, only then can I reach it.
What else could go wrong with the routing?
-
So, does anyone want to respond? Early in the thread there was a lot of advice; when I narrowed it down to the routing problem, suddenly no takers. Like I said, my config worked in 1.2.3 until beta 5; I didn't update until lately.
I even did a fresh install and the routing doesn't work at all.
-
"I had removed the bridge, and connected the second link to a switch, and from the switch I connected to OPT1, leaving just the static route, which is:"
This makes NO SENSE!!! And what is connected to the switch? Why would you connect the switch to OPT1?
Why would you not just connect your LAN interface to the switch? You have the same network on 2 different interfaces on your pfSense box that are no longer bridged? How are you going to get anywhere?
Please LAY OUT YOUR NETWORK!!! You clearly have multiple devices connected to LAN, and then multiple devices connected to OPT1 that was the same network. Then you bridged these interfaces, which made no sense in the first place.
Let's see a drawing of your network! Before I made this out so far - which makes no masks btw.
Now you removed the bridge, and what IP did you give OPT1, and looks like you created a gateway???
Finish this drawing that is attached, spelling out the IPs and masks of your interfaces and what this 172.25.55.253 device is – can we see the routes on it? Why were you bridged before??
When asked for your routes -- how about a screenshot of your routes page, or the output of netstat -r like asked for before.
So finish/fix the drawing of your network in its current setup and let's see the output of your routes from netstat -r or a screenshot of your routes page.
I would love to help you - but need to understand your network first.
-
When I said I removed the bridge, it was because I was told that 'Bridge takes priority over routing', so I tried the workaround. Anyway, here is some of the information requested; do ask me for more so that I can get my network running as it should.
+---+
|   | LAN: 172.25.55.102/24
| p |=======================
| f |                                                               172.25.55.253/24
| s |                                                               +---+
| e | OPT1: 172.25.55.103/24                                        | r |
| n |======================(172.25.55.101 bridge 172.25.55.100)===| o |
| s |                                                               | u | 172.16.254.0/24
| e |                                                               | t |==========
|   | WAN : pppoe                                                   | e |
|   |======================                                         | r |
+---+                                                               +---+
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
0.0.0.0 link#1 U 0 0 rl0 =>
default 219.93.218.177 UGS 0 2698865 pppoe0
60.53.xxx.xx link#9 UHS 0 0 lo0
localhost link#5 UH 0 316 lo0
172.16.254.0 172.25.55.253 UGS 0 506 rl1
172.25.55.0 link#3 U 0 3460459 re0
firegate link#3 UHS 0 0 lo0
172.25.55.103 link#2 UHS 0 0 lo0
isp1.in.box.net 219.93.xxx.xxx UGHS 0 12539 pppoe0
isp2.in.box.net 219.93.xxx.xxx UGHS 0 11938 pppoe0
219.93.xxx.xxx link#9 UH 0 63391 pppoe0
Internet6:
Destination Gateway Flags Netif Expire
localhost localhost UH lo0
fe80::%rl0 link#1 U rl0
fe80::227:19ff:fef link#1 UHS lo0
fe80::%rl1 link#2 U rl1
fe80::227:19ff:fef link#2 UHS lo0
fe80::%re0 link#3 U re0
fe80::214:2aff:fec link#3 UHS lo0
fe80::%lo0 link#5 U lo0
fe80::1%lo0 link#5 UHS lo0
fe80::%pppoe0 link#9 U pppoe0
fe80::227:19ff:fef link#9 UHS lo0
ff01:1:: fe80::227:19ff:fef U rl0
ff01:2:: fe80::227:19ff:fef U rl1
ff01:3:: fe80::214:2aff:fec U re0
ff01:5:: localhost U lo0
ff01:9:: fe80::227:19ff:fef U pppoe0
ff02::%rl0 fe80::227:19ff:fef U rl0
ff02::%rl1 fe80::227:19ff:fef U rl1
ff02::%re0 fe80::214:2aff:fec U re0
ff02::%lo0 localhost U lo0
ff02::%pppoe0 fe80::227:19ff:fef U pppoe0
-
I thought you said you removed the bridge? How do you expect anything connected to lan to get to something connected to opt1 when you have not changed the network connected to the interface.
Where is this switch you said you connected? Breakout a crayon or something and actually DRAW your network.
I fail to understand the need for the same network on 2 different interfaces? Why don't you change your OPT1 network to say 172.25.54.0/24, and then a couple of simple routes on your pfSense and other router and everyone would be happy.
pfsense
172.16.254.0/24 172.25.54.253 via opt1
router
172.25.55.0/24 172.25.54.103 via ethX
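
Added example (not part of the thread and not pfSense code): a Python check for the three conditions discussed above, run against the addresses as posted and against the renumbering suggested in the previous post. The function name `check_routing` and the input shapes are assumptions made for illustration.

```python
import ipaddress

def check_routing(interfaces, routes):
    """Return a list of problems in an interface/static-route layout.

    interfaces: {name: "addr/prefix"}; routes: [(dest_cidr, gateway_ip, iface)].
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    problems = []
    names = sorted(nets)
    # Same or overlapping subnet on two routed interfaces: the netstat output
    # in the thread holds a single connected route for 172.25.55.0 (via re0).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"overlap: {a} {nets[a]} and {b} {nets[b]}")
    for dest, gw, iface in routes:
        dest_net = ipaddress.ip_network(dest)
        gw_ip = ipaddress.ip_address(gw)
        # The next hop must sit inside the subnet of the interface it is bound to.
        if gw_ip not in nets[iface]:
            problems.append(f"gateway {gw} not on {iface} subnet {nets[iface]}")
        # Static routes are only for networks reachable via a different router.
        for name, net in nets.items():
            if dest_net.overlaps(net):
                problems.append(f"route {dest} overlaps attached network on {name}")
    return problems

# Addresses as posted in the thread (both NICs in 172.25.55.0/24, no bridge).
AS_POSTED = check_routing(
    {"LAN": "172.25.55.102/24", "OPT1": "172.25.55.103/24"},
    [("172.16.254.0/24", "172.25.55.253", "OPT1")],
)
# Renumbered as suggested: OPT1 and the far router move to 172.25.54.0/24.
RENUMBERED = check_routing(
    {"LAN": "172.25.55.102/24", "OPT1": "172.25.54.103/24"},
    [("172.16.254.0/24", "172.25.54.253", "OPT1")],
)

if __name__ == "__main__":
    for label, result in (("as posted", AS_POSTED), ("renumbered", RENUMBERED)):
        print(label, "->", result or "ok")
```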
-
<<forget about I remove the bridge and switch stuff - because just experimenting>>
The OPT1 is connected to a bigger network of 172.16.254.0/24, 192.168.2.0/24 and some other network subnets.
My network IP was given by my HQ IT to use 172.25.55.0/24 and I was asked to create routes via 172.25.55.253 as gateway.
The issue now is how I can route certain predefined destination IPs to use the OPT1 gateway, which is 172.25.55.253?