Static route problem



  • I can't get my simple static route to work on 2.0.1 (was using 1.2.3):

    Say my LAN is 192.168.1.0/24 and there is a 192.168.2.0/24 network available through a Cisco router (192.168.1.2).

    In 1.2.3 I just had a static route set up like this (worked as expected):
    Int:    Destination:        Gateway:
    LAN    192.168.2.0/24    192.168.1.2

    In 2.0.1 I created a gateway (Int: lan, IP: 192.168.1.2), then a static route (Int: lan, Network: 192.168.2.0/24, and using the gateway I already set up).
    No computers on the LAN can ping the 192.168.2.0 network, but the pfsense box can. I did a tracert from a machine and it is sending my traffic out the WAN.

    I have found a way around this: if I add a firewall rule with the destination of 192.168.2.0/24 and use the gateway I created earlier it works, but it doesn't seem like I should have to do this.



  • So it looks like if I use a gateway group as the gateway on my default "Lan -> Any" rule it ignores all static routes (and networks on other interfaces!) set up in pfsense. Is that how it is designed to work in 2.0?

    It also doesn't allow me to access networks on other interfaces connected to pfsense; however, it does still allow me to get through to networks across IPsec tunnels.

    Seems crazy to me, but let me know if I'm getting this right: if I want WAN load balancing/failover, I need to put in a rule for every static route and every other network attached to pfsense ahead of the load-balancing rule?



  • Hi jmcentire

    I think you have to add a rule so that the pfsense can handle the traffic correctly. I had some issues with this too.

    What I did:
    Add static route and gateway

    pfsense 192.168.1.1
    Cisco 192.168.1.2
    LAN 192.168.1.0/24
    LANREMOTE 192.168.2.0/24

    Route 192.168.2.0 -> GW 192.168.1.2
    Firewall Rule ALLOW -> ANY -> LAN -> LAN REMOTE -> GW 192.168.1.2

    However, me too, I am not sure if this firewall rule is needed. Let's say I don't have the fw rule in place:

    1. My PC pings the remote LAN
    2. Arrives at the pfsense
    3. Pfsense says: reroute traffic to GW 192.168.1.2
    4. Result: ping OK

    I am not sure if traffic for GW 192.168.1.2 is still being processed by the firewall rules?

    Without the rule my PC responds like this:
    tracert 192.168.2.5

    192.168.1.1 - OK
    192.168.1.2 - OK
    192.168.2.5 - OK

    With the second ping my own pfsense is being skipped and I get this response:
    tracert 192.168.2.5

    192.168.1.2 - OK
    192.168.2.5 - OK

    This has to do with the ARP cache of the machine.

    However, when I add the specific firewall rule for the 192.168.2.0/24 network and flush my ARP cache, I also get this response:
    tracert 192.168.2.5

    192.168.1.2 - OK
    192.168.2.5 - OK

    See! The pfsense is missing from the list but why? Repeated this with 3 stations, all the same responses.

    Now the question is: do static routes on the pfsense still need specific firewall rules?

    Processed like this:
    1. My PC pings the remote LAN
    2. Arrives at the pfsense
    3. Pfsense says: reroute traffic to GW 192.168.1.2
    4. Result: ping OK

    Or like this:
    1. My PC pings the remote LAN
    2. Arrives at the pfsense
    3. Pfsense says: reroute traffic to GW 192.168.1.2
    4. Pfsense checks firewall rules
    5. Result: ping OK



  • Is there someone from the users here that could answer any of our questions stated above?

    kind regards,
    pfsensedummie



  • FYI, I'm seeing the exact same thing: 1.2.3 worked, 2.0.1 doesn't, multi-WAN environment. I even tried going into advanced options and choosing "Ignore filtering for Static routes" but no luck.

    It tries to send traffic for my second LAN out the WAN interface and not back through the LAN interface to a Cisco router. For me it gets to the destination, but that is because I have another firewall on the WAN that also has an interface to the Cisco router (testing pfsense while using iptables); it should really just go back through the LAN interface and not through the WAN.

    Anybody have any ideas?



  • @jmcentire:

    So it looks like if I use a gateway group as the gateway on my default "Lan -> Any" rule it ignores all static routes(and networks on other interfaces!) setup in pfsense.  Is that how it is designed to work in 2.0?

    That's how it works in every version. Traffic matching a policy routing rule (anything with a gateway selected) is forced there, bypassing the routing table.



  • Hello,

    I have the same problems. I have written many times about traffic through static routes in 2.0 since the beta versions, and it doesn't work as expected; with 1.2.2 no problems were found.

    Regards,

    Nicanor Martinez.



  • Why no answers about static route traffic problems?

    Regards,

    Nicanor


  • Rebel Alliance Developer Netgate

    Read the thread again. It's been answered already.

    If you need more detail on why this specific case has a perceived issue, see the doc wiki:

    http://doc.pfsense.org/index.php/Multi-WAN_2.0#Policy_Route_Negation



  • I have a similar problem, but only when I turn on load balancing in the LAN rule, setting the gateway to use the load-balancing group I created.

    All the static routes that I made to reach specific interfaces always go out first via the load-balancing rule. If I disable the load balancing and put "any", the static routes work perfectly.

    Another inquiry I have is: why, every time that I try to configure each interface with a static IP, does the internet not work? I check in the General tab, and the DNS is correct for each interface, pointing to each respective gateway.




  • Quote from: jmcentire on January 19, 2012, 08:59:31 pm
    So it looks like if I use a gateway group as the gateway on my default "Lan -> Any" rule it ignores all static routes(and networks on other interfaces!) setup in pfsense.  Is that how it is designed to work in 2.0?

    That's how it works in every version. Traffic matching a policy routing rule (anything with a gateway selected) is forced there, bypassing the routing table.

    In other words, it's not a problem, it's a feature. You need to add an additional rule with gateway 'any' that matches the destination you wish to reach.

    kind regards



  • I have the same problem, reported some time ago. I added rules and static routes don't work. I am also using multi-LAN and multi-WAN; I have to segment my network, but it is difficult to set rules to let traffic pass between the LANs, and it does not work properly to pass traffic between static routes and LAN subnets. Between the networks I am using pfsense 2.0.1 and one pfsense 1.2.2, and traffic passes OK. I need to remove 1.2.2, but the new version has this issue, reported since the beta versions.

    Regards,

    Nicanor Martinez


  • Rebel Alliance Developer Netgate

    This is not a bug, you need firewall rules to bypass policy routing, it's been that way for quite some time.

    If you don't have firewall rules to exclude your local and VPN networks from policy routing, then the traffic will go straight out a WAN.
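To make the developer's point concrete, here is a small Python model (added here, not code from the thread or from pfSense) of how pf evaluates rules first-match and how a route-to rule bypasses the routing table, using the thread's addresses. The WAN next hop 203.0.113.1, the dict rule format and the idea that the gateway group resolves to a single WAN are assumptions; the model shows the original rule set beside the fixed one with the negation rule placed above the load-balancing rule.

```python
import ipaddress

# Constructed routing table for the thread's topology. The WAN next hop is a
# placeholder (documentation address), not a value from the thread.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),        # default route out the WAN
    ("192.168.1.0/24", None, "lan"),           # LAN, directly connected
    ("192.168.2.0/24", "192.168.1.2", "lan"),  # static route via the Cisco router
]

def route_lookup(dst):
    """Longest-prefix match, as the kernel routing table does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2])

def forward(dst, rules):
    """Return the (next hop, interface) a LAN packet is sent to.
    Rules are evaluated top-down, first match wins (pfSense rules are 'quick').
    A rule with a gateway set is a pf route-to rule: the packet is forced to that
    gateway and the routing table is never consulted. A rule with the gateway
    left at 'default' has no route-to, so the routing table decides."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["to"]):
            return rule["route_to"] or route_lookup(dst)
    return None  # no rule matched: dropped by the implicit default deny

WAN_GROUP = ("203.0.113.1", "wan")  # what the gateway group resolves to here (assumed)

# The original poster's rule set: one LAN -> any rule using the gateway group.
POLICY_ONLY = [
    {"to": "0.0.0.0/0", "route_to": WAN_GROUP},
]

# The fix from the thread: a rule for the static-route network with no gateway,
# placed ABOVE the load-balancing rule so it matches first.
WITH_NEGATION = [
    {"to": "192.168.2.0/24", "route_to": None},
    {"to": "0.0.0.0/0", "route_to": WAN_GROUP},
]

if __name__ == "__main__":
    print(forward("192.168.2.5", POLICY_ONLY))    # ('203.0.113.1', 'wan'): out the WAN
    print(forward("192.168.2.5", WITH_NEGATION))  # ('192.168.1.2', 'lan'): via the Cisco
```

The same negation rule is needed for every directly connected network on another interface and for VPN-reachable networks, since a gateway-group rule matching "any" would otherwise capture them too.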



  • @nnicanor:

    I have the same problem, reported some time ago. I added rules and static routes don't work. I am also using multi-LAN and multi-WAN; I have to segment my network, but it is difficult to set rules to let traffic pass between the LANs, and it does not work properly to pass traffic between static routes and LAN subnets. Between the networks I am using pfsense 2.0.1 and one pfsense 1.2.2, and traffic passes OK. I need to remove 1.2.2, but the new version has this issue, reported since the beta versions.

    Start your own thread, please don't hijack threads. The underlying PF version in 1.2.2 didn't have as tight filtering as current versions, and it will not pass asymmetrically routed traffic by default, which is what I'm sure you're seeing. Start a thread describing your problem for help there.

