Netgate Discussion Forum
    Static route problem

    14 Posts 8 Posters 24.3k Views
    jmcentire

      I can't get my simple static route to work on 2.0.1 (was using 1.2.3):

      Say my LAN is 192.168.1.0/24 and there is a 192.168.2.0/24 network available through a Cisco router (192.168.1.2).

      In 1.2.3 I just had a static route set up like this (worked as expected):
      Int:    Destination:      Gateway:
      LAN     192.168.2.0/24    192.168.1.2

      In 2.0.1 I created a gateway (Int: LAN, IP: 192.168.1.2), then a static route (Int: LAN, Network: 192.168.2.0/24, using the gateway I had already set up).
      No computers on the LAN can ping the 192.168.2.0 network, but the pfSense box can. I did a tracert from a machine and it is sending my traffic out the WAN.

      I have found a way around this: if I add a firewall rule with the destination of 192.168.2.0/24 and use the gateway I created earlier it works, but it doesn't seem like I should have to do this.

      jmcentire

        So it looks like if I use a gateway group as the gateway on my default "LAN -> Any" rule it ignores all static routes (and networks on other interfaces!) set up in pfSense. Is that how it is designed to work in 2.0?

        It also doesn't allow me to access networks on other interfaces connected to pfSense; however, it does still allow me to get through to networks across IPsec tunnels.

        Seems crazy to me, but let me know if I'm getting this right: if I want WAN load balancing/failover I need to put in a rule for every static route and every other network attached to pfSense ahead of the load balancing rule?

        pfsensedummie

          Hi jmcentire

          I think you have to add a rule so that the pfsense can handle the traffic correctly. I had some issues with this too.

          What I did:
          Add static route and gateway

          pfsense 192.168.1.1
          Cisco 192.168.1.2
          LAN 192.168.1.0/24
          LANREMOTE 192.168.2.0/24

          Route 192.168.2.0 -> GW 192.168.1.2
          Firewall Rule ALLOW -> ANY -> LAN -> LAN REMOTE -> GW 192.168.1.2

          However, me too, I am not sure if this firewall rule is needed. Let's say I don't have the FW rule in place:

          1. My pc pings the remote lan
          2. Arrives at the pfsense
          3. pfSense says: traffic rerouted to GW 192.168.1.2
          4. Result ping OK

          I am not sure if traffic for GW 192.168.1.2 is still being processed by the firewall rules?

          Without the rule my PC responds like this
          tracert 192.168.2.5

          192.168.1.1 - OK
          192.168.1.2 - OK
          192.168.2.5 - OK

          With the second ping my own pfSense is being skipped and I get this response:
          tracert 192.168.2.5

          192.168.1.2 - OK
          192.168.2.5 - OK

          This has to do with the ARP cache of the machine.

          However, when I add the specific firewall rule for the 192.168.2.0/24 network and flush my ARP cache, I also get this response:
          tracert 192.168.2.5

          192.168.1.2 - OK
          192.168.2.5 - OK

          See! The pfSense is missing from the list, but why? Repeated this with 3 stations, all the same responses.

          Now the question is: are static routes on the pfSense still in need of specific firewall rules?

          Processed like this:
          1. My pc pings the remote lan
          2. Arrives at the pfsense
          3. pfSense says: traffic rerouted to GW 192.168.1.2
          4. Result ping OK

          or like this:
          1. My pc pings the remote lan
          2. Arrives at the pfsense
          3. pfSense says: traffic rerouted to GW 192.168.1.2
          4. pfSense checks firewall rules
          5. Result ping OK

            pfsensedummie

            Is there someone among the users here who could answer any of our questions stated above?

            Kind regards,
            pfsensedummie

              svtlightning

              FYI, I'm seeing the exact same thing: 1.2.3 worked, 2.0.1 doesn't, multi-WAN environment. I even tried going into advanced options and choosing "Ignore filtering for Static routes" but no luck.

              It tries to send traffic for my second LAN out the WAN interface and not back through the LAN interface to a Cisco router. For me it gets to the destination, but that is because I have another firewall on the WAN that also has an interface to the Cisco router (testing pfSense while using iptables), but it should really just go back through the LAN interface and not through the WAN.

              Anybody have any ideas?

                cmb

                @jmcentire:

                So it looks like if I use a gateway group as the gateway on my default "LAN -> Any" rule it ignores all static routes (and networks on other interfaces!) set up in pfSense. Is that how it is designed to work in 2.0?

                That's how it works in every version. Traffic matching a policy routing rule (anything with a gateway selected) is forced there, bypassing the routing table.

                  nnicanor

                  Hello,

                  I have the same problems. I have written many times about traffic through static routes in 2.0 since the beta versions and it doesn't work as expected; with 1.2.2 no problems were found.

                  Regards,

                  Nicanor Martinez.

                    nnicanor

                    Why no answers about static route traffic problems?

                    Regards,

                    Nicanor

                      jimp (Netgate developer)

                      Read the thread again. It's been answered already.

                      If you need more detail on why this specific case has a perceived issue, see the doc wiki:

                      http://doc.pfsense.org/index.php/Multi-WAN_2.0#Policy_Route_Negation

                        mUcHiLuS

                        I have a similar problem, but only when I turn on the load balancing in the LAN rule, setting the gateway to use the load balance group I created.

                        All the static routes that I made to reach a specific interface always go out first to the load balancing rule. If I disable the load balance and put "any", the static routes work perfectly.

                        Another question I have is: why, every time I try to configure each interface with a static IP, does the internet not work? I checked in the General tab, and the DNS is correctly set for each interface, pointing to each respective gateway.

                        @jmcentire:

                        I can't get my simple static route to work on 2.0.1 (was using 1.2.3):

                        Say my LAN is 192.168.1.0/24 and there is a 192.168.2.0/24 network available through a Cisco router (192.168.1.2).

                        In 1.2.3 I just had a static route set up like this (worked as expected):
                        Int:    Destination:      Gateway:
                        LAN     192.168.2.0/24    192.168.1.2

                        In 2.0.1 I created a gateway (Int: LAN, IP: 192.168.1.2), then a static route (Int: LAN, Network: 192.168.2.0/24, using the gateway I had already set up).
                        No computers on the LAN can ping the 192.168.2.0 network, but the pfSense box can. I did a tracert from a machine and it is sending my traffic out the WAN.

                        I have found a way around this: if I add a firewall rule with the destination of 192.168.2.0/24 and use the gateway I created earlier it works, but it doesn't seem like I should have to do this.

                          heper

                          Quote from: jmcentire on January 19, 2012, 08:59:31 pm
                          So it looks like if I use a gateway group as the gateway on my default "LAN -> Any" rule it ignores all static routes (and networks on other interfaces!) set up in pfSense. Is that how it is designed to work in 2.0?

                          That's how it works in every version. Traffic matching a policy routing rule (anything with a gateway selected) is forced there, bypassing the routing table.

                          In other words, it's not a problem, it's a feature. You need to add an additional rule with gateway 'any' that matches the destination you wish to reach.

                          Kind regards

                            nnicanor

                            I have the same problem, reported some time ago. I added rules and static routes do not work. I am also using multi-LAN and multi-WAN; I have to segment my network, but it is difficult to set rules to let traffic between the multiple LANs, and it does not work properly to pass traffic between static routes and LAN subnets. Between networks I am using pfSense 2.0.1 and one pfSense 1.2.2, and traffic passes OK. I need to remove 1.2.2, but the new version has this issue, reported since the beta versions.

                            Regards,

                            Nicanor Martinez

                              jimp (Netgate developer)

                              This is not a bug; you need firewall rules to bypass policy routing, and it's been that way for quite some time.

                              If you don't have firewall rules to exclude your local and VPN networks from policy routing, then the traffic will go straight out a WAN.

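The rule ordering cmb and jimp describe, written out as an added example in pf.conf form (this is not from the thread and not pfSense's own generated ruleset; the interface names em0/em1/em2 and the WAN gateway addresses are assumptions):

```pf
# Added example, not from this thread or from pfSense's generated rules.
# Assumptions: em1 = LAN, em0 = WAN1, em2 = WAN2; gateway addresses are made up.
lan_net = "192.168.1.0/24"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"

# 1. Policy-route negation rules. They match first ("quick") and carry no
#    route-to, so a matching packet follows the kernel routing table, which
#    holds the static route 192.168.2.0/24 via 192.168.1.2 and the other
#    local/VPN subnets. In the GUI this is a pass rule with gateway left at
#    the default, placed ABOVE the gateway-group rule.
pass in quick on em1 inet from $lan_net to 192.168.2.0/24 keep state
pass in quick on em1 inet from $lan_net to 10.10.0.0/16 keep state

# 2. The gateway-group (load balancing) rule. Anything that reaches it is
#    forced out a WAN by route-to and never consults the routing table, which
#    is why 192.168.2.0/24 traffic left via the WAN when only this rule existed.
pass in quick on em1 route-to { (em0 $wan1_gw), (em2 $wan2_gw) } round-robin \
    inet from $lan_net to any keep state
```

Swapping the two sections reproduces the symptom in the thread: the route-to rule matches first and 192.168.2.0/24 traffic leaves through a WAN gateway.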
                                cmb

                                @nnicanor:

                                I have the same problem, reported some time ago. I added rules and static routes do not work. I am also using multi-LAN and multi-WAN; I have to segment my network, but it is difficult to set rules to let traffic between the multiple LANs, and it does not work properly to pass traffic between static routes and LAN subnets. Between networks I am using pfSense 2.0.1 and one pfSense 1.2.2, and traffic passes OK. I need to remove 1.2.2, but the new version has this issue, reported since the beta versions.

                                Start your own thread; please don't hijack threads. The underlying PF version in 1.2.2 didn't have as tight filtering as current versions, and it will not pass asymmetrically routed traffic by default, which is what I'm sure you're seeing. Start a thread describing your problem for help there.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.