Netgate Discussion Forum
    Existing connections ignore route changes

    General pfSense Questions (2 posts, 1 poster, 1.2k views)
    adam65535:

      EDIT: I forgot to mention that I am using CARP on the interfaces for firewall failover (not WAN gateway failover), in case that affects the behavior below.

      I have a need for routing to change for existing connections. I have a Perl script that monitors an IP and adds and drops a route to a remote subnet depending on a site-to-site T1 connection. The problem is that existing connections do not obey, or do not seem to see, the routing table changes. New connections do. This is with the default LAN rule allowing everything outbound, for testing.

      Is there a way to make sure existing connections in the state table (with no gateway defined in the LAN rule that passes this traffic) see the route changes? Basically I want traffic to a subnet to go either out the internet or out an OPT interface through a site-to-site T1 connection.

      The transition must not interrupt existing connections to the remote subnet.

      Example:
      LAN  10.1.1.1/24
      WAN  1.2.2.1/24 ----- routes through the internet to remote site 1.4.4.1/24
      OPT1 1.3.3.1/24 <-> router local site (1.3.3.2/24) <-> router remote site <-> remote external subnet 1.4.4.1/24

      I monitor the remote router and add and drop the route below.
      route add -net 1.4.4.0/24 1.3.3.2

      For an existing connection from 10.1.1.5 to 1.4.4.4 the static route change is ignored, so the packets are still sent through OPT1 when the static route for OPT1 gets deleted by my script. This would cause issues with existing connections. If I establish a new connection it will correctly go out the WAN interface.

      I am looking to replace a homegrown Linux firewall/router with pfSense. The behavior of pf with routing changes is a sticking point though.

      I also tried to use gateway groups only for the specific rule (not for default gateway failover), but it had the same problem. Existing connections did not fail over.

      adam65535:

        I wonder if my question is not clear, too complex, or really nobody knows.

        From my testing it seems like NATed connections (the only ones I tested) do not obey any routing changes for existing connections. I wonder if that is one of the reasons the option below defaults to disabled: to make sure any existing connections are terminated for the WAN when routing changes. Without doing that, it would appear that packets for states that were already connected before a routing change would still be going to a dead gateway until the TCP connection times out.

        There must be a way to make sure packets are routed according to the routing table for already established connections when a route changes.

        Advanced -> Gateway Monitoring -> States:
        "By default the monitoring process will flush states for a gateway that goes down. This option overrides that behavior by not clearing states for existing connections."
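The monitor-and-reroute loop from the first post, combined with the state flush the second post identifies as the mechanism pfSense itself uses, written out as an added example (not the poster's Perl script and not pfSense code). It assumes the poster's addressing (remote subnet 1.4.4.0/24 via the OPT1-side router 1.3.3.2, WAN default route otherwise) and assumes the router at 1.3.3.2 is the address worth pinging; the route and pfctl commands are standard FreeBSD/pf syntax. DRY_RUN=1 (the default) prints the commands instead of executing them, so the block can be exercised on any machine. Note the caveat built into it: killing the affected states stops them being black-holed on a dead path, but pf does not rebuild a state from a mid-stream TCP packet, so those connections are reset rather than seamlessly moved. That is the same trade-off the gateway monitoring flush makes, and it does not satisfy the "must not interrupt" requirement stated above.

```shell
#!/bin/sh
# Added example (not from the forum thread): monitor the T1, add or drop the
# static route, and kill the states that are pinned to the old path.
# Addressing is the poster's; MONITOR_IP is an assumption.

REMOTE_NET="1.4.4.0/24"   # subnet behind the T1 (from the post)
T1_GW="1.3.3.2"           # next hop on OPT1 (from the post)
MONITOR_IP="1.3.3.2"      # assumed health-check target
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Static route install (same command the poster uses) and its removal,
# after which traffic to REMOTE_NET follows the WAN default route again.
route_add_cmd() { echo "route add -net $REMOTE_NET $T1_GW"; }
route_del_cmd() { echo "route delete -net $REMOTE_NET"; }

# pf keeps already-established states on the path they were created with, so
# after either route change the states to REMOTE_NET must be killed or they
# keep using the old interface. This is a destination-scoped version of the
# flush that "Gateway Monitoring -> States" performs for a whole gateway.
# Caveat: killed TCP states are reset; pf will not recreate a state from a
# packet in the middle of a connection.
kill_states_cmd() { echo "pfctl -k 0.0.0.0/0 -k $REMOTE_NET"; }

# Decide the action from the previous link state (up/down/unknown) and the
# current probe result. Prints "add", "delete" or "none".
decide() {
    if [ "$1" = "$2" ]; then echo none; return; fi
    case "$2" in
        up)   echo add ;;
        down) echo delete ;;
        *)    echo none ;;
    esac
}

# FreeBSD ping: one probe, 1000 ms reply timeout.
t1_is_up() {
    ping -c 1 -W 1000 "$MONITOR_IP" >/dev/null 2>&1
}

# Apply an action: change the route first, then drop the stale states.
apply() {
    case "$1" in
        add)    run $(route_add_cmd); run $(kill_states_cmd) ;;
        delete) run $(route_del_cmd); run $(kill_states_cmd) ;;
        none)   ;;
    esac
}

# Poll loop; only acts on transitions so the route is not re-added every cycle.
main_loop() {
    prev=unknown
    while :; do
        if t1_is_up; then now=up; else now=down; fi
        apply "$(decide "$prev" "$now")"
        prev="$now"
        sleep 5
    done
}

# Start the loop only when asked, so the functions can be sourced and tested.
case "${RUN_MONITOR:-0}" in 1) main_loop ;; esac
```

Run it on the firewall as `RUN_MONITOR=1 DRY_RUN=0 sh t1_route_monitor.sh` (as root, since both `route` and `pfctl` need it); without `DRY_RUN=0` it only prints what it would do, which is a reasonable first pass to confirm the commands match the intended addressing. `pfctl -s states` before and after a transition shows which entries were dropped.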
        
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.