Netgate Discussion Forum

Multi-WAN "default gateway" sticks even when unchecked.

2.1 Snapshot Feedback and Problems - RETIRED
    burnsl
    last edited by Sep 3, 2013, 3:13 AM

    I have two WAN interfaces.
    One DHCP
    One ADSL

    Yet when I un-check default gateway from each, I get (default gateway) on one of them at all times.
    When I return to the configuration page, I see it's checked again.

    Is this a bug?

      phil.davis
      last edited by Sep 3, 2013, 4:09 AM

      When you uncheck "default gateway" on one of them, the system will pick the other one to be the default. It is assumed that the system should have a default gateway.
      Do you have a use case where you actually do not want a default gateway at all?

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        bkraptor
        last edited by Sep 4, 2013, 4:55 AM

        There are countless situations where one would not want a default GW. This is a networking box so any such restricting decisions should not be forced on the admin if there is no technical difficulty in leaving it open for the admin to choose.

          eri--
          last edited by Sep 4, 2013, 7:01 AM

          Can you describe your scenario when default gw is not needed?
          You would have trouble for traffic originating from the pfSense box itself with that since for forwarded traffic there is good measure taken to do that on the firewall rules.

            bkraptor
            last edited by Sep 4, 2013, 2:41 PM

            Any scenario where you only have specific routes pointing to the networks of interest. This is also a security feature because you can not have traffic leaks to networks your box has no knowledge of.

            Having an obligatory default rule is based on the assumption that all pfSense boxes will be connected to the Internet. This assumption is not valid.

              eri--
              last edited by Sep 4, 2013, 3:07 PM

              Well since you are taking the hassle of putting so many static routes.
              Point your default gateway to something not existing.

              It seems to me like firewall rules are what you are after for restricting access.
              Routing is not a security feature but a communication feature.

              Also, in pfSense, even if you do not specify a default gateway, the firewall will send traffic to your gateways.
              You seem to misunderstand something and not take policy routing done by pfSense into account.

              Use firewall rules for restricting access.

                bkraptor
                last edited by Sep 4, 2013, 8:51 PM Sep 4, 2013, 8:50 PM

                Adding a default route to an inexistent IP only adds delay to any IP route lookup. Instead of an instant ICMP destination network unreachable, all the traffic would have to time out before any feedback is received.

                I really see no reason to restrict admin choice, except for thinking that your reasoning is somehow better.

                More choice is always better. I don't see a need to try to steer the admin in a certain direction.

                Unless there is a technical reason for this restriction, the choice of what is better for a particular scenario should be on the admin's side.

                  eri--
                  last edited by Sep 5, 2013, 7:00 AM

                  I already told you, in today's world order it does not make sense in general to not have a default gw unless you disable the firewall.
                  Otherwise it does not mean anything.

                    bkraptor
                    last edited by Sep 5, 2013, 7:07 AM Sep 5, 2013, 7:05 AM

                    I realize very well how PBR works. This is in no way a reason to force a setting if there are no technical limitations for such a decision. Since traffic originating from the pfSense box is not controlled by the PBR policies, not having a default route is still a valid choice, which should be selectable.

                    Also, you're completely disregarding any such scenarios where one disables pf and only uses the box as a router.

                      eri--
                      last edited by Sep 5, 2013, 7:47 AM

                      @bkraptor:

                      Also, you're completely disregarding any such scenarios where one disables pf and only uses the box as a router.

                      That is a valid scenario.
                      But for 2.1 really there is not really an easy way to avoid that, especially if you have dynamic interfaces (DHCP/PPP types/etc).

                      You can enter a feature request in redmine so this does not get forgotten and is taken into consideration in the future.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.