Netgate Discussion Forum
    Static route bug?

    Firewalling
    diaF

      Hi

      I am trying to set up pfSense to front servers hosted inside Hyper-V. I am using the pfSense-LiveCD-2.1-RELEASE-amd64-hyperv-kernel-20130915-1129 build.

      I have moved a virtual server off the public IP range onto a new private range, then put the pfSense on the public IP address, and the server can get out to the internet fine through the pfSense.

      I have set up a NAT port forward to get to the server's website via the public IP address on the pfSense, which works fine from neighbouring servers. I've also set up ICMP rules for testing, and those work fine from neighbouring servers.

      Now, there is another router (a layer 3 switch) in the same public IP range that routes to another private IP range to access the servers. This works fine from the other neighbouring servers not put through the pfSense, as they have a persistent route telling them to find the private IP range at the layer 3 switch.

      I have loaded this L3 switch router as an additional gateway on the pfSense and have set the private IP range to go through it. I have also disabled "block private/bogon networks" on every interface.

      Now, with "bypass firewall rules for traffic on the same interface" switched on, I can ping that private IP range from the server behind the pfSense; with it switched off I cannot.

      Now for the main problem: with that setting switched on or off, from the private IP range behind the layer 3 switch I cannot ping the pfSense or connect through the NAT rule, which works fine from neighbouring servers in the range.

      The firewall logs say the traffic is accepted, and if I run Wireshark on the server, it shows TCP retransmits and ACKs for unseen segments etc., which tells me only some of the traffic is able to get through and some of it is not, not enough for the connection to work.

      If I try "disable all packet filtering", the ping does start to work.

      Any ideas or known issues?

      Thanks

      diaF

        Narrowed down the issue.

        If I select the default gateway under the interface configuration, and then set up the alternative gateway and the route under Routing, it doesn't work.

        If I leave the interface configuration without a gateway, but set up both gateways under Routing, make one the default, and point the other route to the other gateway, it works perfectly!!!

        Is this some sort of bug? Or am I missing something?

        richm

          I am seeing the same behavior. The ruleset with a gateway enabled on my WAN interface has a route-to rule which seemed to override my system routing table:

          pass out route-to (msk0 172.16.11.7) inet from 172.16.11.69 to ! 172.16.11.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"

          Setting the gateway to None on the WAN interface tab and making the route default under System > Routing also fixed the issue for me.

          This was on Release 2.1:
          2.1-RELEASE (amd64)
          built on Wed Sep 11 18:17:48 EDT 2013
          FreeBSD 8.3-RELEASE-p11

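          The following is an added illustration, not code from the thread or from pfSense itself, of why the quoted route-to rule produces the symptom both posters describe. It parses the exact rule richm pasted and models the one property that matters here: in pf, a matching route-to rule decides the next hop before the system routing table is consulted, so a static route to the L3 switch is never used for traffic the rule catches. The L3 switch address (172.16.11.250), the private range behind it (10.20.0.0/16) and the host 10.20.0.5 are constructed for the example; only 172.16.11.69, 172.16.11.7, msk0 and 172.16.11.0/24 come from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net4 = ipaddress.IPv4Network


@dataclass
class Route:
    """One entry of the system routing table; gateway=None means on-link."""
    prefix: Net4
    gateway: Optional[IPv4]


@dataclass
class RouteToRule:
    """Minimal model of 'pass out route-to (IF GW) inet from SRC to [!] NET'."""
    iface: str
    gateway: IPv4
    src: IPv4
    dst_net: Net4
    dst_negated: bool


# Only the fields this example needs are captured; the rest of the rule is ignored.
_ROUTE_TO_RE = re.compile(
    r"pass out route-to \((?P<iface>\S+) (?P<gw>\S+)\) inet "
    r"from (?P<src>\S+) to (?P<neg>!\s*)?(?P<dst>\S+)"
)


def parse_route_to(rule_text: str) -> Optional[RouteToRule]:
    """Return a RouteToRule for a pf 'pass out route-to' line, or None if it is not one."""
    m = _ROUTE_TO_RE.search(rule_text)
    if not m:
        return None
    return RouteToRule(
        iface=m.group("iface"),
        gateway=IPv4(m.group("gw")),
        src=IPv4(m.group("src")),
        dst_net=Net4(m.group("dst"), strict=False),
        dst_negated=m.group("neg") is not None,
    )


def rule_matches(rule: RouteToRule, src: IPv4, dst: IPv4) -> bool:
    """'to ! NET' matches destinations outside NET; 'to NET' matches those inside."""
    if src != rule.src:
        return False
    return (dst in rule.dst_net) != rule.dst_negated


def system_next_hop(routes: List[Route], dst: IPv4) -> Optional[IPv4]:
    """Longest-prefix match over the routing table; on-link routes return dst itself."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        return None
    return dst if best.gateway is None else best.gateway


def effective_next_hop(routes: List[Route], rules: List[RouteToRule],
                       src: IPv4, dst: IPv4) -> Optional[IPv4]:
    """pf policy routing: the first matching route-to rule wins over the routing table."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule.gateway
    return system_next_hop(routes, dst)


def route_to_overrides(routes: List[Route], rules: List[RouteToRule],
                       src: IPv4, dst: IPv4) -> bool:
    """True when policy routing would send a packet somewhere other than the static route says."""
    return effective_next_hop(routes, rules, src, dst) != system_next_hop(routes, dst)


# The rule exactly as quoted in the thread (pfSense generates it when a gateway is set on WAN).
PAGE_RULE = ('pass out route-to (msk0 172.16.11.7) inet from 172.16.11.69 to ! 172.16.11.0/24 '
             'flags S/SA keep state allow-opts label "let out anything from firewall host itself"')

FIREWALL_WAN = IPv4("172.16.11.69")        # from the post
L3_SWITCH = IPv4("172.16.11.250")          # constructed: the layer 3 switch in the WAN range
PRIVATE_BEHIND_L3 = Net4("10.20.0.0/16")   # constructed: range reached via the L3 switch

# Constructed routing table matching the setup described: default via 172.16.11.7,
# the WAN subnet on-link, and a static route for the private range via the L3 switch.
ROUTES = [
    Route(Net4("0.0.0.0/0"), IPv4("172.16.11.7")),
    Route(Net4("172.16.11.0/24"), None),
    Route(PRIVATE_BEHIND_L3, L3_SWITCH),
]

if __name__ == "__main__":
    rule = parse_route_to(PAGE_RULE)
    host = IPv4("10.20.0.5")  # constructed host behind the L3 switch pinging the firewall
    print("static route says:", system_next_hop(ROUTES, host))
    print("with gateway on WAN (route-to rule):", effective_next_hop(ROUTES, [rule], FIREWALL_WAN, host))
    print("with gateway removed from WAN:", effective_next_hop(ROUTES, [], FIREWALL_WAN, host))
```

          Run as-is, the script shows the firewall's reply to 10.20.0.5 leaving toward 172.16.11.7 while the routing table points at the L3 switch, which is exactly why the ping from behind the L3 switch gets no answer and why "disable all packet filtering" (which also drops the route-to rule) makes it work. `route_to_overrides` is the check to run over `pfctl -sr` output when a static route behaves as if it were missing: any destination for which it returns True is being policy-routed past the routing table.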