Static route bug?



  • Hi

    I am trying to set up pfSense to front servers hosted inside Hyper-V. I am using the pfSense-LiveCD-2.1-RELEASE-amd64-hyperv-kernel-20130915-1129 build.

    I have moved a virtual server off the public IP range onto a new private range, then put the pfSense on the public IP address, and the server can get out to the internet fine through the pfSense.

    I have set up a NAT port forward to get to the server's website via the public IP address on the pfSense, which works fine from neighbouring servers. I've also set up ICMP rules for testing, and they work fine from neighbouring servers.

    Now there is another router (layer 3 switch) in the same public IP range that routes to another private IP range to access the servers. This works fine with the other neighbouring servers not put through the pfSense, as they have a persistent route telling them to find the private IP range at the layer 3 switch.

    I have loaded this L3 switch router as an additional gateway on the pfSense and have loaded the private IP range to go through it. I have also disabled block private/bogon networks on every interface.

    Now with "bypass firewall rules for traffic on the same interface" switched on, I can ping that private IP range from the server behind the pfSense; with it switched off I cannot.

    Now for the main problem: with that setting switched on or off, from the private IP range behind the layer 3 switch I cannot ping pfSense or connect through the NAT rule, which works fine from neighbouring servers in the range.

    The firewall logs say the traffic is accepted, and if I run Wireshark on the server, it shows TCP retransmits and ACKs for unseen segments etc., which is telling me only some of the traffic is able to get through, and some of it not, not enough for the connection to work.

    If I try "disable all packet filtering" the ping does start to work.

    Any ideas or known issues?

    Thanks



  • Narrowed down the issue.

    If I select the default gateway under interface configuration, and then set up the alternative gateway and the route under routing, it doesn't work.

    If I leave the interface configuration without a gateway, but set up both gateways under routing, make the one default, and point the other route to the other gateway, it works perfectly!!!

    Is this some sort of bug? Or am I missing something?



  • I am seeing the same behavior. The ruleset with gateway enabled on my WAN interface has a route-to rule which seemed to override my system routing table:

    pass out route-to (msk0 172.16.11.7) inet from 172.16.11.69 to ! 172.16.11.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"

    Setting the gateway to none on the WAN interface tab and making the route default under system routing also fixed the issue for me.

    This was on Release 2.1:
    2.1-RELEASE (amd64)
    built on Wed Sep 11 18:17:48 EDT 2013
    FreeBSD 8.3-RELEASE-p11
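
Added example, not part of any post in this thread and not pfSense code: a small Python check that takes the route-to rule quoted in the last post and reports which static routes it would send to a different gateway than the routing table says. The static route (10.20.0.0/16 via 172.16.11.254) is a constructed sample, and only the rule's destination ("to") match is modelled.

```python
import ipaddress
import re

# Rule quoted in the thread above.
RULE = ('pass out route-to (msk0 172.16.11.7) inet from 172.16.11.69 '
        'to ! 172.16.11.0/24 flags S/SA keep state allow-opts '
        'label "let out anything from firewall host itself"')

# Constructed sample: a private range reached via a second gateway on the
# WAN subnet (both values are assumptions, not taken from the thread).
STATIC_ROUTES = [("10.20.0.0/16", "172.16.11.254")]

RULE_RE = re.compile(
    r'route-to\s+\(\s*(?P<ifname>\S+)\s+(?P<gw>[\d.]+)\s*\)\s+inet\s+'
    r'from\s+\S+\s+to\s+(?P<neg>!\s*)?(?P<dst>[\d./]+|any)')


def parse_route_to(rule):
    """Extract interface, forced gateway and destination match from a rule."""
    m = RULE_RE.search(rule)
    if m is None:
        return None
    dst = "0.0.0.0/0" if m.group("dst") == "any" else m.group("dst")
    return {"ifname": m.group("ifname"),
            "gw": ipaddress.ip_address(m.group("gw")),
            "negated": m.group("neg") is not None,
            "dst": ipaddress.ip_network(dst, strict=False)}


def rule_covers(parsed, net):
    """True if packets to any address in net can match the rule's 'to' part."""
    if parsed["negated"]:
        # 'to ! D' matches every destination outside D.
        return not net.subnet_of(parsed["dst"])
    return net.overlaps(parsed["dst"])


def overridden_routes(rule, routes):
    """Static routes whose traffic the route-to rule sends to another gateway."""
    parsed = parse_route_to(rule)
    hits = []
    for cidr, gw in routes if parsed else []:
        net = ipaddress.ip_network(cidr)
        if rule_covers(parsed, net) and ipaddress.ip_address(gw) != parsed["gw"]:
            hits.append((cidr, gw, str(parsed["gw"])))
    return hits


if __name__ == "__main__":
    for cidr, static_gw, forced_gw in overridden_routes(RULE, STATIC_ROUTES):
        print(f"{cidr}: table says {static_gw}, route-to forces {forced_gw}")
```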