Which occurs first: Static routing or fw rule?
-
Hi,
I have two LAN interfaces, 'LAN' and 'OPT1'. Say my LAN is at 192.168.10.1 and my Opt1 is at 192.168.20.1.
Opt1 is connected to another router (ip 192.168.20.2) which again routes traffic to another subnet 192.168.30.0/24
In addition to 'normal' wan access, my LAN workstations need to reach the subnet 192.168.30.0 behind the other router.
First I tried to create an access rule for LAN:
Source: LAN, Dest: 192.168.30.0/24, GW 192.168.20.2 (the other router knows how to route to 192.168.30.0 from that interface.)
But - it didn't make sense to have a rule's gw on a different subnet than its if so obviously I probably need some routing too.But does static routing 'process' the traffic BEFORE or AFTER each interface's fw rules?
How would I config this in pfsense so my LAN workstations traffic with destination 192.168.30/24 is routed via Opt1 to the other router's gateway 192.168.20.2 and not ot the internet as all other traffic from my LAN if.?
Thanks for some light on this issue
regards tor
-
#1: When you set the gateway in the firewall rule you FORCE the traffic to the router you specified as Gateway.
#2: When you create a static route and have as Gateway * then the traffic is processed normal through the routing table.
–> It uses the routingtable to determine where to send the traffic to.The first is policy routing. You could make something like that only UDP gets forced to the specified gateway and all other traffic not.
The second is the normal approach if you just want to reach another subnet. I think you want this.
-
Thanks a lot for this clarification. However if I go for the second solution and I want a static route for all traffic into interface LAN with destination 192.168.30.0 to be routed VIA 192.168.20.2. What do I put in the 'Static routes' fields?
Interface: Which? (if I put LAN here, then LAN's internet access will be lost..)
Destination network: (I assume 192.168.30.1…?)
Gateway: you suggest '*', but how can I avoid that the packets try the wan gateways first..? I thought I had to put 192.168.20.2 to get'em straight through..Thanks for comments
regards
tor -
Hi again,
I would like to go for GruensFroeschli's second solution, however as I mention in the previous post I'm unsure how to set up a correct static route according to what he suggest. Thanks a lot if someone would help me on the tracks again with this
regards
Tor
-
you set static routes under: system –> static routes
Interface: Which? (if I put LAN here, then LAN's internet access will be lost..)
Destination network: (I assume 192.168.30.1…?)
Gateway: you suggest '*', but how can I avoid that the packets try the wan gateways first..? I thought I had to put 192.168.20.2 to get'em straight through..Do not confuse the static routing config-page with the firewall rules config-page.
The * is to be set in the firewall-rule so that the firewall rule uses the routing table to determine where to send traffic.Interface:
@from:Choose which interface this route applies to.
Destination Network:
192.168.30.0/24 (if that is the subnet you want to reach)Gateway:
IP of your router over which the destination subnet is reachable
(is this 192.168.20.2 ?) -
OK, we're talking about traffic coming IN to the LAN interface. Most of this traffic has destination Internet, but occasionally some workstations need to access the 192.168.30.0/24 subnet via OPT1 inferface and the external at router 192.168.20.2
So if I understand you correctly I simply create a Static Route like this:
Interface: LAN
Destination Network: 192.168.30.0/24
Gateway: 192.168.20.2… and this will not affect the LAN interface's traffic bound for the Internet?
The LAN interface has currently only the default fw rule:
Source: 192.168.10.0/24
Destination: any
Gateway: *So I do NOT in this case need an additional fw rule for:
Source: 192.168.10.0/24
Destination: 192.168.30.0/24
Gateway: 192.168.20.2Thanks a lot for your help ;-)
regards
tor
-
well you could do both.
just like i explained above: one is policy routing and the other is "normal" routingSource: 192.168.10.0/24
Destination: any
Gateway: *Gateway: *
Means that the traffic will be routed according to the routing-table.
Since you add a new entry to this table it will be routed correctly.So I do NOT in this case need an additional fw rule for:
Source: 192.168.10.0/24
Destination: 192.168.30.0/24
Gateway: 192.168.20.2If you do it that way you bypass the routing-table and you FORCE the traffic destined to 192.168.30.0/24 to 192.168.20.2
-
If you do it that way you bypass the routing-table and you FORCE the traffic destined to 192.168.30.0/24 to 192.168.20.2
Ah, so firewall rules takes precedence over any static routing! That was my main question in the original post, see subject.
Doesn't Static Routes really care to which interface the traffic enters the pfsense? I just put in an Opt2 interface and added Route2:
Interface: Opt2
Destination Network: 192.168.30.0/24
Gateway: 192.168.20.2Route1 existed already:
Interface: LAN
Destination Network: 192.168.30.0/24
Gateway: 192.168.20.2But when saving Route2 I got 'A route to this destination network already exists' error. Does this mean that when I have created a route for one interface this is valid for all interfaces? In the future I need access from both LAN and Opt2 interfaces to the 192.168.30.0 subnet and I just wanted to test this while on the subject.
regards
tor
-
I think the expression
"Choose which interface this route applies to."
means on which interface the traffic will be sent to the specified gateway.
So you select here the interface on which the subnet in which your router to the other subnet is.
In your case that would be Opt1.
