Static routes puzzling me, inconsistent behaviour



  • Hey all,

    I'm seeing some odd behaviour with my static routes, and I'm not sure if I got something wrong along the way.

    Maybe these two images can help.

    ![static routes.JPG](/public/imported_attachments/1/static routes.JPG)



  • Basically I can see some of my static routes working, and then others don't seem to work. I'm on 1.2 Release, I've reset my states, I even rebooted the firewall. I've tried adding and removing rules, and it just seems to like some and not like others.



  • Try to enable the following option at System > Advanced: "Static route filtering: Bypass firewall rules for traffic on the same interface".



  • Thanks, I'm afraid that's already enabled.



  • Are you using policy-based routing/load balancing on that system as well?



  • No sir, not on that one.



  • Do you use IPsec on that system? If yes, is there a tunnel definition that is conflicting with a subnet range of your routes? Also, if so, did you set up static routes for IPsec traffic? Or what is that comment for the one route that is cut off in that screenshot?



  • Sorry, what am I thinking… the previous question regarding load balancing... YES we do. I've been working on a few separate problems today and so I got confused about which firewall I was talking about. Sorry hoba, we do have load balancing in place, some firewall rules look at the load balancer, others the default routing (as is common).

    @hoba:

    Do you use IPsec on that system? If yes, is there a tunnel definition that is conflicting with a subnet range of your routes? Also, if so, did you set up static routes for IPsec traffic? Or what is that comment for the one route that is cut off in that screenshot?

    No IPsec. (I'm sure of it :) )



  • If you have load balancer rules they redirect the traffic somewhere before it hits the system's routing table. To prevent this from happening, create a network alias with all your remote subnets (like the ones that you have in the routing table, or OpenVPN or IPsec subnets as well). Then create a firewall rule on top of all your other LAN rules like "pass, protocol any, source any, destination <remote-networks-alias>, gateway default". Does it work now? This can be especially tricky and needs to be done if you are working with "load balance anything" rules at the bottom of your firewall rules.



  • booyah! That works perfectly.

    It makes sense why that's necessary, but I would really have thought static routes would get processed first. What is the issue there? Is it something I could create a bounty for someone to look into modifying, or is that an OS kinda thing?



  • If we would auto-add rules for static routes it would not be possible anymore to add blocks on them. Nothing that can be solved with a bounty. The firewall rules are processed first before the routing table is hit. This is just something that you have to know.
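The two points hoba makes in this thread (the load-balancing rule hands traffic to the gateway pool before the routing table is consulted, so a "pass to remote-networks alias, gateway default" rule must sit above it, and an ordinary block rule above that pass rule still wins) can be illustrated with a small model of first-match rule evaluation followed by a longest-prefix routing lookup. This is an added example, not code from the thread or from pfSense. The topology (a LAN-side router reached via static routes, a `wan1_gw` default route, a `lb_pool` gateway group) and all rule and gateway names are constructed for the example; the evaluation order modelled is first match wins, which is how pfSense-generated rules behave because they are emitted with `quick`.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample data (assumed for this example, not taken from the thread).
# Routing table: (destination prefix, next hop). Static routes point remote
# subnets at a router on the LAN; everything else uses the default route.
ROUTING_TABLE = [
    ("0.0.0.0/0", "wan1_gw"),
    ("10.20.0.0/16", "lan_router"),
    ("172.16.5.0/24", "lan_router"),
]

# The "remote networks" alias hoba suggests: every subnet reached via a static route.
REMOTE_NETWORKS = [ip_network(n) for n in ("10.20.0.0/16", "172.16.5.0/24")]


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    dst: List[IPv4Network]         # empty list means "destination any"
    gateway: Optional[str] = None  # None = gateway "default" (use routing table);
                                   # a name = policy-route to that gateway/pool


def route_lookup(ip: IPv4Address, table) -> Optional[str]:
    """Longest-prefix match, as the kernel routing table does it."""
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def next_hop(dst: str, rules: List[Rule], table=ROUTING_TABLE) -> Tuple[str, Optional[str]]:
    """Evaluate rules top-down, first match wins (pfSense emits 'quick' rules).
    Returns (name of the matching rule, next hop). A rule carrying a gateway
    decides the next hop itself; the routing table is consulted only when the
    matching rule has gateway 'default'."""
    ip = ip_address(dst)
    for rule in rules:
        if rule.dst and not any(ip in net for net in rule.dst):
            continue
        if rule.action == "block":
            return rule.name, None
        if rule.gateway is not None:
            return rule.name, rule.gateway
        return rule.name, route_lookup(ip, table)
    return "implicit-deny", None


# Ruleset as in the original post: a "load balance anything" rule at the bottom
# catches all LAN traffic and hands it to the gateway pool, so the static
# routes are never reached.
BROKEN = [
    Rule("lb_any", "pass", [], gateway="lb_pool"),
]

# Ruleset after hoba's fix: a pass rule for the remote-networks alias with
# gateway "default" sits above the load-balancing rule.
FIXED = [
    Rule("pass_remote_nets", "pass", REMOTE_NETWORKS, gateway=None),
    Rule("lb_any", "pass", [], gateway="lb_pool"),
]

# Because ordinary rules decide, a block placed above the pass rule still
# takes effect, which is why auto-adding rules for static routes would be a
# problem.
FIXED_WITH_BLOCK = [
    Rule("block_one_host", "block", [ip_network("10.20.1.5/32")]),
    *FIXED,
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("fixed+block", FIXED_WITH_BLOCK)):
        for dst in ("10.20.1.5", "172.16.5.9", "203.0.113.7"):
            print(f"{label:12s} {dst:14s} -> {next_hop(dst, rules)}")
```

Running the script prints, for each ruleset, which rule matched and where the packet goes: with the broken ruleset a packet for 10.20.1.5 is sent to `lb_pool` even though a static route exists for it; with the fix it reaches `lan_router`, while Internet-bound traffic still goes to the pool; and the block rule above the pass rule still drops the one host.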



  • Fair enough.

    Thanks a lot hoba, your knowledge is much appreciated.

