Static route with interface



  • Hi,
    I just got a second WAN, and the modem is in bridge mode. It gives IP, DNS & gateway to pfSense, with the correct MAC spoofing.
    The ISP forces DHCP; there is no way to use a static config, for security reasons.

    The only problem is the gateway, with an IP outside the WAN network.

    I can make it work with:
    route add -inet xxx.xxx.xxx.254 -link -iface em2

    But after some time (10 minutes, it seems) the connection fails, no traffic to the gateway anymore.
    I should add that I monitor one of the DNS servers for the online check, and a continuous ping always gives me a 10 ms ping, stable and always there.

    The route is still there in netstat -nr, but there is no more traffic, even 1 hour later.

    If I disable the WAN2 interface, re-enable it, then add the route again, it starts working again.

    I guess that some SSH hacking of routes is not a good idea with a GUI/database-driven router like pfSense, so I tried to add this route in the interface.

    In System/Routing/Routes, I can add a static route, but only to the WAN2 IP range, not to the WAN2 interface (em2).

    Any idea?





  • Hi, thanks for pointing me to this post, I did not find it.

    I have a static IP, so it should be easier.

    But my ISP forces DHCP, and the DHCP server gives the gateway.
    Routing to an IP from the GUI should internally create a rule like:
    route add -inet 185.4.79.254 -link -inet 185.4.79.254
    as 185.4.79.254 is the gateway from DHCP and identifies my WAN in static rules, but is also my real GW.

    And my CLI route add -inet 185.4.79.254/32 -link -iface em2 is working, except that it cuts out every 10 min for 10 min if I do not reset the WAN interface first.

    Klona



  • Hi.

    I really don't understand. And the more I test, the less I understand.

    The modem is in bridge mode, and gives through DHCP an IP, mask, DNS, and a gateway outside the IP subnet. OK.
    Adding the route through the console does the trick and internet access is OK… for 10 minutes approx.
    Then it's down for approx. 10 min. Then up again, etc.

    I tried with IPCop on a VM, no problem. I also tried with a Cisco Meraki, no problem.

    I also have another ISP, modem in bridge mode, stable for months with my pfSense.

    Does anyone have a clue, or even just an idea how to log and identify this problem?



  • It would be interesting to see what DHCP options the server gives to you. Could you please post a packet capture of DHCPACK?



  • Hi, thanks,
    I didn't know about packet capture inside pfSense. Great tool.

    16:11:59.654405 00:0c:29:4f:xx:xx > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
        185.45.xx.xx.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:0c:29:4f:bf:8a, length 300, xid 0x713f4345, Flags [none] (0x0000)
      Client-Ethernet-Address 00:0c:29:4f:xx:xx
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Requested-IP Option 50, length 4: 185.45.xx.xx
        Client-ID Option 61, length 7: ether 00:0c:29:4f:xx:xx
        Hostname Option 12, length 7: "pfsense"
        Parameter-Request Option 55, length 9:
          Subnet-Mask, BR, Time-Zone, Classless-Static-Route
          Default-Gateway, Domain-Name, Domain-Name-Server, Hostname
          Option 119

    16:11:59.770129 e0:97:96:a2:xx:xx > 00:0c:29:4f:xx:xx, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 63, id 50246, offset 0, flags [DF], proto UDP (17), length 328)
        172.16.100.xx.67 > 185.45.xx.xx.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, hops 1, xid 0x713f4345, Flags [none] (0x0000)
      Your-IP 185.45.xx.xx
      Gateway-IP 172.16.102.xx
      Client-Ethernet-Address 00:0c:29:4f:xx:xx
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 172.16.100.xx
        Lease-Time Option 51, length 4: 150000
        Subnet-Mask Option 1, length 4: 255.255.255.255
        Default-Gateway Option 3, length 4: 185.4.79.254
        Domain-Name-Server Option 6, length 8: 178.250.xx.xx,178.250.xx.xx

    I am going to get a full Wireshark log at up and down time and try to find some clue.
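The DHCPACK above is the whole story of why the hand-typed route is needed: option 1 hands out a 255.255.255.255 mask, so the leased address is a /32 with nothing else on-link, and option 3 names a router (185.4.79.254) that by construction cannot be inside that subnet. The short Python script below, added here as an illustration and not code from the thread or from pfSense, parses the routing-relevant fields out of a tcpdump-style DHCPACK dump, checks whether the offered router is on-link, and prints the FreeBSD route(8) commands a /32 lease requires (the same pair the poster ended up typing). The sample text is constructed from the posted capture with the xx-masked octets replaced by assumed placeholders (185.45.0.10, 172.16.100.1, 172.16.102.1, 178.250.0.1/.2); the mask, router and lease time are exactly as posted, and the interface name em2 is taken from the thread.

```python
import ipaddress
import re

# Constructed sample: the DHCPACK from the thread with the xx-masked octets
# replaced by assumed placeholders. Option 1 (255.255.255.255), option 3
# (185.4.79.254) and option 51 (150000) are the values actually posted.
SAMPLE_ACK = """\
  Your-IP 185.45.0.10
  Gateway-IP 172.16.102.1
  Client-Ethernet-Address 00:0c:29:4f:xx:xx
  Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: ACK
    Server-ID Option 54, length 4: 172.16.100.1
    Lease-Time Option 51, length 4: 150000
    Subnet-Mask Option 1, length 4: 255.255.255.255
    Default-Gateway Option 3, length 4: 185.4.79.254
    Domain-Name-Server Option 6, length 8: 178.250.0.1,178.250.0.2
"""

# Field name -> regex over tcpdump -v BOOTP/DHCP output. Note that the
# "Gateway-IP" line is the BOOTP giaddr (the relay agent), not the default
# gateway; the router a client should use is option 3.
_FIELDS = {
    "your_ip": re.compile(r"^\s*Your-IP (\S+)", re.M),
    "subnet_mask": re.compile(r"^\s*Subnet-Mask Option 1, length 4: (\S+)", re.M),
    "router": re.compile(r"^\s*Default-Gateway Option 3, length 4: (\S+)", re.M),
    "lease_time": re.compile(r"^\s*Lease-Time Option 51, length 4: (\d+)", re.M),
}


def parse_dhcp_ack(text: str) -> dict:
    """Extract the lease parameters that matter for routing from a tcpdump DHCPACK dump."""
    lease = {}
    for name, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"DHCPACK is missing {name}")
        lease[name] = match.group(1)
    lease["lease_time"] = int(lease["lease_time"])
    return lease


def gateway_is_on_link(your_ip: str, subnet_mask: str, router: str) -> bool:
    """True if the router lies inside the subnet described by address + mask.

    With a 255.255.255.255 mask the subnet contains only the leased address,
    so whatever router the server names is off-link and needs a host route.
    """
    net = ipaddress.IPv4Network(f"{your_ip}/{subnet_mask}", strict=False)
    return ipaddress.IPv4Address(router) in net


def routes_for_lease(lease: dict, iface: str) -> list:
    """Return the FreeBSD route(8) commands to install for this lease.

    The kernel rejects a default route via a gateway it has no route to
    ("Network is unreachable"), so an off-link gateway first gets a /32 link
    route bound to the interface, then the default route through it.
    """
    cmds = []
    if not gateway_is_on_link(lease["your_ip"], lease["subnet_mask"], lease["router"]):
        cmds.append(f"route add -inet {lease['router']}/32 -link -iface {iface}")
    cmds.append(f"route add -inet default {lease['router']}")
    return cmds


if __name__ == "__main__":
    lease = parse_dhcp_ack(SAMPLE_ACK)
    on_link = gateway_is_on_link(lease["your_ip"], lease["subnet_mask"], lease["router"])
    print(f"lease: {lease}")
    print(f"gateway on-link: {on_link}")
    for cmd in routes_for_lease(lease, "em2"):
        print(cmd)
```

One thing the parsed lease makes visible: option 51 is 150000 seconds, roughly 41 hours, so the client's renewal timer would be around 20 hours if the server does not send options 58/59. A 10-minute on/off cycle therefore is not explained by the lease period itself, which is a useful thing to rule out before chasing the DHCP client in the up/down captures.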