Incoming traffic going out the wrong interface
MGMT (same subnet as LAN)
Outgoing traffic (upload) from clients goes out the LAN and the WAN as expected.
Incoming traffic (download) comes in the WAN and enters the network through the MGMT interface.
In the original list of System: Routing: Gateways we had three…
GW_WAN which had the IP of the next hop after the firewall
GW_WAN_2 which has the IP of the LAN interface
GW_MGMT which also had the gateway of the LAN interface
I've disabled GW_MGMT but the command: route -v show [host from LAN] still shows traffic going out GW_MGMT
I'm tempted to: route flush but I don't want to interrupt network traffic. I feel like there's definitely a route wrong, I'm just uncertain where to look and whether it can be changed in the GUI or if I need to edit through the console.
Thanks for your time.
You generally don't want gateways for ANY LAN network. Generally you only have gateways for remote/unknown networks such as your internet connection.
The Diagnostics - Routing does show that traffic for one of the three VLANs we're routing is indeed traveling through the wrong interface. But only that one VLAN:
192.168.42.0/23 link#3 U 617683890 1500 igb2
192.168.212.192/26 link#10 U 9233502 1500 igb1_vlan711
192.168.222.192/26 link#11 U 13135977 1500 igb1_vlan1110
Where it says igb2 on the first subnet, it should say igb1_vlan710 (the 710, 711, 1110 are the VLAN tags). This isn't using NAT, I just changed the IPs to private space to protect the innocent.
Under System: Routing: Gateways there are two gateways listed. The default is correct but the second gateway...
GW_WAN_2 WAN 192.168.43.254 192.168.43.254
which you'll notice is the highest IP of the first VLAN range.
So color me confused. I'm pretty sure I can just add a static route, but I'm not sure why pfsense is acting this way. The third interface configured with an IP in the first VLAN range (igb2) -- 192.168.42.30 -- is the one claiming all inbound traffic on that VLAN range.
Figured it out. The MGMT interface had the mask wrong: it was set to /23 (network) instead of /32 (host), so the firewall was routing through it. Changing it to /32 and applying immediately fixed the route.
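As an added illustration of the mechanism behind this fix (not code from the thread or from pfSense), the script below models the connected routes each interface address installs and shows why a MGMT address with a /23 mask ties with the VLAN 710 route for every host in 192.168.42.0/23, while a /32 host mask does not. The interface names and the VLAN 710 address 192.168.42.1/23 are assumptions; the rest mirrors the routing table posted above.

```python
"""Model connected routes from interface addresses and flag ambiguous routing."""
from ipaddress import ip_address, ip_interface
from itertools import combinations

# Constructed sample modelled on the thread. The VLAN 710 address is an assumption;
# igb2 is the MGMT interface with the wrong (network) mask.
BEFORE = {
    "igb1_vlan710": "192.168.42.1/23",
    "igb1_vlan711": "192.168.212.193/26",
    "igb1_vlan1110": "192.168.222.193/26",
    "igb2": "192.168.42.30/23",
}
# Same configuration after the fix: MGMT carries a /32 host mask.
AFTER = dict(BEFORE, igb2="192.168.42.30/32")


def connected_routes(ifaces):
    """Map each interface to the prefix the kernel installs as a connected route."""
    return {name: ip_interface(addr).network for name, addr in ifaces.items()}


def lookup(ifaces, host):
    """Longest-prefix match of host against the connected routes.

    Returns every interface that ties for the longest prefix; more than one
    entry means the kernel picks whichever route it installed first, which is
    exactly the 'traffic leaves the wrong interface' symptom in the thread."""
    addr = ip_address(host)
    best, winners = -1, []
    for name, net in connected_routes(ifaces).items():
        if addr in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [name]
            elif net.prefixlen == best:
                winners.append(name)
    return winners


def overlapping_routes(ifaces):
    """Return (iface_a, iface_b, prefix_a, prefix_b) for interface pairs whose
    connected routes overlap. Host (/32) routes are skipped: they claim only the
    interface's own address and cannot capture traffic for the rest of a subnet."""
    routes = connected_routes(ifaces)
    found = []
    for (a, na), (b, nb) in combinations(routes.items(), 2):
        if na.prefixlen == na.max_prefixlen or nb.prefixlen == nb.max_prefixlen:
            continue
        if na.overlaps(nb):
            found.append((a, b, str(na), str(nb)))
    return found
```

Run `overlapping_routes` against your own interface list to catch a second interface addressed inside a LAN subnet before it starts claiming that subnet's inbound traffic.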