> On Jun 23, 2017, at 2:41 AM, Arjen <[email protected]> wrote:
>
>
> Hi,
>
> I sent the email below a day ago but haven't seen it appear in the list. Sorry
> for the double post if applicable.
>
> best
> Arjen.
>
>
> -------- Forwarded Message --------
> Subject: static route issue
> Date: Thu, 22 Jun 2017 09:42:02 +0200
> From: Arjen <[email protected]>
> To: [email protected]
>
> Hi,
>
> WAN: 192.168.105.50 (block private nets not checked),
> def gw 192.168.105.254
> LAN: 192.168.158.254/24
>
> I have a route to 10.127.128.0/24 over 192.168.105.234, so
>
> - I add 192.168.105.234 as an extra gateway on WAN
> - I add a static route for 10.127.128.0/24 over 192.168.105.234
>
> and packets still go to the .254:
>
> [2.3.4-RELEASE][admin@pfsense01]/root: traceroute -In 10.127.128.1
> traceroute to 10.127.128.1 (10.127.128.1), 64 hops max, 48 byte packets
>  1  192.168.105.254  1.013 ms  0.536 ms  0.579 ms
>  2  next outside hop etc...
>
> My IPv4 routing table:
>
> [2.3.4-RELEASE][admin@pfsense01]/root: netstat -rn4
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.105.254    UGS         em0
> 10.127.128.0/24    192.168.105.234    UGS         em0
> 127.0.0.1          link#8             UH          lo0
> 192.168.105.0/24   link#1             U           em0
> 192.168.105.50     link#1             UHS         lo0
> 192.168.158.0/24   link#4             U           em3
> 192.168.158.254    link#4             UHS         lo0
>
>
>
> I don't get it. Does anyone?
Yes. WANs (interfaces with gateways set on the interface configuration) are treated specially. Outgoing connections are flagged with route-to and incoming connections are flagged with reply-to.

There are techniques to bypass route-to and reply-to, but if you are not using gateway groups/multi-WAN, the easiest thing might be to just remove the gateway from the WAN interface configuration. The gateway will still be there, and marked as default. Care will have to be taken because things like Automatic Outbound NAT will have to be switched to manual first and subsequently manually updated.

Otherwise, you can bypass reply-to by checking that box in the rules that pass the traffic into WAN. Bypassing route-to is a little more complicated and requires floating rules in the outbound direction that match the traffic (destination 10.127.128.0/24 would probably suffice) without a gateway set (the default route selected).

Even better would probably be to put the second router on a separate transit interface on pfSense instead of hanging it out on WAN, if possible.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
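As an added illustration of the route-to / reply-to behaviour described in the reply above (this is not code from the thread, and it is not pfSense's literal generated ruleset; it is a hand-written pf fragment modelled on the shape of the rules pfSense builds for a WAN that has a gateway set). Interface name, WAN address, default gateway and the 10.127.128.0/24 route are taken from the thread; the macro names, the `quick` placement and the inbound TCP/443 rule are assumptions made for the example.

```pf
# Illustrative pf rules (not pfSense's exact output) showing why a static
# route is ignored on a WAN with a gateway, and the floating-rule workaround.
# Values from the thread: em0 = WAN, .50 = WAN address, .254 = WAN gateway.
wan_if = "em0"
wan_ip = "192.168.105.50"
wan_gw = "192.168.105.254"

# Workaround from the reply: a floating rule, direction out, destination
# 10.127.128.0/24, with NO gateway selected.  Because there is no route-to
# clause, the kernel routing table picks the next hop, so the static route
# 10.127.128.0/24 -> 192.168.105.234 is honoured.  "quick" makes it win
# over the route-to rule below (pf is last-match-wins unless quick).
pass out quick on $wan_if inet from any to 10.127.128.0/24 keep state

# The kind of rule pfSense generates for a WAN with a gateway: outbound
# traffic is pinned to the WAN gateway with route-to, regardless of what
# netstat -rn4 shows.  This is why the traceroute went to .254.
pass out quick on $wan_if inet route-to ($wan_if $wan_gw) \
    from $wan_ip to any keep state

# Inbound rules on such a WAN get reply-to, so replies leave via the WAN
# gateway instead of via the routing table.  pfSense's per-rule
# "Disable reply-to" checkbox corresponds to leaving this clause out.
# (TCP/443 is an assumed example service, not from the thread.)
pass in quick on $wan_if inet reply-to ($wan_if $wan_gw) \
    proto tcp from any to $wan_ip port 443 keep state

# Checks on the firewall shell (pfSense 2.3.x, as in the thread):
#   pfctl -sr | grep -E 'route-to|reply-to'   # which rules pin the gateway
#   netstat -rn4                              # static route is present
#   traceroute -In 10.127.128.1               # first hop should be .234
```

Two caveats when reproducing this on a real box: pf's default is last-match-wins, so a floating rule without `quick` that is followed by a matching route-to rule loses to it, and a floating rule that has a gateway selected would itself carry a route-to clause and re-introduce the problem. Inspecting `/tmp/rules.debug` or `pfctl -sr` is the quickest way to confirm which rule actually matched.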
