Hi,
WAN: 192.168.105.50 (block private nets not checked),
def gw 192.168.105.254
LAN: 192.168.158.254/24
I have a route to 10.127.128.0/24 over 192.168.105.234, so
- I add 192.168.105.234 as an extra gateway on WAN
- I add a static route for 10.127.128.0/24 over 192.168.105.234
and packets still go to the .254:
[2.3.4-RELEASE][admin@pfsense01]/root: traceroute -In 10.127.128.1
traceroute to 10.127.128.1 (10.127.128.1), 64 hops max, 48 byte packets
1 192.168.105.254 1.013 ms 0.536 ms 0.579 ms
2 next outside hop etc...
My ipv4 routing table:
[2.3.4-RELEASE][admin@pfsense01]/root: netstat -rn4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.105.254 UGS em0
10.127.128.0/24 192.168.105.234 UGS em0
127.0.0.1 link#8 UH lo0
192.168.105.0/24 link#1 U em0
192.168.105.50 link#1 UHS lo0
192.168.158.0/24 link#4 U em3
192.168.158.254 link#4 UHS lo0
I don't get it. Does anyone?
Yes.
WANs (interfaces with gateways set on the interface configuration) are treated
specially. Outgoing connections are flagged with route-to and incoming
connections are flagged with reply-to.
There are techniques to bypass route-to and reply-to but if you are not using
gateway groups/multi-wan, the easiest thing might be to just remove the gateway
from the WAN interface configuration. The gateway will still be there, and
marked as default. Care will have to be taken because things like Automatic
Outbound NAT will have to be switched to manual first and subsequently manually
updated.
I am not using gateway-groups/multi-WAN and removing the default gateway
from the WAN interface configuration indeed leaves the default gateway
in the routing table intact and now I can traceroute successfully to
10.127.128.1
Thanks!
Otherwise, you can bypass reply-to by checking that box in the rules that pass
the traffic into WAN.
Bypassing route-to is a little more complicated and requires floating rules in
the outbound direction that match the traffic (destination 10.127.128.0/24
would probably suffice) without a gateway set (the default route selected).
Even better would probably be to put the second router on a separate transit
interface on pfSense instead of hanging it out on WAN, if possible.
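A small model of the precedence described in the replies above, added here as an illustration (it is not part of the thread and not pfSense's own code): a route-to tag on the WAN rule wins over the kernel routing table, while removing the gateway from WAN, or placing a floating outbound rule without a gateway ahead of it, lets the static route decide. The rule set is a simplified stand-in for pfSense's generated rules (assumed shape); the FIB entries are the two gateway routes from the netstat output in the thread.

```python
import ipaddress

# Gateway routes as shown by "netstat -rn4" in the thread.
FIB = {
    "default": "192.168.105.254",
    "10.127.128.0/24": "192.168.105.234",
}


def fib_lookup(dst, fib=FIB):
    """Longest-prefix match, i.e. what the kernel does when no route-to applies."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in fib.items():
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def next_hop(dst, rules, fib=FIB):
    """First matching rule wins (pfSense rules are 'quick'). A rule carrying
    route-to forces its gateway; a rule without one falls through to the FIB.
    Assumed model: rules match on destination only."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["to"]):
            return rule["route_to"] or fib_lookup(dst, fib)
    return fib_lookup(dst, fib)


# Scenario 1: WAN has a gateway set, so outbound traffic is tagged with route-to.
WAN_WITH_GATEWAY = [{"to": "0.0.0.0/0", "route_to": "192.168.105.254"}]
# Scenario 2: gateway removed from the WAN interface config; no route-to at all.
WAN_NO_GATEWAY = [{"to": "0.0.0.0/0", "route_to": None}]
# Scenario 3: floating outbound rule for 10.127.128.0/24 with no gateway,
# evaluated before the WAN rule that carries route-to.
FLOATING_BYPASS = [{"to": "10.127.128.0/24", "route_to": None}] + WAN_WITH_GATEWAY

if __name__ == "__main__":
    for name, rules in (("gateway on WAN", WAN_WITH_GATEWAY),
                        ("gateway removed", WAN_NO_GATEWAY),
                        ("floating bypass", FLOATING_BYPASS)):
        print(f"{name:16} 10.127.128.1 -> {next_hop('10.127.128.1', rules)}")
```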
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold