Hi,

WAN: 192.168.105.50 (block private nets not checked),
     def gw 192.168.105.254
LAN: 192.168.158.254/24

I have a route to 10.127.128.0/24 over 192.168.105.234, so

- I add 192.168.105.234 as an extra gateway on WAN
- I add a static route for 10.127.128.0/24 over 192.168.105.234

and packets still go to the .254:

[2.3.4-RELEASE][admin@pfsense01]/root: traceroute -In 10.127.128.1
traceroute to 10.127.128.1 (10.127.128.1), 64 hops max, 48 byte packets
  1  192.168.105.254  1.013 ms  0.536 ms  0.579 ms
  2  next outside hop etc...

My ipv4 routing table:

[2.3.4-RELEASE][admin@pfsense01]/root: netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            192.168.105.254    UGS         em0
10.127.128.0/24    192.168.105.234    UGS         em0
127.0.0.1          link#8             UH          lo0
192.168.105.0/24   link#1             U           em0
192.168.105.50     link#1             UHS         lo0
192.168.158.0/24   link#4             U           em3
192.168.158.254    link#4             UHS         lo0



I don't get it. Does anyone?

Yes.

WANs (interfaces with gateways set on the interface configuration) are treated 
specially. Outgoing connections are flagged with route-to and incoming 
connections are flagged with reply-to.

There are techniques to bypass route-to and reply-to but if you are not using 
gateway groups/multi-wan, the easiest thing might be to just remove the gateway 
from the WAN interface configuration. The gateway will still be there, and 
marked as default. Care will have to be taken because things like Automatic 
Outbound NAT will have to be switched to manual first and subsequently manually 
updated.

I am not using gateway groups/multi-WAN, and removing the default gateway from the WAN interface configuration indeed leaves the default gateway in the routing table intact; now I can traceroute successfully to 10.127.128.1.

Thanks!



Otherwise, you can bypass reply-to by checking that box in the rules that pass 
the traffic into WAN.

Bypassing route-to is a little more complicated and requires floating rules in 
the outbound direction that match the traffic (destination 10.127.128.0/24 
would probably suffice) without a gateway set (the default route selected).

Even better would probably be to put the second router on a separate transit 
interface on pfSense instead of hanging it out on WAN, if possible.
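To make the route-to/reply-to behaviour described in the two replies above concrete, here is a constructed pf.conf excerpt. It is an added illustration, not pfSense's actual generated ruleset and not code from anyone in this thread. It assumes the addresses from the original post (WAN em0 at 192.168.105.50 with interface gateway 192.168.105.254, second router 192.168.105.234, LAN em3) and a hypothetical inbound HTTPS rule on WAN; the tracker numbers and labels pfSense normally adds are omitted.

```pf
# Constructed example. Assumes WAN = em0 (192.168.105.50, interface gateway
# 192.168.105.254), second router 192.168.105.234 on the same segment.

# Inbound WAN rule with reply-to: reply packets of any connection that arrived
# on em0 are handed back to 192.168.105.254, whatever the routing table says.
pass in quick on em0 reply-to ( em0 192.168.105.254 ) inet proto tcp \
    from any to 192.168.105.50 port 443 keep state

# Outbound rule with route-to: connections originating on the firewall and
# leaving via em0 are pinned to 192.168.105.254. This is why the static route
# for 10.127.128.0/24 via 192.168.105.234 in `netstat -rn4` is never consulted.
pass out route-to ( em0 192.168.105.254 ) inet from 192.168.105.50 \
    to ! 192.168.105.0/24 keep state

# Bypass for one destination: a floating rule in the out direction that
# matches the traffic and carries NO route-to (no gateway selected). In pf the
# last matching rule wins (or the first one marked quick), so this rule must
# be the one that wins for 10.127.128.0/24; the packet then follows the
# routing table and goes out via 192.168.105.234.
pass out quick on em0 inet from any to 10.127.128.0/24 keep state
```

The inbound equivalent of the last rule is the "disable reply-to" checkbox on the WAN pass rule mentioned above: it simply omits the `reply-to ( ... )` clause, so replies are routed normally. Verifying which rule a flow actually hit is done with `pfctl -sr` (to see whether the winning rule carries route-to) and `pfctl -ss` for the state entries.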


_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
