Bug #10706
closed
Kernel route table entries are removed if they match disabled static route entries
100%
Description
Hi,
this is the ticket for this forum post https://forum.netgate.com/topic/149330/disabled-static-route-deletes-openvpn-s-routes/4
After starting an OpenVPN connection, the routes to the target network are removed after ~5s from the routing table, if they exist as a disabled static route in the pfSense.
Expected behaviour: if something is disabled ignore it. Disabled routes should not have impact on the VPN.
Steps to reproduce:
- Have a working OpenVPN Connection
- create a static route to the vpn target network
- check the disable route checkbox
- while observing the routing table:
  - stop OpenVPN (no route to the target network obviously)
  - start OpenVPN (route exists for about 5s, in my case it's a server pushed route, then it disappears)
Updated by Christian Fertig over 4 years ago
In my case the test system is an SG-3100 with 2.4.5-RELEASE-p1 (arm)
Updated by Jim Pingle over 4 years ago
- Category set to Routing
- Status changed from New to Not a Bug
You shouldn't have static routes for OpenVPN networks, they have to be managed by OpenVPN.
Disabled routes are cleared to ensure that they are removed properly.
You are basically giving the router conflicting information, that you do and do not want the route, in separate areas, and there isn't a reliable way for the static route code to account for all routes in OpenVPN since they could be in the correct fields, custom options, or pushed from remote sources.
There is nothing actionable here. Remove the routes, don't disable them.
Updated by Christian Fertig over 4 years ago
Jim Pingle wrote:
> You shouldn't have static routes for OpenVPN networks, they have to be managed by OpenVPN.

I talked about a route to another gateway from which I was migrating my OpenVPN. Never talked about an OpenVPN static route, when OpenVPN service was running on the pfSense. In this case I disabled the route.

> Disabled routes are cleared to ensure that they are removed properly.
> You are basically giving the router conflicting information, that you do and do not want the route, in separate areas, and there isn't a reliable way for the static route code to account for all routes in OpenVPN since they could be in the correct fields, custom options, or pushed from remote sources.
> There is nothing actionable here. Remove the routes, don't disable them.

I think this is completely inconsistent behaviour.
The help text claims "Set this option to disable this static route without removing it from the list.". Everyone would expect here, that you could temporarily disable a route without removing it and that it would not have any side effects like "extra clearing". One would just think "this is a rule in the GUI, which is disabled.". It's even grayed out. It's like a firewall rule, which is temporarily disabled.
I've got a disabled static route to an IPsec network too - this route exists in the routing table and is not cleared.
Updated by Steve Wheeler over 4 years ago
- Status changed from Not a Bug to New
If a static route is disabled at run-time it is reasonable to expect it to be removed from the system routing table. If that conflicts with OpenVPN then you will see problems until OpenVPN is restarted and re-adds the routes. That is the expected behaviour.
What seems unreasonable here is that disabled static routes do anything at all at boot. I would not expect it to conflict with anything at that point.
If that is the expected behaviour it should probably at least be noted on the static routes page.
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.6.0
Updated by Anonymous over 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset c5bda432e875750e1be03fb82a3cfc0684cb382a.
Updated by Jim Pingle about 3 years ago
- Subject changed from OpenVPN routes are removed by disabled static route entries to Kernel route table entries are removed if they match disabled static route entries
Updating subject for release notes.
It's not specific to OpenVPN, routes from any other source could be impacted.
Updated by Marcos M almost 3 years ago
- Status changed from Feedback to Resolved
Tested on 22.01-RELEASE. Disabled routes do not get removed when OpenVPN adds them. Though if they are enabled and re-disabled, they do get removed - this is expected however.
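An added example, not part of the ticket and not pfSense code: an audit for a release without the fix that lists disabled static routes whose destination exactly matches a route currently in the kernel table, which is the condition described in the subject. The `config.xml` layout (`<staticroutes>/<route>` with `<network>`, `<gateway>` and an empty `<disabled>` element) is an assumption, and the sample config, gateway names and route list are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element layout is assumed, not copied from the ticket.
SAMPLE_CONFIG = """<pfsense>
  <staticroutes>
    <route><network>10.20.0.0/16</network><gateway>LANGW</gateway></route>
    <route><network>192.168.50.0/24</network><gateway>OLDGW</gateway>
           <disabled></disabled></route>
    <route><network>10.99.0.0/24</network><gateway>OLDGW</gateway>
           <disabled></disabled></route>
  </staticroutes>
</pfsense>"""

# Constructed destination column, as it might be copied from `netstat -rn`.
SAMPLE_KERNEL_ROUTES = ["default", "10.8.0.0/24", "192.168.50.0/24", "10.20.0.0/16"]


def parse_net(text):
    """Return an ip_network, or None for entries such as 'default'."""
    try:
        return ipaddress.ip_network((text or "").strip(), strict=False)
    except ValueError:
        return None


def disabled_static_routes(config_xml):
    """Yield (network, gateway) for every static route marked disabled."""
    root = ET.fromstring(config_xml)
    for route in root.findall("./staticroutes/route"):
        # An empty element is falsy in ElementTree, so test against None.
        if route.find("disabled") is None:
            continue
        net = parse_net(route.findtext("network"))
        if net is not None:
            yield net, route.findtext("gateway", default="")


def conflicting_routes(config_xml, kernel_destinations):
    """Disabled static routes whose destination is present in the kernel table."""
    kernel = {n for n in map(parse_net, kernel_destinations) if n is not None}
    return [(str(net), gw)
            for net, gw in disabled_static_routes(config_xml) if net in kernel]


if __name__ == "__main__":
    for net, gw in conflicting_routes(SAMPLE_CONFIG, SAMPLE_KERNEL_ROUTES):
        print(f"disabled static route {net} via {gw} matches a live kernel route")
```

Entries it reports are candidates for removal rather than disabling, as advised earlier in the ticket.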