Bug #10706

OpenVPN routes are removed by disabled static route entries

Added by Christian Fertig 4 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: Routing
Target version: -
Start date: 06/26/2020
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture: All

Description

Hi,

this is the ticket for this forum post https://forum.netgate.com/topic/149330/disabled-static-route-deletes-openvpn-s-routes/4

After starting an OpenVPN connection, the routes to the target network are removed after ~5s from the routing table, if they exist as a disabled static route in the pfSense.

Expected behaviour: if something is disabled ignore it. Disabled routes should not have impact on the VPN.

Steps to reproduce:

- Have a working OpenVPN Connection

- create a static route to the VPN target network
  check the disable route checkbox

- while observing the routing table:

  • stop OpenVPN (no route to the target network obviously)
  • start OpenVPN (route exists for about 5s, in my case it's a server pushed route, then it disappears)

History

#1 Updated by Christian Fertig 4 months ago

In my case test system is a SG-3100 with 2.4.5-RELEASE-p1 (arm)

#2 Updated by Jim Pingle 4 months ago

  • Category set to Routing
  • Status changed from New to Not a Bug

You shouldn't have static routes for OpenVPN networks, they have to be managed by OpenVPN.

Disabled routes are cleared to ensure that they are removed properly.

You are basically giving the router conflicting information, that you do and do not want the route, in separate areas, and there isn't a reliable way for the static route code to account for all routes in OpenVPN since they could be in the correct fields, custom options, or pushed from remote sources.

There is nothing actionable here. Remove the routes, don't disable them.

#3 Updated by Christian Fertig 4 months ago

Jim Pingle wrote:

> You shouldn't have static routes for OpenVPN networks, they have to be managed by OpenVPN.

I talked about a route to another gateway from which I was migrating my OpenVPN. Never talked about an OpenVPN static route, when OpenVPN service was running on the pfSense. In this case I disabled the route.

> Disabled routes are cleared to ensure that they are removed properly.
>
> You are basically giving the router conflicting information, that you do and do not want the route, in separate areas, and there isn't a reliable way for the static route code to account for all routes in OpenVPN since they could be in the correct fields, custom options, or pushed from remote sources.
>
> There is nothing actionable here. Remove the routes, don't disable them.

I think this is completely inconsistent behaviour.
The help text claims "Set this option to disable this static route without removing it from the list.". Everyone would expect here, that you could temporarily disable a route without removing it and that it would not have any side effects like "extra clearing". One would just think "this is a rule in the GUI, which is disabled.". It's even grayed out. It's like a firewall rule, which is temporarily disabled.

I've got a disabled static route to an ipsec network too - this route exists in the routing table and is not cleared.

#4 Updated by Steve Wheeler about 1 month ago

  • Status changed from Not a Bug to New

If a static route is disabled at run-time it is reasonable to expect it to be removed from the system routing table. If that conflicts with OpenVPN then you will see problems until OpenVPN is restarted and re-adds the routes. That is the expected behaviour.

What seems unreasonable here is that disabled static routes do anything at all at boot. I would not expect it to conflict with anything at that point.

If that is the expected behaviour it should probably at least be noted on the static routes page.
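
An added example, not part of the ticket or of pfSense's own code: a Python check that lists disabled static routes in a config.xml export which overlap networks OpenVPN is expected to install, the condition this ticket describes. The `<staticroutes>/<route>` layout with `<network>`, `<descr>` and an empty `<disabled>` marker is an assumption about the export format, the function name and sample data are constructed, and overlap is a broader test than the exact-match case reported above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the ticket. Assumed layout: static routes
# sit under <staticroutes><route>; a disabled entry carries a <disabled> element.
SAMPLE_CONFIG = """<pfsense>
  <staticroutes>
    <route><network>10.20.0.0/16</network><gateway>OLD_VPN_GW</gateway><descr>old VPN gateway</descr><disabled></disabled></route>
    <route><network>192.168.50.0/24</network><gateway>LAN_GW</gateway><descr>lab</descr></route>
    <route><network>172.16.9.0/24</network><gateway>OLD_GW</gateway><descr>unrelated, disabled</descr><disabled></disabled></route>
  </staticroutes>
</pfsense>"""


def disabled_route_conflicts(config_xml, vpn_networks):
    """Return (static_network, vpn_network, descr) for every disabled static
    route that overlaps a network OpenVPN is expected to install.

    vpn_networks is supplied by the operator (CIDR strings), because
    server-pushed routes do not appear in the local configuration."""
    vpn_nets = [ipaddress.ip_network(n, strict=False) for n in vpn_networks]
    conflicts = []
    for route in ET.fromstring(config_xml).iterfind("./staticroutes/route"):
        if route.find("disabled") is None:
            continue  # enabled entries are out of scope for this check
        text = (route.findtext("network") or "").strip()
        try:
            static_net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            continue  # alias name or empty value: cannot be compared as CIDR
        for vpn_net in vpn_nets:
            # Compare only within the same address family (IPv4 vs IPv6).
            if static_net.version == vpn_net.version and static_net.overlaps(vpn_net):
                descr = (route.findtext("descr") or "").strip()
                conflicts.append((str(static_net), str(vpn_net), descr))
    return conflicts


if __name__ == "__main__":
    expected_vpn_routes = ["10.20.30.0/24", "10.99.0.0/24"]  # constructed
    for static_net, vpn_net, descr in disabled_route_conflicts(
            SAMPLE_CONFIG, expected_vpn_routes):
        print(f"disabled static route {static_net} ({descr}) "
              f"overlaps VPN route {vpn_net}")
```

Any entry it reports is a candidate for deletion rather than disabling, which is the workaround given in comment #2.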
