Bug #10706

closed

Kernel route table entries are removed if they match disabled static route entries

Added by Christian Fertig over 3 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: Routing
Target version:
Start date: 06/26/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

Hi,

this is the ticket for this forum post https://forum.netgate.com/topic/149330/disabled-static-route-deletes-openvpn-s-routes/4

After starting an OpenVPN connection, the routes to the target network are removed after ~5s from the routing table, if they exist as a disabled static route in the pfSense.

Expected behaviour: if something is disabled ignore it. Disabled routes should not have impact on the VPN.

Steps to reproduce:

- Have a working OpenVPN Connection

- create a static route to the vpn target network

- check the disable route checkbox

- while observing the routing table:

  • stop OpenVPN (no route to the target network obviously)
  • start OpenVPN (route exists for about 5s, in my case it's a server pushed route, then it disappears)

Actions #1

Updated by Christian Fertig over 3 years ago

In my case test system is a SG-3100 with 2.4.5-RELEASE-p1 (arm)

Actions #2

Updated by Jim Pingle over 3 years ago

  • Category set to Routing
  • Status changed from New to Not a Bug

You shouldn't have static routes for OpenVPN networks, they have to be managed by OpenVPN.

Disabled routes are cleared to ensure that they are removed properly.

You are basically giving the router conflicting information, that you do and do not want the route, in separate areas, and there isn't a reliable way for the static route code to account for all routes in OpenVPN since they could be in the correct fields, custom options, or pushed from remote sources.

There is nothing actionable here. Remove the routes, don't disable them.

Actions #3

Updated by Christian Fertig over 3 years ago

Jim Pingle wrote:

> You shouldn't have static routes for OpenVPN networks, they have to be managed by OpenVPN.

I talked about a route to another gateway from which I was migrating my OpenVPN. Never talked about an OpenVPN static route, when OpenVPN service was running on the pfSense. In this case I disabled the route.

> Disabled routes are cleared to ensure that they are removed properly.
>
> You are basically giving the router conflicting information, that you do and do not want the route, in separate areas, and there isn't a reliable way for the static route code to account for all routes in OpenVPN since they could be in the correct fields, custom options, or pushed from remote sources.
>
> There is nothing actionable here. Remove the routes, don't disable them.

I think this is completely inconsistent behaviour.
The help text claims "Set this option to disable this static route without removing it from the list.". Everyone would expect here, that you could temporarily disable a route without removing it and that it would not have any side effects like "extra clearing". One would just think "this is a rule in the GUI, which is disabled.". It's even grayed out. It's like a firewall rule, which is temporarily disabled.

I've got a disabled static route to an ipsec network too - this route exists in the routing table and is not cleared.

Actions #4

Updated by Steve Wheeler over 3 years ago

  • Status changed from Not a Bug to New

If a static route is disabled at run-time it is reasonable to expect it to be removed from the system routing table. If that conflicts with OpenVPN then you will see problems until OpenVPN is restarted and re-adds the routes. That is the expected behaviour.

What seems unreasonable here is that disabled static routes do anything at all at boot. I would not expect it to conflict with anything at that point.

If that is the expected behaviour it should probably at least be noted on the static routes page.

Actions #5

Updated by Viktor Gurov about 3 years ago

see also #3709

Actions #7

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
Actions #8

Updated by Anonymous over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #9

Updated by Viktor Gurov over 2 years ago

  • Assignee set to Viktor Gurov
Actions #10

Updated by Jim Pingle over 2 years ago

  • Plus Target Version set to 22.01
Actions #11

Updated by Jim Pingle over 2 years ago

  • Subject changed from OpenVPN routes are removed by disabled static route entries to Kernel route table entries are removed if they match disabled static route entries

Updating subject for release notes.

It's not specific to OpenVPN, routes from any other source could be impacted.

Actions #12

Updated by Marcos M about 2 years ago

  • Status changed from Feedback to Resolved

Tested on 22.01-RELEASE. Disabled routes do not get removed when OpenVPN adds them. Though if they are enabled and re-disabled, they do get removed - this is expected however.
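
An added example, not part of this ticket or of pfSense's own code: a check for systems running a version affected by this bug, flagging kernel routes whose destination exactly matches a disabled static route entry. The config.xml element names (`staticroutes`, `route`, `network`, `disabled`), the netstat column layout and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element names are assumed to follow pfSense's config.xml layout.
SAMPLE_CONFIG = """<pfsense><staticroutes>
  <route><network>10.8.0.0/24</network><gateway>OLDVPN_GW</gateway><disabled></disabled></route>
  <route><network>192.168.50.0/24</network><gateway>LAN_GW</gateway></route>
  <route><network>172.16.9.0/24</network><gateway>OLDVPN_GW</gateway><disabled></disabled></route>
</staticroutes></pfsense>"""

# Constructed FreeBSD-style `netstat -rn -f inet` output.
SAMPLE_NETSTAT = """Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS      mvneta2
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
192.168.50.0/24    192.168.1.254      UGS      mvneta1
127.0.0.1          link#4             UH          lo0
"""

def disabled_static_networks(config_xml):
    """Return the networks of static routes that carry a <disabled> element."""
    root = ET.fromstring(config_xml)
    nets = []
    for route in root.findall("./staticroutes/route"):
        if route.find("disabled") is not None:
            nets.append(ipaddress.ip_network(route.findtext("network").strip(), strict=False))
    return nets

def kernel_routes(netstat_text):
    """Parse (network, gateway, interface) tuples from netstat -rn style lines."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Destination", "default"):
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # not a destination row (e.g. a section header)
        routes.append((net, fields[1], fields[3]))
    return routes

def at_risk_routes(config_xml, netstat_text):
    """Kernel routes that exactly match a disabled static route entry."""
    disabled = set(disabled_static_networks(config_xml))
    return [(str(n), gw, ifc) for n, gw, ifc in kernel_routes(netstat_text) if n in disabled]

if __name__ == "__main__":
    for net, gw, ifc in at_risk_routes(SAMPLE_CONFIG, SAMPLE_NETSTAT):
        print(f"{net} via {gw} on {ifc} matches a disabled static route")
```
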
