Project

General

Profile

Actions
Copy link

Bug #12630

closed

States are always created on the default gateway interface.

Added by Marcos M over 2 years ago. Updated over 2 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Operating System
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Tested on 21.05 and 22.01.b.20211220.0600.

When a service (like OpenVPN) binds to a specific IP, the states always get created on the interface of the default gateway rather than the interface for which the IP belongs to.

  1. Set up 2 WAN interfaces for testing. Keep WAN1 as default gateway.
  2. Start a ping using WAN2: ping -S 192.0.2.242 198.51.100.2

WAN Interfaces:

vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: WAN1
    options=e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    capabilities=f507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:50:56:b2:3c:91
    inet6 fe80::250:56ff:feb2:3c91%vmx1 prefixlen 64 scopeid 0x2
    inet 192.0.2.2 netmask 0xfffffff0 broadcast 192.0.2.15
    inet 192.0.2.4 netmask 0xfffffff0 broadcast 192.0.2.15 vhid 4
    carp: MASTER vhid 4 advbase 1 advskew 0
    media: Ethernet autoselect
    status: active
    supported media:
        media autoselect
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[...]
vmx3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: WAN2
    options=e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    capabilities=f507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:50:56:b2:06:44
    inet6 fe80::250:56ff:feb2:644%vmx3 prefixlen 64 scopeid 0x4
    inet 192.0.2.242 netmask 0xfffffff0 broadcast 192.0.2.255
    inet 192.0.2.244 netmask 0xfffffff0 broadcast 192.0.2.255 vhid 6
    carp: MASTER vhid 6 advbase 1 advskew 0
    media: Ethernet autoselect
    status: active
    supported media:
        media autoselect
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

netstat -rn4

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS        vmx1
10.254.1.0/30      link#3             U          vmx2
10.254.1.1         link#3             UHS         lo0
10.255.5.1         link#7             UH          lo0
127.0.0.1          link#7             UH          lo0
172.19.1.0/24      link#5             U          vmx4
172.19.1.1         link#5             UHS         lo0
172.19.1.3         link#5             UHS         lo0
172.19.2.0/24      link#1             U          vmx0
172.19.2.1         link#1             UHS         lo0
172.19.2.3         link#1             UHS         lo0
192.0.2.0/28       link#2             U          vmx1
192.0.2.2          link#2             UHS         lo0
192.0.2.4          link#2             UHS         lo0
192.0.2.240/28     link#4             U          vmx3
192.0.2.242        link#4             UHS         lo0
192.0.2.244        link#4             UHS         lo0

pfctl -vvss

all icmp 192.0.2.242:54170 -> 198.51.100.2:54170       0:0
   age 00:00:11, expires in 00:00:09, 11:11 pkts, 924:924 bytes, rule 102
   id: bf7ec36100000000 creatorid: 104b3718 gateway: 192.0.2.241
   origif: vmx1

pfctl -vvsr

@102(0) pass out route-to (vmx3 192.0.2.241) inet from 192.0.2.242 to ! 192.0.2.240/28 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000006963
  [ Evaluations: 245       Packets: 131       Bytes: 10980       States: 1     ]
  [ Inserted: pid 59836 State Creations: 2     ]

Related issues

Related to Regression #13420: TCP traffic sourced from the firewall can only use the default gatewayResolvedKristof Provost

Actions
Related to Todo #15173: Add global option to set default PF State Policy (if-bound vs floating)ResolvedJim Pingle

Actions
Actions
Copy link
 #1

Updated by Marcos M over 2 years ago

Maybe this is related? #10513

Actions
Copy link
 #2

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug

This is the expected behavior. The outgoing interface is chosen by the operating system routing table and can't be influenced by pf. Adjustments made by pf using route-to and so on would still have states on whatever interface was chosen by the OS as that's where the packet attempted to exit first.

Actions
Copy link
 #3

Updated by Marcos M over 1 year ago

  • Related to Regression #13420: TCP traffic sourced from the firewall can only use the default gateway added
Actions
Copy link
 #4

Updated by Marcos M 3 months ago

  • Related to Todo #15220: Handle ``route-to`` and ``reply-to`` states when using the ``if-bound`` state policy added
Actions
Copy link
 #5

Updated by Marcos M 3 months ago

  • Related to Todo #15173: Add global option to set default PF State Policy (if-bound vs floating) added
Actions
Copy link
 #6

Updated by Marcos M 3 months ago

  • Related to deleted (Todo #15220: Handle ``route-to`` and ``reply-to`` states when using the ``if-bound`` state policy)
Actions
Copy link

Also available in: Atom PDF