https://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162022-01-17T07:27:57ZpfSense bugtrackerpfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=583812022-01-17T07:27:57ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li></ul> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=594582022-03-03T08:54:49ZJim Pingle
<ul><li><strong>Target version</strong> set to <i>2.7.0</i></li><li><strong>Plus Target Version</strong> set to <i>22.05</i></li></ul> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=594862022-03-04T07:30:24ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul><p>PR merged, thanks!</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595252022-03-05T07:54:39ZViktor Gurov
<ul><li><strong>File</strong> <a href="/attachments/4073">Screenshot from 2022-03-05 16-52-57.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/4073/Screenshot%20from%202022-03-05%2016-52-57.png">Screenshot from 2022-03-05 16-52-57.png</a> added</li><li><strong>Status</strong> changed from <i>Feedback</i> to <i>New</i></li></ul><p>after this merge, the "Gateway Edit Page" has double content</p>
<p>fix:<br /><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/656">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/656</a></p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595272022-03-05T09:03:01Z→ luckman212luke.hamburg@gmail.com
<ul></ul><p>Thanks Viktor! Ouch, I don't know how I missed that.</p>
<p>I can't see the private gitlab but I assume you just removed the extra <code>$form->add($section);</code> from L236 right?</p>
<p>e.g.<br /><a class="external" href="https://github.com/luckman212/pfsense/compare/dd965531e98962545f6cc4cf461f5089f27da283..316f83da8d1794abfeb809c17e73ba0cc333d3cd">https://github.com/luckman212/pfsense/compare/dd965531e98962545f6cc4cf461f5089f27da283..316f83da8d1794abfeb809c17e73ba0cc333d3cd</a></p>
<p>I posted a <a href="https://github.com/pfsense/pfsense/pull/4551#issue-1104185037" class="external">large warning note</a> on the original PR#4551 explaining to back out that patch and use the new commit instead, in case anyone had manually added it.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595302022-03-05T09:13:19ZViktor Gurov
<ul></ul><p>→ luckman212 wrote in <a href="#note-5">#note-5</a>:</p>
<blockquote>
<p>Thanks Viktor! Ouch, I don't know how I missed that.</p>
<p>I can't see the private gitlab but I assume you just removed the extra <code>$form->add($section);</code> from L236 right?</p>
</blockquote>
<p>Right<br />You'll see this change after merging</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595342022-03-05T10:02:15ZFlole Systems
<ul></ul><p>With this change it should be possible to set the same monitor IP on multiple different gateways, right? The GUI isn't allowing that though.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595352022-03-05T10:11:46ZFlole Systems
<ul></ul><p>Also I tried to enable this option for all my Gateways now but the static routes are still there. So it looks like that applying the gateway changes doesn't remove previously created routes properly? I can't seem to find a codepath for that either</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595372022-03-05T10:23:03Z→ luckman212luke.hamburg@gmail.com
<ul></ul><p><a class="user active" href="https://redmine.pfsense.org/users/6873">Flole Systems</a> Systems you're right that in theory you should be able to use the same monitor IP for multiple gateways after applying this change. I didn't consider that but I will test a patch and see if it works properly.</p>
<p>As far as removing the static routes, you're also right about that - after applying this change, currently a reboot is required. It should probably be stated in the GUI somewhere. I'm going to experiment with a better version of this patch that removes the static route without requiring a reboot.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595382022-03-05T10:42:31ZFlole Systems
<ul></ul><p>Wow thanks, that was a fast response! I think you simply need to check if the option is set for the current gateway or for all gateways and then just omit that monitor address check for this gateway, I think it's as simple as that.</p>
<p>If a reboot can somehow be avoided that should be done, rebooting a firewall is really no fun ;) I think you can do something similar to <a class="external" href="https://github.com/luckman212/pfsense/blob/dd965531e98962545f6cc4cf461f5089f27da283/src/etc/inc/gwlb.inc#L2115">https://github.com/luckman212/pfsense/blob/dd965531e98962545f6cc4cf461f5089f27da283/src/etc/inc/gwlb.inc#L2115</a>, so if it was disabled and is now enabled remove the routes. Don't forget that this needs to happen for the global option aswell. If that is changed there doesn't seem to be the necessary "reload all gateways and create/delete the necessary routes" either?</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595642022-03-07T07:41:13ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li></ul><p>Adding cleanup for routes when activating the option should probably get filed under a separate request, since this is working as originally intended by stopping the routes from being created on future attempts.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595682022-03-07T07:53:13Z→ luckman212luke.hamburg@gmail.com
<ul></ul><p><a class="user active" href="https://redmine.pfsense.org/users/10">Jim Pingle</a> I was going to open a new PR for the additional 2 changes:</p>
<p>1) allow same monitor IP to be used across multiple gateways<br />2) add/delete routes without requiring a reboot, if setting change requires it</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595732022-03-07T08:45:01ZJim Pingle
<ul></ul><p>#1 should definitely be in its own separate PR with its own feature request. I'm not sure that's viable even without static routes as the traffic will likely flow out the default gateway without the routes in place. Even if the outbound floating rules nudge it with route-to out another interface it still hits the default gw interface first, so it may not work as intended. It will need heavy testing to ensure it's doing the right thing in each case. And that said, using the same monitor IP address on multiple interfaces is of dubious use anyhow given there are so many valid choices to use for monitor addresses in the world.</p>
<p>I'd still put <a class="issue tracker-1 status-3 priority-4 priority-default closed parent" title="Bug: Gateway not added when switching from DHCP to static (Resolved)" href="https://redmine.pfsense.org/issues/2">#2</a> in a separate redmine issue as well so this can be tested separately.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595742022-03-07T08:55:49ZFlole Systems
<ul></ul><p>dpinger binds itself to an interface, the routing table is never used since dpinger makes that decision. I am sometimes using dpinger with the monitoring section (under status, the one with the graphs) to compare the latency and packet loss for multiple gateways, so ideally they all have the same monitoring IP so that the results are actually comparable. Especially when there's packet loss on a route.</p>
<p>Also we just got rid of the routing rules (that's what this is all about), so if it causes issues (like traffic taking the default route) then they should have been tested and detected before this was merged.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595752022-03-07T09:01:32ZJim Pingle
<ul></ul><p>Flole Systems wrote in <a href="#note-14">#note-14</a>:</p>
<blockquote>
<p>dpinger binds itself to an interface, the routing table is never used since dpinger makes that decision.</p>
</blockquote>
<p>Just because it binds to an interface does not mean a packet exits that interface. It still follows the routing table.</p>
<blockquote>
<p>I am sometimes using dpinger with the monitoring section (under status, the one with the graphs) to compare the latency and packet loss for multiple gateways, so ideally they all have the same monitoring IP so that the results are actually comparable. Especially when there's packet loss on a route.</p>
</blockquote>
<p>It makes more sense to use multiple addresses at the same destination network with static routes than the exact same address and rely on binding. In theory your method may sound good but in practice I don't see it having the intended result. It may appear to work short term but when tested thoroughly it's not likely to withstand real-world scrutiny.</p>
<blockquote>
<p>Also we just got rid of the routing rules (that's what this is all about), so if it causes issues (like traffic taking the default route) then they should have been tested and detected before this was merged.</p>
</blockquote>
<p>That is unrelated to this request as it's just one of several possible use cases for the option.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595782022-03-07T10:16:29ZFlole Systems
<ul></ul><p>Uhm, this PR gets rid of the entries in the routing table. If that's a problem then this shouldn't have been merged.</p>
<p>Binding to an interfaces ignores the interface preferences of the routing table, so even if the routing table would route the packets through a different interface then binding to another interface bypasses that.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=595792022-03-07T10:21:02ZJim Pingle
<ul></ul><p>Flole Systems wrote in <a href="#note-16">#note-16</a>:</p>
<blockquote>
<p>Uhm, this PR gets rid of the entries in the routing table. If that's a problem then this shouldn't have been merged.</p>
</blockquote>
<p>As I said there are multiple use cases which may benefit. Someone may manage the routes another way (manually via static routes, a dynamic routing protocol, etc), or they may have a use case that doesn't require the routes and they conflict somehow.</p>
<blockquote>
<p>Binding to an interfaces ignores the interface preferences of the routing table, so even if the routing table would route the packets through a different interface then binding to another interface bypasses that.</p>
</blockquote>
<p>Binding to an interface does not change routing. It only changes the source address of the packets. If you bind a service to LAN and it tries to send out a packet to an Internet host, it will exit the default gateway.</p>
<p>We have automatic route-to rules in place outbound on the WANs which attempt to nudge traffic out the expected path so in most cases this will appear to work as intended but with some side effects. For example the packet will hit outbound floating rules on the default gateway WAN even if it's supposed to exit a different WAN. If it doesn't match floating rules, it will hit the automatic rules with route-to and egress as expected and the user doesn't typically have to care about that -- but it still happens. If there is no default gateway the packets may not exit any interface no matter the binding.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=607392022-04-26T21:38:22ZKristopher Kolpin
<ul></ul><p>The OP's original concern also pops up when using a single physical WAN with multiple PPPoE sessions. Some ISPs allow multiple PPPoE sessions (up to 5 in some cases) as a way to grab additional dynamic "public" IPs. In this situation other problems arise such as the default gateway being the same for all additional public IPs. This in an of itself is fine. However, it breaks dpinger. An error message is returned saying that the dpinger IP is already in use. So, it would seem the automatic route-out rules break in this situation. One might then think, "I'll just use 8.8.8.8 to ping gateway status." Well, that then breaks any other device on the LAN pinging 8.8.8.8. Which leads us back to the OP's original concern.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=612252022-05-17T14:19:28ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li></ul><p>PR was merged two months ago.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=612962022-05-20T15:04:07ZJim Pingle
<ul><li><strong>Subject</strong> changed from <i>Add option to disable auto-addition of static routes for dpinger</i> to <i>Option to disable auto-addition of static routes for ``dpinger``</i></li></ul><p>Updating subject for release notes.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=615272022-05-31T12:04:57ZChris Linstruth
<ul></ul><p>This tested OK to me. Note that I only tested the checkbox in on the gateway, since it looks like the other subjects were not included in this ticket.</p>
<p>Tested the setting persisted across reboots.</p>
<p>The route is added when the checkbox is checked and saved but it is not removed when it is unchecked and saved. The route is removed if there is a quick edit/save on WAN after unchecking/saving or a reboot. It looks like this is the expected behavior.</p>
<p>I'd call it good.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=615392022-05-31T12:46:45Z→ luckman212luke.hamburg@gmail.com
<ul></ul><p>I have a new PR almost ready that dynamically adds/removes the static routes when the checkbox is changed without requiring a reboot (as requested by <a class="user active" href="https://redmine.pfsense.org/users/6873">Flole Systems</a>)</p>
<p>I know 22.05 (.06?) is imminent so I wasn't sure whether to try to push that now or wait until after.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=615462022-05-31T13:19:01ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>That would have to wait for the next release, make a new feature request issue with a link back to this one to track that.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=616242022-06-01T13:37:59ZJim Pingle
<ul></ul><p>Needed one more fix: <a class="external" href="https://github.com/pfsense/pfsense/pull/4590">https://github.com/pfsense/pfsense/pull/4590</a></p>
<p>That may not make it into 22.05 at this point. If not we can re-target this at 22.09.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=616252022-06-01T13:46:33ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Feedback</i></li></ul> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=616412022-06-02T09:34:20Z→ luckman212luke.hamburg@gmail.com
<ul></ul><p><a class="user active" href="https://redmine.pfsense.org/users/6873">Flole Systems</a> please test with the updated version of this patch if you have the time: <a class="external" href="https://github.com/pfsense/pfsense/pull/4591">https://github.com/pfsense/pfsense/pull/4591</a></p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=616742022-06-03T07:51:25ZJim Pingle
<ul></ul><p>What's in now will have to be considered on its own -- any refinements should be done on a separate Redmine issue.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=616752022-06-03T09:32:04ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>This works OK as-is. As stated in the comments above it doesn't remove the routes, but the user can reboot or remove them manually in the meantime.</p>
<p>Tested the global option and the per-gateway option to override the global default and it was OK either way. Though another future enhancement might be to allow the override to work both ways as a drop down instead of a checkbox: Use default behavior, always add route, never add route.</p> pfSense - Feature #12687: Option to disable auto-addition of static routes for ``dpinger``https://redmine.pfsense.org/issues/12687?journal_id=616802022-06-03T11:22:26Z→ luckman212luke.hamburg@gmail.com
<ul></ul><p>follow-up issue: <a class="external" href="https://redmine.pfsense.org/issues/13242">https://redmine.pfsense.org/issues/13242</a></p>