Bug #15015
openStatic routes not working
0%
Description
Hello,
This morning I updated to PFSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route and it was added to the routing table, and everything works fine.
I've set the priority to Urgent since this is quite bad for a router...?
Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.
Site B has two gateways (one for each IPSec tunnel) and the following routes:
- route to site A via the IPSec interface - gateway - going to site A
- route to site B via the IPSec interface - gateway - going to site B
Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.
Site A was updated this morning to PFSense 2.7.1, while Site C is running 2.7.0.
Site A DOES NOT have the static routes added to the routing table.
Site C does have the static routes added to the routing table.
Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.
Thank you.
Files
Updated by dylan mendez about 1 year ago
Created 3 VMs
VM 1 - pfSense CE 2.7.0 - Subnet: 192.168.1.0/24 - Connected via VTI IPsec to VM2 (10.10.10.1) - Routes to 192.168.2.0/24 and 192.168.3.0/24 through the tunnel.
VM 2- pfSense+ 23.09 - Subnet: 192.168.2.0/24 - Connected via VTI IPsec to VM1 (10.10.10.2) and VM3 (10.10.10.5)- Routes to 192.168.1.0/24 via IPSec to VM1, as well as routes to 192.168.3.0/24 via IPSec to VM3.
VM 3 - pfSense CE 2.7.1 - Subnet: 192.168.3.0/24 - Connected via VTI IPsec to VM1 (10.10.10.6) - Routes to 192.168.2.0/24 and 192.168.1.0/24 through the tunnel.
All routes are showing up correctly, and communication is good between all VMs. Proceeded to upgrade VM 1 to pfSense CE 2.7.1 after taking snapshot.
Checked VM1 after upgrade, routes are still there, IPSec tunnels are still present.
Updated by dylan mendez about 1 year ago
In this case, my best guess is that the IPSec tunnel is going down for some reason, therefore, the route is no longer there.
Updated by Silviu Bajenaru about 1 year ago
dylan mendez wrote in #note-2:
In this case, my best guess is that the IPSec tunnel is going down for some reason, therefore, the route is no longer there.
I had this same idea, but under Status -> IPSec shows all tunnels showed online...
P.S.: I just reupdated from 2.7.0 to 2.7.1 again and it does the same. Please see the attached screenshots (for some reason images don't show up, here are the links):
https://ibb.co/gD2Rsx6 - tunnel configuration
https://ibb.co/b2K6zMX - tunnel status
https://ibb.co/H23kv4r - netstat output, grepping for 10.101
https://ibb.co/K2YZKgL - Routes table (from GUI)
As I said, this worked on 2.7.0 with no problems. Updated to 2.7.1, this started happening. No clue why.
Changing Phase 2 to 0.0.0.0/0 on both remote and local did nothing to fix the situation (saw this on some post that usually, when you run in routed mode, you'd use 0.0.0.0/0 since it doesn't really matter - please correct this info if it's wrong)
P.S.2: reverted again to 2.7.0 since I need this to work. If I can assist in any way, please let me know.
Updated by dylan mendez 10 months ago
The pictures are no longer there, can you please re upload.
Updated by David L 15 days ago
I have the issue where the static route is not being used as well. I'm using pfSense 2.7.2, it's a fresh enough install that I haven't finished configuring it yet.
As far as I can tell the sequence that has caused the issue was- Fresh install
- configure LAN interface to have network 10.0.42.2/24
- configure VLAN 10 on LAN interface with network 10.0.10.0/24
- configure WAN interface to have network 192.168.1.4/24 with no gateway yet
- add firewall rule to access web gui from WAN interface
- remove IP from LAN
- add gateway 192.168.1.3 as net42gw
- add static route for net 10.0.42.0/24 via net42gw
- add gateway 192.168.1.2 as WANGW
- change default gateway from Automatic to be specifically WANGW
This resulted in the static route being shown on the "Diagnostics -> Routes" page but doing a traceroute (with ICMP) do an address on the 10.0.42.0/24 network results in the 1st hop being 192.168.1.2.
Since then- I've made a backup, re-installed pfsense and restored the backup and the issue persists.
- I've tested my config with changing the setting in "System -> Advanced -> Firewall & NAT" with "Static route filtering - Bypass firewall rules for traffic on the same interface" set to checked, and this works around the problem, but this disables functionality I may want in the future.
It expects
- WAN 192.168.1.4/24
- default gateway 192.168.1.2
- LAN not set
- LAN interface VLAN 10 uses 10.0.10.2/24
- not running DHCP on any interface
- admin access through WAN interface http on port 80
- credentials in the backup are admin/Password321