Bug #15015

open

Static routes not working

Added by Silviu Bajenaru about 1 year ago. Updated 15 days ago.

Status: New
Priority: Urgent
Assignee: -
Category: Routing
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.7.1
Affected Architecture: amd64

Description

Hello,

This morning I updated to PFSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route and it was added to the routing table, and everything works fine.
I've set the priority to Urgent since this is quite bad for a router...?

More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:
Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.
Site B has two gateways (one for each IPSec tunnel) and the following routes:
  • route to site A via the IPSec interface - gateway - going to site A
  • route to site B via the IPSec interface - gateway - going to site B
Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.
Site A was updated this morning to PFSense 2.7.1, while Site C is running 2.7.0.
Site A DOES NOT have the static routes added to the routing table.
Site C does have the static routes added to the routing table.

Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.

Thank you.


Files

config-pf-net10.home.net-20241208001817.xml (21 KB) - pfSense backup of affected system - David L, 12/07/2024 02:36 PM

Actions #1

Updated by dylan mendez about 1 year ago

Created 3 VMs

VM 1 - pfSense CE 2.7.0 - Subnet: 192.168.1.0/24 - Connected via VTI IPsec to VM2 (10.10.10.1) - Routes to 192.168.2.0/24 and 192.168.3.0/24 through the tunnel.

VM 2 - pfSense+ 23.09 - Subnet: 192.168.2.0/24 - Connected via VTI IPsec to VM1 (10.10.10.2) and VM3 (10.10.10.5) - Routes to 192.168.1.0/24 via IPSec to VM1, as well as routes to 192.168.3.0/24 via IPSec to VM3.

VM 3 - pfSense CE 2.7.1 - Subnet: 192.168.3.0/24 - Connected via VTI IPsec to VM1 (10.10.10.6) - Routes to 192.168.2.0/24 and 192.168.1.0/24 through the tunnel.

All routes are showing up correctly, and communication is good between all VMs. Proceeded to upgrade VM 1 to pfSense CE 2.7.1 after taking snapshot.

Checked VM1 after upgrade, routes are still there, IPSec tunnels are still present.

Actions #2

Updated by dylan mendez about 1 year ago

In this case, my best guess is that the IPSec tunnel is going down for some reason, therefore, the route is no longer there.

Actions #3

Updated by Silviu Bajenaru about 1 year ago

dylan mendez wrote in #note-2:

In this case, my best guess is that the IPSec tunnel is going down for some reason, therefore, the route is no longer there.

I had this same idea, but Status -> IPSec showed all tunnels online...

P.S.: I just reupdated from 2.7.0 to 2.7.1 again and it does the same. Please see the attached screenshots (for some reason images don't show up, here are the links):
https://ibb.co/gD2Rsx6 - tunnel configuration
https://ibb.co/b2K6zMX - tunnel status
https://ibb.co/H23kv4r - netstat output, grepping for 10.101
https://ibb.co/K2YZKgL - Routes table (from GUI)

As I said, this worked on 2.7.0 with no problems. Updated to 2.7.1, this started happening. No clue why.

Changing Phase 2 to 0.0.0.0/0 on both remote and local did nothing to fix the situation (saw this on some post that usually, when you run in routed mode, you'd use 0.0.0.0/0 since it doesn't really matter - please correct this info if it's wrong)

P.S.2: reverted again to 2.7.0 since I need this to work. If I can assist in any way, please let me know.

Actions #4

Updated by dylan mendez 10 months ago

The pictures are no longer there, can you please re-upload?

Actions #5

Updated by David L 15 days ago

I have the issue where the static route is not being used as well. I'm using pfSense 2.7.2, it's a fresh enough install that I haven't finished configuring it yet.

As far as I can tell the sequence that has caused the issue was
  1. Fresh install
  2. configure LAN interface to have network 10.0.42.2/24
  3. configure VLAN 10 on LAN interface with network 10.0.10.0/24
  4. configure WAN interface to have network 192.168.1.4/24 with no gateway yet
  5. add firewall rule to access web gui from WAN interface
  6. remove IP from LAN
  7. add gateway 192.168.1.3 as net42gw
  8. add static route for net 10.0.42.0/24 via net42gw
  9. add gateway 192.168.1.2 as WANGW
  10. change default gateway from Automatic to be specifically WANGW

This resulted in the static route being shown on the "Diagnostics -> Routes" page, but doing a traceroute (with ICMP) to an address on the 10.0.42.0/24 network results in the 1st hop being 192.168.1.2.

Since then
  • I've made a backup, re-installed pfsense and restored the backup and the issue persists.
  • I've tested my config with changing the setting in "System -> Advanced -> Firewall & NAT" with "Static route filtering - Bypass firewall rules for traffic on the same interface" set to checked, and this works around the problem, but this disables functionality I may want in the future.

Seeing as there isn't anything secure in the setup yet, I've attached the backup from the affected system.
It expects
  • WAN 192.168.1.4/24
  • default gateway 192.168.1.2
  • LAN not set
  • LAN interface VLAN 10 uses 10.0.10.2/24
  • not running DHCP on any interface
  • admin access through WAN interface http on port 80
  • credentials in the backup are admin/Password321
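
The two reports in this thread describe different symptoms: in the original one the static route never reaches the routing table, while in the last one it is listed but traffic still leaves via the default gateway. The following added example (not written by any poster and not pfSense code) parses `netstat -rn -f inet` output and reports which case applies to a configured route. The sample table is constructed from the addresses in the last report; the interface names and the function names are assumptions.

```python
import ipaddress

# Constructed sample of `netstat -rn -f inet` output from a pfSense (FreeBSD) shell.
# Addresses follow the last report; interface names (vtnet0, lo0) are assumed.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.2        UGS      vtnet0
10.0.10.0/24       link#8             U      vtnet0.10
10.0.42.0/24       192.168.1.3        UGS      vtnet0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U        vtnet0
192.168.1.4        link#3             UHS         lo0
"""

def parse_routes(text):
    """Return [(network, gateway, flags, netif)] from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue  # banner, blank line or column header
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        except ValueError:
            continue  # not a parsable route line
        routes.append((net, fields[1], fields[2], fields[3]))
    return routes

def next_hop(routes, addr):
    """Longest-prefix match over the parsed table; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if r[0].version == ip.version and ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def check_static_route(text, network, gateway, probe):
    """Return (state, gateway the table selects for probe).

    state is "installed" when network via gateway is in the table, else "missing".
    """
    routes = parse_routes(text)
    want = ipaddress.ip_network(network)
    installed = any(r[0] == want and r[1] == gateway for r in routes)
    hop = next_hop(routes, probe)
    return ("installed" if installed else "missing", hop[1] if hop else None)
```

On a live system, pass the captured output of `netstat -rn -f inet` in place of the sample.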