Bug #1813

Static routes on WAN interfaces overridden by route-to for firewall-initiated traffic

Added by Chris Buechler over 9 years ago. Updated over 4 years ago.

Rules / NAT
The 'pass out' rules such as:

pass out route-to ( em1 ) from to ! keep state allow-opts label "let out anything from firewall host itself"

break connectivity from the firewall itself to any network reachable via a static route on a WAN, for traffic initiated from the firewall itself.

For example, if you add a static route in the above scenario pointing to , traffic initiated from the firewall to that destination will go to , not

Associated revisions

Revision 75eb2012 (diff)
Added by Chris Buechler over 12 years ago

run hostap later in script, fixes ral(4) card difference in FreeBSD 7.0. Works with ath(4) also.

Ticket #1813


#1 Updated by Chris Buechler over 9 years ago

  • Priority changed from Normal to High

#2 Updated by Chris Buechler over 9 years ago

floating rules can work around this

#3 Updated by Jim Thompson over 4 years ago

  • Assignee set to Jim Pingle
  • Priority changed from High to Normal

Can't be "high", it's five years old.

JimP, please reeval to see if this is still an issue.

#4 Updated by Jim Pingle over 4 years ago

  • Status changed from New to Confirmed
  • Assignee deleted (Jim Pingle)
  • Affected Version changed from 2.0 to All

It is still an issue but it can be easily worked around by adding a floating rule to pass outbound to the destination network.

We could automatically add rules behind the scenes for static route destinations on WAN-type interfaces that do not use the interface gateway if we wanted, but given that the situation is so rare, we may just want to document the quirk and let the user choose to add the workaround if they need it.
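The rule shape quoted in the description beside the floating-rule workaround from comment #4, as a constructed pf.conf fragment added here for illustration. It is not taken from the ticket or from pfSense's generated ruleset: the interface name, addresses, networks and gateways are assumed, and the elided fields of the quoted rule are filled in only for this assumed topology.

```pf
# Constructed example, not from the ticket or the pfSense ruleset.
# Assumed topology (all values invented for illustration):
#   em1 = WAN, firewall address 198.51.100.2/24, interface gateway 198.51.100.1
#   static route: 203.0.113.0/24 via 198.51.100.254 (a second router on the WAN segment)

# The auto-generated rule from the description, with the elided fields filled in.
# route-to pins firewall-initiated traffic to the interface gateway, so a packet
# from the firewall to 203.0.113.10 is handed to 198.51.100.1 even though the
# kernel routing table says 198.51.100.254.
pass out route-to ( em1 198.51.100.1 ) from 198.51.100.2 to ! 198.51.100.0/24 keep state allow-opts label "let out anything from firewall host itself"

# Workaround from comment #4: a floating rule that passes the same traffic with
# no route-to. pf applies the route-to of the rule that ends up matching, so this
# rule has to win: "quick" makes it win regardless of where it sits, otherwise it
# must be evaluated after the rule above (whether pfSense orders floating user
# rules after the system rules is an assumption here, not something the ticket
# states). With no route-to the packet follows the routing table and goes to
# 198.51.100.254.
pass out quick on em1 inet from 198.51.100.2 to 203.0.113.0/24 keep state label "USER_RULE: let static route to 203.0.113.0/24 apply"
```

To confirm which rule is taking effect, `pfctl -vvsr` lists the loaded rules in evaluation order with their labels, and `route -n get 203.0.113.10` shows the gateway the routing table would choose; if firewall-initiated traffic still leaves via 198.51.100.1, the route-to rule is the one matching last and the floating rule needs `quick` or a later position.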
