Static routes on WAN interfaces overridden by route-to for firewall-initiated traffic
the 'pass out' rules such as:
pass out route-to ( em1 220.127.116.11 ) from 18.104.22.168 to !22.214.171.124/21 keep state allow-opts label "let out anything from firewall host itself"
Break connectivity from the firewall itself to any networks reachable via a static route on a WAN for traffic initiated from the firewall itself.
For example if you add a static route in the above scenario pointing 126.96.36.199/24 to 188.8.131.52, traffic initiated from the firewall to that destination will go to 184.108.40.206, not 220.127.116.11.
#4 Updated by Jim Pingle over 3 years ago
- Status changed from New to Confirmed
- Assignee deleted (
- Affected Version changed from 2.0 to All
It is still an issue but it can be easily worked around by adding a floating rule to pass outbound to the destination network.
We could automatically add rules behind the scenes for static route destinations on WAN-type interfaces that do not use the interface gateway if we wanted, but given that the situation is so rare, we may just want to document the quirk and let the user choose to add the workaround if they need it.