
Bug #1813 (open)

Static routes on WAN interfaces overridden by route-to for firewall-initiated traffic

Added by Chris Buechler about 10 years ago. Updated almost 5 years ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 08/22/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

The 'pass out' rules such as:

pass out route-to ( em1 9.2.2.1 ) from 9.2.3.17 to !9.2.2.0/21 keep state allow-opts label "let out anything from firewall host itself"

break connectivity from the firewall itself to any networks reachable via a static route on a WAN for traffic initiated from the firewall itself.

For example if you add a static route in the above scenario pointing 1.0.0.0/24 to 9.2.3.20, traffic initiated from the firewall to that destination will go to 9.2.2.1, not 9.2.3.20.

Actions #1

Updated by Chris Buechler about 10 years ago

  • Priority changed from Normal to High

Actions #2

Updated by Chris Buechler about 10 years ago

floating rules can work around this

Actions #3

Updated by Jim Thompson almost 5 years ago

  • Assignee set to Jim Pingle
  • Priority changed from High to Normal

Can't be "high", it's five years old.

JimP, please re-evaluate to see if this is still an issue.

Actions #4

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Confirmed
  • Assignee deleted (Jim Pingle)
  • Affected Version changed from 2.0 to All

It is still an issue but it can be easily worked around by adding a floating rule to pass outbound to the destination network.

We could automatically add rules behind the scenes for static route destinations on WAN-type interfaces that do not use the interface gateway if we wanted, but given that the situation is so rare, we may just want to document the quirk and let the user choose to add the workaround if they need it.
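To make the mechanism behind the report and the workaround concrete, the following is an added Python model of pf's rule evaluation (last matching rule wins unless a matching rule is marked quick) together with a longest-prefix routing lookup. It is not pfSense or pf code; the rule/route dictionaries and the function names are invented for this illustration, and it assumes the floating workaround rule is placed ahead of the auto-generated route-to rule and marked quick. The addresses are the ones from the report: em1 is the WAN with gateway 9.2.2.1, 9.2.3.17 is the firewall's address, and 1.0.0.0/24 is a static route via 9.2.3.20.

```python
from ipaddress import ip_address, ip_network

# Constructed ruleset and routing table, using the addresses quoted in the report.
ROUTE_TO_RULE = {            # the auto-generated "let out anything from firewall host itself" rule
    "action": "pass", "src": "9.2.3.17", "dst": "!9.2.2.0/21",
    "route_to": "9.2.2.1", "quick": False,
}
FLOATING_FIX = {             # the workaround: a quick pass rule with no route-to
    "action": "pass", "src": "9.2.3.17", "dst": "1.0.0.0/24",
    "route_to": None, "quick": True,
}
ROUTES = [                   # (prefix, next hop); longest prefix wins
    ("0.0.0.0/0", "9.2.2.1"),
    ("9.2.2.0/21", "connected(em1)"),
    ("1.0.0.0/24", "9.2.3.20"),     # the static route from the report
]
PKT = {"src": "9.2.3.17", "dst": "1.0.0.5"}   # constructed firewall-initiated packet


def _in_net(addr, spec):
    """Match an address against 'any', a network, or a '!'-negated network."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ip_network(spec.lstrip("!"), strict=False)
    hit = ip_address(addr) in net
    return (not hit) if negated else hit


def rule_matches(rule, pkt):
    return _in_net(pkt["src"], rule["src"]) and _in_net(pkt["dst"], rule["dst"])


def winning_rule(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation at that rule."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return winner


def route_lookup(routes, dst):
    """Longest-prefix match over the kernel routing table."""
    best = None
    for prefix, nexthop in routes:
        net = ip_network(prefix, strict=False)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def next_hop(rules, routes, pkt):
    """Where the packet is sent: route-to on the winning rule overrides the
    routing table; otherwise (including pf's default pass when nothing
    matches) the routing table decides. Returns None if the packet is blocked."""
    rule = winning_rule(rules, pkt)
    if rule is not None and rule["action"] != "pass":
        return None
    if rule is not None and rule["route_to"]:
        return rule["route_to"]
    return route_lookup(routes, pkt["dst"])


if __name__ == "__main__":
    print("bug:       ", next_hop([ROUTE_TO_RULE], ROUTES, PKT))
    print("workaround:", next_hop([FLOATING_FIX, ROUTE_TO_RULE], ROUTES, PKT))
    print("no quick:  ", next_hop([dict(FLOATING_FIX, quick=False), ROUTE_TO_RULE], ROUTES, PKT))
```

With only the route-to rule in place, the packet to 1.0.0.5 matches `to !9.2.2.0/21` and is handed to 9.2.2.1, ignoring the static route. With the quick floating rule ahead of it, evaluation stops at a rule without route-to and the routing table sends the packet to 9.2.3.20. The third case shows why quick matters in this model: without it the later route-to rule is the last match and wins again.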
