Bug #1813 (open)
Static routes on WAN interfaces overridden by route-to for firewall-initiated traffic
Description
The 'pass out' rules such as:
pass out route-to ( em1 9.2.2.1 ) from 9.2.3.17 to !9.2.2.0/21 keep state allow-opts label "let out anything from firewall host itself"
break connectivity from the firewall itself to any network reachable via a static route on a WAN, for traffic initiated from the firewall itself.
For example if you add a static route in the above scenario pointing 1.0.0.0/24 to 9.2.3.20, traffic initiated from the firewall to that destination will go to 9.2.2.1, not 9.2.3.20.
Updated by Chris Buechler over 13 years ago
- Priority changed from Normal to High
Updated by Jim Thompson about 8 years ago
- Assignee set to Jim Pingle
- Priority changed from High to Normal
Can't be "high", it's five years old.
JimP, please re-evaluate to see if this is still an issue.
Updated by Jim Pingle about 8 years ago
- Status changed from New to Confirmed
- Assignee deleted (Jim Pingle)
- Affected Version changed from 2.0 to All
It is still an issue but it can be easily worked around by adding a floating rule to pass outbound to the destination network.
We could automatically add rules behind the scenes for static route destinations on WAN-type interfaces that do not use the interface gateway if we wanted, but given that the situation is so rare, we may just want to document the quirk and let the user choose to add the workaround if they need it.
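The following is an added illustration, not a ruleset from the bug report or from the pfSense rule generator: it places the reported route-to rule beside the floating-rule workaround described above, using the report's scenario (WAN on em1, WAN address 9.2.3.17, WAN gateway 9.2.2.1, static route 1.0.0.0/24 via 9.2.3.20; the interface name and rule labels are assumptions).

```pf
# Constructed pf ruleset fragment (assumed names), pfSense-style.
# The kernel routing table holds the static route 1.0.0.0/24 via 9.2.3.20,
# but route-to overrides that table for any packet the rule matches.

# Rule from the report. A packet the firewall itself sends to 1.0.0.1
# matches this rule and is handed to 9.2.2.1, not to 9.2.3.20.
pass out route-to ( em1 9.2.2.1 ) from 9.2.3.17 to !9.2.2.0/21 keep state allow-opts label "let out anything from firewall host itself"

# Workaround from the comment: a floating "pass out" rule for the static
# route destination with no gateway, so no route-to is attached and the
# routing table decides the next hop. pf uses the last matching rule
# unless a rule says "quick", so this rule must come after the route-to
# rule (as here) or carry "quick" if it is placed before it.
pass out on em1 from 9.2.3.17 to 1.0.0.0/24 keep state label "use static route for 1.0.0.0/24"
```

Because the workaround rule matches only 1.0.0.0/24, every other firewall-initiated flow still follows the route-to rule to 9.2.2.1 as before.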