Bug #3308: route-to/reply-to not updated when PPP gateway IP changes
Status: Closed
Description
I have two WAN interfaces and a firewall rule to make the secondary WAN the gateway for some of the hosts. A screenshot of the rule is attached. The alias "ADSL_Out_Hosts" includes the list of hosts who need the alternate gateway.
This rule has worked flawlessly for over two years, but in the past week it has failed twice. In both cases, all hosts on the LAN reverted to the default gateway. I verified this by logging in to a machine that was on the ADSL_Out_Hosts list and through whatismyipaddress.com saw that it's using the wrong gateway.
The first time this happened I rebooted the firewall and the problem went away.
The second time this happened I went into the rule in the screenshot, checked "Disable this rule", applied the change, then went in there again and removed the disable checkmark. That, too, fixed the problem.
This pretty much proves in my mind that the problem is with pfSense.
If there is any more information I can provide, I'd be happy to do so. For instance, if there is anything in the logs I can watch out for next time this happens, or if there are any diagnostic steps I can take to help pin this down, please let me know.
For reference, this rule has been in place for over two years with not a single issue. I have been running the latest release version for a few months but problems just started last week.
I'm running 2.1-RELEASE (i386) built on Wed Sep 11 18:16:50 EDT 2013, FreeBSD 8.3-RELEASE-p11
Updated by Chris Buechler almost 12 years ago
- Status changed from New to Feedback
Not enough info. Check Status>Gateways, and the route-to lines in /tmp/rules.debug; guessing one of your gateways is getting marked as offline and hence it switches over.
Updated by Oz Solomon over 11 years ago
This just happened again and per your suggestions I checked Status>Gateways and /tmp/rules.debug.
Status>Gateways showed that both gateways are up - all fine.
I then saved a copy of /tmp/rules.debug, and proceeded to disable, then re-enable my LAN routing rule (as described in the original bug) and took another snapshot of /tmp/rules.debug.
In comparing the changes, I see this before:
GWWAN_ADSL = " route-to ( pppoe0 206.248.154.104 ) "
then this after:
GWWAN_ADSL = " route-to ( pppoe0 206.248.154.122 ) "
There are a whole bunch of those kinds of differences, e.g.
pass in quick on $WAN_ADSL reply-to ( pppoe0 206.248.154.104 ) proto icmp from any to any keep state label "USER_RULE: Ping"
Then
pass in quick on $WAN_ADSL reply-to ( pppoe0 206.248.154.122 ) proto icmp from any to any keep state label "USER_RULE: Ping"
Looks like the pppoe0 address was changed on the ISP side, but pfSense did not update its internal rules automatically as a result. Disabling the rule and re-enabling it triggered the correct change.
I think this is a genuine bug.
I'm happy to share my copies of rules.debug with you if there is a non-public way to share them.
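The stale state described in this comment (a route-to/reply-to clause in /tmp/rules.debug still carrying the old PPPoE peer address) can be spotted without toggling rules. The following shell check is an added example, not part of this bug report or of pfSense's own tooling; it works on a constructed rules.debug excerpt and a constructed "interface current address" table, and on a live box you would feed it the real file and the address from ifconfig instead.

```shell
#!/bin/sh
# Added example (not pfSense code): flag route-to/reply-to clauses whose
# embedded gateway IP no longer matches the interface's current address.

# Constructed rules.debug excerpt in the style quoted in the bug report;
# pppoe0 now has peer .122, so the two .104 clauses are stale.
SAMPLE_RULES='GWWAN_ADSL = " route-to ( pppoe0 206.248.154.104 ) "
pass in quick on $WAN_ADSL reply-to ( pppoe0 206.248.154.104 ) proto icmp from any to any keep state label "USER_RULE: Ping"
pass out quick on $WAN route-to ( em0 198.51.100.1 ) from any to any keep state'

# Constructed table of current gateway addresses, one "iface addr" per line.
# On a live system something like: ifconfig pppoe0 | awk '/inet /{print $4}'
# (on a point-to-point link the 4th field is the peer, i.e. the gateway).
SAMPLE_GW='pppoe0 206.248.154.122
em0 198.51.100.1'

# Prints "IFACE RULE_IP CURRENT_IP" for every stale clause.
# Exit status: 0 when all clauses are current, 1 when any is stale.
find_stale_gateways() {
    rules="$1"; gws="$2"
    printf '%s\n' "$rules" | awk -v gws="$gws" '
    BEGIN {
        n = split(gws, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); cur[f[1]] = f[2] }
    }
    {
        line = $0
        # A clause looks like: route-to ( pppoe0 206.248.154.104 )
        # A single rule can carry more than one, so loop over the line.
        while (match(line, /(route-to|reply-to) \( [^ ]+ [0-9.]+ \)/)) {
            clause = substr(line, RSTART, RLENGTH)
            split(clause, c, " ")      # c[3] = interface, c[4] = gateway IP
            if ((c[3] in cur) && cur[c[3]] != c[4]) {
                print c[3], c[4], cur[c[3]]
                stale++
            }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { exit (stale > 0) }'
}
```

Run as `find_stale_gateways "$(cat /tmp/rules.debug)" "pppoe0 $(ifconfig pppoe0 | awk '/inet /{print $4}')"` from cron and alert on a non-zero exit.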
Updated by Chris Buechler over 9 years ago
- Subject changed from Firewall rule spontaneously stops working to route-to/reply-to not updated when PPP gateway IP changes
- Status changed from Feedback to Closed
The update of route-to/reply-to definitely works in current versions.