Project

General

Profile

Bug #4566

Gateway marked as down not skipped when individually chosen with "Skip rules when gateway down" selected

Added by Bipin Chandra about 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Category:
Gateways
Target version:
Start date:
03/31/2015
Due date:
% Done:

0%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

i have a openvpn client tunnel setup and i use it for voip as my isp blocks voip and that works fine, i was recently testing "Skip rules when gateway is down" check box feature and for that the openvpn gateway i tried to mark gateway as down as i wanted to see with skip rules ticked was that rule skipped but it seems it doesnt so could be the mark gateway down feature doesnt work or the skip rule isnt working when gateway is marked down manually

CropperCapture[2].jpg (37.2 KB) CropperCapture[2].jpg Bipin Chandra, 04/02/2015 08:38 AM
CropperCapture[3].jpg (15.2 KB) CropperCapture[3].jpg Bipin Chandra, 04/02/2015 08:38 AM
CropperCapture[4].jpg (18.8 KB) CropperCapture[4].jpg Bipin Chandra, 04/02/2015 08:38 AM
CropperCapture[5].jpg (10.9 KB) CropperCapture[5].jpg Bipin Chandra, 04/02/2015 08:38 AM

Associated revisions

Revision 1d433e01 (diff)
Added by Phillip Davis about 4 years ago

Bug #4566 Only route-to a gateway if it is not force_down

When generating policy-routing rules there was no check if a gateway had force-down set, so gateway with force_down set would still get policy-routing rules written for it, even if skip_rules_gw_down was enabled.

Revision a4621273 (diff)
Added by Phillip Davis about 4 years ago

Bug #4566 Only route-to a gateway if it is not force_down

When generating policy-routing rules there was no check if a gateway had force-down set, so gateway with force_down set would still get policy-routing rules written for it, even if skip_rules_gw_down was enabled.

History

#1 Updated by Phillip Davis about 4 years ago

Should be fixed by https://github.com/pfsense/pfsense/pull/1594
There did not seem to be any code to handle the mark gateway down setting when processing policy-routing rules.

#2 Updated by Chris Buechler about 4 years ago

  • Subject changed from mrk gateway down in routing has no effect to Gateway marked as down not skipped when individually chosen with "Skip rules when gateway down" selected
  • Category set to Gateways
  • Status changed from New to Confirmed
  • Affected Version changed from 2.2.1 to All

that just omits the route-to when the gateway is disabled, the "skip rules" option skips the rule entirely. that'll need a bit more review. Updated subject to specific issue.

#3 Updated by Bipin Chandra about 4 years ago

ill try the other patch but i gues the skip rules isnt working as well because for voip to work i need to send it through tunnel as directly out of wan is blocked by isp so when tunnel goes down i need to skip the rule entirely or else if any sip packets go directly to isp then they blacklist my IP which causes all UDP traffic to be heavily filtered almost killing all UDP traffic

#4 Updated by Phillip Davis about 4 years ago

The code after my change 1594 effectively removes the force_down gateway from the list, just like other gateways are not put in the list if they are down. The result in these cases is that no "route-to" is put. Then later code checks these conditions and omits the rule entirely if "skip rules when gateway down" is set. I think it will:
a) When gateway is marked down, then make the rule anyway but without the rout-to, this passing the traffic to the routing table.
b) When gateway is marked down and "skip rules when gateway down" is set, omit the rule altogether - so that the traffic might be blocked if there is no other general rule to pass it.

But maybe I missed some other downstream changed that is also needed - it did seem to be too easy/small a fix when I investigated it :)

There is also the case of marking force_down on a gateway/s that are part of a gateway group, then what happens if all gateway group members end up being down. I haven't tried what happens there. When the whole gateway group is down, then I think the system should be respecting the "skip rules when gateway down" setting when deciding whether to still put the rule in the rule-set.

#5 Updated by Bipin Chandra about 4 years ago

below are the screenshots of the openvpn tunnel being up, firewall rules on lan tab to send traffic out of tunnel and skip rules ticket but the state table shows its trying to send out of the wan ip rather than the tunnel.

i had created a thread initially on the forum thinking the firewall rule isnt working but it seems something else is also wrong somewhere else causing traffic not to be sent out of tunnel inspite of it being up and apinger also showing it up.

#7 Updated by Bipin Chandra about 4 years ago

the last 2 patches for this would solve marked down gateway to be skipped or passed to default gateway but the other issue i started now having in the last 2 posts is inspite of gateway not marked down and gateway being up, traffic still stops going through it

#8 Updated by Bipin Chandra about 4 years ago

i think im suffering from the issue mentioned here https://redmine.pfsense.org/issues/4296#change-17784 as i have the alias with FQDN as well as ip addresses

just wanted to know the patch mentioned there is all that will fix it or there are any more commits relating to this?

#9 Updated by Bipin Chandra about 4 years ago

i tried the patch, it works partially, first i have the rule to pass traffic to sip server through tunnel and next rule block it so it doesnt go out of wan and when i force the vpn gateway down, it shows down everywhere but the sip device on lan is able to register to server but calls then get dropped or dont go through.

sip registration still occurs shown by the below state table entry where as marking it down should omit the rule completely or block any such traffic

LAN udp x.x.x.x:5060 <- 192.168.0.11:5060 MULTIPLE:MULTIPLE
VPN udp 10.10.0.62:5060 (192.168.0.11:5060) -> x.x.x.x:5060 MULTIPLE:MULTIPLE

#10 Updated by Phillip Davis about 4 years ago

When you force a gateway down, there might still be states that are functioning across that gateway - in this case the SIP registration process. The new ruleset gets applied, without the rule to pass traffic, but the existing state/s are not removed. We know that the gateway is still physically working, so that would be why the registration function keeps working but new calls do not work.
System->Advanced, Miscellaneous "State Killing on Gateway Failure" should clear up old states when the gateway is forced down. See if that works in conjunction with "Mark Gateway Down".

#11 Updated by Bipin Chandra about 4 years ago

yes but sip registration states still get created after i manually removed the existing states and even shutdown my sip devices for timeout period.

that state table entry gets created even after killing it multiple times so could be manually removing them doesnt work i guess

#12 Updated by Bipin Chandra about 4 years ago

bytheway that state killing gateway failure is unticked

#13 Updated by Chris Buechler about 4 years ago

  • Target version changed from 2.2.2 to 2.2.3

patch merged that helps here, pushing forward for additional review of this circumstance in general

#14 Updated by Chris Buechler about 4 years ago

  • Target version changed from 2.2.3 to 2.3

#15 Updated by Jim Thompson over 3 years ago

  • Assignee set to Chris Buechler

assigned back to cmb, because who can tell what the current condition of this is?

Once he evaluates, we'll figure out if this still needs work.

#16 Updated by Chris Buechler over 3 years ago

  • Status changed from Confirmed to Resolved

this all works correctly. The gateway's omitted when disabled or down at default settings, and the entire rule is omitted if "Do not create rules when gateway is down" is configured.

Also available in: Atom PDF