Project

General

Profile

Actions

Bug #6625

closed

firewall forwards all traffic through wan interface, via default gateway, even if alternative route had been installed

Added by Remko Lodder over 7 years ago. Updated about 7 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
07/18/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

We have setup a new pfSense box that will route our VPN traffic between endpoints.
That goes out on our WAN interface which has a default GW assigned.

However, we use a different gateway for our VPN traffic. Setting this gateway does not result in the firewall using the alternative gateway, it is set by static configurations in inc/filter.inc:

3516                         #$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label
\"let out anything from firewall host itself\"\n";

the same goes for defined IPSEC traffic:

4127                                         $route_to = " route-to ( $interface $gateway ) ";
4128 $reply_to = " reply-to ( $interface $gateway ) ";
4136                                         $route_to = " route-to ( $interface $gateway ) ";
4137 $reply_to = " reply-to ( $interface $gateway ) ";

where we have replaced this $gateway with our external address to bypass the traffic.

Also hashing out line 3516 makes it at least possible to ping the host.

Next to that I noticed that a reguliar host entry is created for the external IP address that has an static entry pointing towards the default gateway instead of the alternative gateway. (there is an /32 also installed for the static entry that we created).

schemantic of what we want:

AP --> IPSEC Tunnel to pfSense --> pfSense box over alternative GW then the default on the WAN
^ WAN Interface ^

If you need additional help/info please let me know then I will try to deliver it.

Actions #1

Updated by Chris Buechler over 7 years ago

  • Status changed from New to Feedback

Hi Remko,
This seems like a duplicate of #1136, is the VPN in this case reachable via a static route?

Actions #2

Updated by Remko Lodder over 7 years ago

Chris Buechler wrote:

Hi Remko,
This seems like a duplicate of #1136, is the VPN in this case reachable via a static route?

Hi Chris,

Yes when we add a static route we can communicate with the VPN. It gets overwritten by pf's route-to/reply-to statements (and the default pass out reply-to statement earlier in the code, before the VPN configuration is loaded into the pf.conf).
hacking out the 'incorrect' settings (for us they are incorrect) still gets the vpn route added (as host route instead of /32 network route) because that is how it is configured within the system.

So there are multiple points that kills this for us...

If needed I can post some configuration examples (with stripping out the public info).

Actions #3

Updated by Gaëtan SLONGO about 7 years ago

Remko Lodder wrote:

We have setup a new pfSense box that will route our VPN traffic between endpoints.
That goes out on our WAN interface which has a default GW assigned.

However, we use a different gateway for our VPN traffic. Setting this gateway does not result in the firewall using the alternative gateway, it is set by static configurations in inc/filter.inc:

3516 #$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label
\"let out anything from firewall host itself\"\n";

the same goes for defined IPSEC traffic:

4127 $route_to = " route-to ( $interface $gateway ) ";
4128 $reply_to = " reply-to ( $interface $gateway ) ";

4136 $route_to = " route-to ( $interface $gateway ) ";
4137 $reply_to = " reply-to ( $interface $gateway ) ";

where we have replaced this $gateway with our external address to bypass the traffic.

Also hashing out line 3516 makes it at least possible to ping the host.

Next to that I noticed that a reguliar host entry is created for the external IP address that has an static entry pointing towards the default gateway instead of the alternative gateway. (there is an /32 also installed for the static entry that we created).

schemantic of what we want:

AP --> IPSEC Tunnel to pfSense --> pfSense box over alternative GW then the default on the WAN
^ WAN Interface ^

If you need additional help/info please let me know then I will try to deliver it.

Same issue as described here : https://redmine.pfsense.org/issues/7033
A solution would be appreciated :-)

Actions #4

Updated by Jim Pingle about 7 years ago

  • Status changed from Feedback to Duplicate

Duplicate of #1136

Actions #5

Updated by Gaëtan SLONGO about 7 years ago

Jim Pingle wrote:

Duplicate of #1136

Note sure it is really a duplicate. And the #1136 is very old (and seems not fixed). Could it be analysed by a developper ?

Thanks !

Actions #6

Updated by Jim Pingle about 7 years ago

We have, it is.

Actions #7

Updated by Gaëtan SLONGO about 7 years ago

Jim Pingle wrote:

We have, it is.

OK so what would be the solution? Because using floating rules has no effect.. And what is the goal of that rule (let out anything from firewall host itself) ?

Thanks!

Actions #8

Updated by Jim Pingle about 7 years ago

This is a bug reporting system, not a support or discussion platform. Please post on the forum or via some other support channel for assistance.

Actions #9

Updated by Gaëtan SLONGO about 7 years ago

Jim Pingle wrote:

This is a bug reporting system, not a support or discussion platform. Please post on the forum or via some other support channel for assistance.

A topic is opened here https://forum.pfsense.org/index.php?topic=122206.0 but still no solution...

If here, in the bugtracker, we find floating rules should solve the problem, but in facts do not solve it.. It should be ok to post there, no ?
It really seems to be a bug and not bad configuration. If you think you know why we are facing to this behavior and even if this is not a support plateform, it would be much appreciated you give the solution (and maybe close that bugs).. :-)

Actions #10

Updated by Jim Pingle about 7 years ago

That doesn't change the situation. You're posting on closed duplicate tickets and the floating rules do solve the problem when made correctly. The forum is the only place this should be discussed. Again, this is not for discussion.

Actions #11

Updated by Gaëtan SLONGO about 7 years ago

Jim Pingle wrote:

That doesn't change the situation. You're posting on closed duplicate tickets and the floating rules do solve the problem when made correctly. The forum is the only place this should be discussed. Again, this is not for discussion.

I understand but, even if this is not for discussion, it is really difficult to explains what you mean by "when made correctly" ? Everyone would be happy and all other users watching this page will find the solution and we will avoid unuseful replies :-) Or maybe if you have one minute you could reply to this post https://forum.pfsense.org/index.php?topic=122206.0 ?

Again, thank you for advance :-)

Actions

Also available in: Atom PDF