Bug #7033: Hidden rule breaks the policy routing
Status: closed
Description
Hello
I found a hidden rule that breaks the policy routing.
The rules:
pass out route-to ( lagg0_vlan2000 192.168.0.5 ) from 192.168.0.10 to !192.168.0.0/24 tracker 1000008011 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0_vlan2000 192.168.0.5 ) from 192.168.0.12 to !192.168.0.0/24 tracker 1000008012 keep state allow-opts label "let out anything from firewall host itself"
If I create a rule to route specific traffic to another gateway (192.168.0.1) that is on the same subnet as my default gateway (192.168.0.5), the traffic will always be routed to my default gateway (192.168.0.5) because of this hidden rule.
If I create the rule to a gateway in another subnet (172.19.11.3 for example), the policy routing works well.
This topic has more information about my setup and the bug:
https://forum.pfsense.org/index.php?topic=122206.0
Actually, I don't understand the real purpose of this rule. Following the code, this hidden rule is not applied to "virtual" interfaces (OpenVPN/L2TP/IPsec interfaces); it is only applied for the firewall IP and the VIP on the WAN side.
Thank you.
Updated by Jim Pingle almost 8 years ago
- Status changed from New to Duplicate
Duplicate of #1136
If you must have a second gateway on WAN, add floating rules to match the outbound traffic to override the internal rules. See the other ticket for info.
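To make the mechanics behind the report and the suggested workaround concrete, here is an added Python example (not code from the ticket, the forum thread, or the pfSense project). It is a toy evaluator for the pf(4) rule-matching semantics that decide which route-to gateway a packet gets: the last matching rule wins, unless a matching rule says quick, in which case evaluation stops there. It parses the two hidden rules quoted in the description plus a constructed override rule (the 203.0.113.0/24 destination, the "constructed override" label and the choice of where the override sits in the ruleset are assumptions for illustration), and shows that the override only beats the hidden route-to 192.168.0.5 when it is evaluated after the hidden rules or carries quick. It ignores interfaces, NAT and state tracking, and does not reproduce the order in which pfSense actually generates its ruleset.

```python
"""Toy pf(4) rule evaluator (added example, not pfSense code).

pf semantics modelled here: the LAST matching rule decides the packet,
unless a matching rule carries "quick", which stops evaluation at once.
Interfaces, NAT and state tracking are deliberately left out.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of pf rule syntax sufficient for the rules in the ticket.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)\s+(?P<dir>in|out)'
    r'(?:\s+(?P<quick>quick))?'
    r'(?:\s+route-to\s+\(\s*(?P<iface>\S+)\s+(?P<gw>\S+)\s*\))?'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+tracker\s+\d+)?(?:\s+keep\s+state)?(?:\s+allow-opts)?'
    r'(?:\s+label\s+"(?P<label>[^"]*)")?\s*$'
)


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    route_to: Optional[Tuple[str, str]]  # (interface, gateway) or None
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negated: bool                     # "to !192.168.0.0/24"
    label: str


def _net(text: str) -> ipaddress.IPv4Network:
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)  # host -> /32


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    dst = m["dst"]
    route = (m["iface"], m["gw"]) if m["gw"] else None
    return Rule(m["action"], m["dir"], bool(m["quick"]), route,
                _net(m["src"]), _net(dst.lstrip("!")),
                dst.startswith("!"), m["label"] or "")


def matches(rule: Rule, direction: str, src: str, dst: str) -> bool:
    if rule.direction != direction:
        return False
    if ipaddress.ip_address(src) not in rule.src:
        return False
    in_dst = ipaddress.ip_address(dst) in rule.dst
    return (not in_dst) if rule.dst_negated else in_dst


def evaluate(rules: List[Rule], direction: str, src: str, dst: str) -> Optional[Rule]:
    """Return the rule that decides the packet, following pf's ordering rules."""
    winner = None
    for rule in rules:
        if matches(rule, direction, src, dst):
            winner = rule          # later match overrides an earlier one ...
            if rule.quick:
                break              # ... unless the match says "quick"
    return winner


def chosen_gateway(rules: List[Rule], direction: str, src: str, dst: str) -> Optional[str]:
    rule = evaluate(rules, direction, src, dst)
    return rule.route_to[1] if rule and rule.route_to else None


# The two hidden rules exactly as quoted in the bug description.
HIDDEN_RULES = [parse_rule(line) for line in (
    'pass out route-to ( lagg0_vlan2000 192.168.0.5 ) from 192.168.0.10 to !192.168.0.0/24 '
    'tracker 1000008011 keep state allow-opts label "let out anything from firewall host itself"',
    'pass out route-to ( lagg0_vlan2000 192.168.0.5 ) from 192.168.0.12 to !192.168.0.0/24 '
    'tracker 1000008012 keep state allow-opts label "let out anything from firewall host itself"',
)]

# Constructed override rules (assumed destination prefix and label).
OVERRIDE = ('pass out route-to ( lagg0_vlan2000 192.168.0.1 ) '
            'from 192.168.0.10 to 203.0.113.0/24 label "constructed override"')
OVERRIDE_QUICK = OVERRIDE.replace("pass out ", "pass out quick ", 1)


def demo() -> dict:
    """Which gateway wins for 192.168.0.10 -> 203.0.113.5 under each ordering."""
    pkt = ("out", "192.168.0.10", "203.0.113.5")
    return {
        "override_before_hidden_no_quick": chosen_gateway([parse_rule(OVERRIDE)] + HIDDEN_RULES, *pkt),
        "override_before_hidden_quick": chosen_gateway([parse_rule(OVERRIDE_QUICK)] + HIDDEN_RULES, *pkt),
        "override_after_hidden_no_quick": chosen_gateway(HIDDEN_RULES + [parse_rule(OVERRIDE)], *pkt),
        # Source not covered by the override: the second hidden rule still decides.
        "other_source_ip": chosen_gateway(HIDDEN_RULES + [parse_rule(OVERRIDE)], "out", "192.168.0.12", "203.0.113.5"),
        # Destination inside 192.168.0.0/24: the negated "to" excludes the hidden rules.
        "local_destination": chosen_gateway(HIDDEN_RULES + [parse_rule(OVERRIDE)], "out", "192.168.0.10", "192.168.0.77"),
    }


if __name__ == "__main__":
    for name, gw in demo().items():
        print(f"{name:32s} -> {gw}")
```

The first scenario is the one the ticket describes: an override evaluated before the hidden rule, without quick, loses to the hidden route-to 192.168.0.5 because pf takes the last match. Either placing the override after the hidden rules or giving it quick makes 192.168.0.1 win; whether a given pfSense floating rule ends up in that position in the real generated ruleset is not something this toy can tell you, so check the ruleset pfSense actually loads rather than relying on the model.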
Updated by Maxence Sartiaux almost 8 years ago
Jim Pingle wrote:
Duplicate of #1136
If you must have a second gateway on WAN, add floating rules to match the outbound traffic to override the internal rules. See the other ticket for info.
Hello,
Our rules are in Floating rules.
Thank you.
Updated by Gaëtan SLONGO almost 8 years ago
Jim Pingle wrote:
Duplicate of #1136
If you must have a second gateway on WAN, add floating rules to match the outbound traffic to override the internal rules. See the other ticket for info.
Dear Jim, could you please describe the aim of this rule ("let out anything from firewall host itself")?
As described by Maxence, even if those rules are put in "Floating rules" the behavior is the same. As the only solution at this time is to "hack" the PHP code, this is a critical bug for us.
Thanks !