Bug #7033
Hidden rule breaks the policy routing
Status: closed
Description
Hello
I found a hidden rule that breaks the policy routing.
The rules:
pass out route-to ( lagg0_vlan2000 192.168.0.5 ) from 192.168.0.10 to !192.168.0.0/24 tracker 1000008011 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0_vlan2000 192.168.0.5 ) from 192.168.0.12 to !192.168.0.0/24 tracker 1000008012 keep state allow-opts label "let out anything from firewall host itself"
If I create a rule to route specific traffic to another gateway (192.168.0.1), which is on the same subnet as my default gateway (192.168.0.5), the traffic will always be routed to my default gateway (192.168.0.5) because of this hidden rule.
If I create the rule to a gateway in another subnet (172.19.11.3 for example), the policy routing works well.
In this topic you can find more information about my setup and the bug.
https://forum.pfsense.org/index.php?topic=122206.0
Actually, I don't understand the real purpose of this rule. Following the code, this hidden rule is not applied to "virtual" interfaces (OpenVPN/L2TP/IPsec interfaces); it is only applied for the firewall IP and the VIP on the WAN side.
Thank you.