Discussion:
policy routing issue : stumped : more
mayak-cq
2011-08-12 13:54:38 UTC
hi again,

i am now wondering why it is necessary to have gateway defined in the
WAN interface ...

if in the gateway definition, a gateway is flagged as the default, that
should be enough, no?

what appears to be happening is that policy routes as defined in LAN
rules are being overwritten by the gateway as defined in the WAN
interface.

ouch.

cheers

m


---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org

Commercial support available - https://portal.pfsense.org
Chris Buechler
2011-08-12 21:00:42 UTC
Post by mayak-cq
hi again,
i am now wondering why it is necessary to have gateway defined in the
WAN interface ...
Because that's what determines for NAT purposes whether something is
treated as a WAN.
Post by mayak-cq
if in the gateway definition, a gateway is flagged as the default, that
should be enough, no?
That's where your Internet traffic that doesn't match policy routing goes.
Post by mayak-cq
what appears to be happening is that policy routes as defined in LAN
rules are being overwritten by the gateway as defined in the WAN
interface.
It does not; policy routing rules override the system routing table.

mayak-cq
2011-08-13 09:34:51 UTC
hi chris
Post by Chris Buechler
Post by mayak-cq
hi again,
i am now wondering why it is necessary to have gateway defined in the
WAN interface ...
Because that's what determines for NAT purposes whether something is
treated as a WAN.
Post by mayak-cq
if in the gateway definition, a gateway is flagged as the default, that
should be enough, no?
That's where your Internet traffic that doesn't match policy routing goes.
Post by mayak-cq
what appears to be happening is that policy routes as defined in LAN
rules are being overwritten by the gateway as defined in the WAN
interface.
It does not; policy routing rules override the system routing table.
I just tried booting pfSense as a live CD, entered the minimum basic
information, ran tests, and the WAN interface route overrules my policy
route. This is running in a VMware box, but I don't think that should
influence policy routing.

I tested a LAN rule that blocks a client, and that worked, and when I
changed it back to "pass", the client uses the WAN interface default route
instead of the policy route. Is there a way to query pfSense to show its
routing decision?

thanks

m
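On the question of how to see the routing decision pfSense makes: this is an added example, not part of the original thread and not pfSense project code. On the box, `pfctl -sr` lists the rules pfSense generated; a LAN rule with a gateway selected carries a `route-to (interface gateway)` option, while a pass rule without one leaves the packet to the system routing table (`netstat -rn`, or `route -n get <dst>` for one destination), and `pfctl -vsr` adds per-rule packet counters so you can see which rule a client's traffic actually hit. The script below reproduces pf's first-match evaluation over a constructed ruleset in that format, so you can see why a block rule "works" while a pass rule without route-to falls through to the default route. The interface names (em0, em1), addresses (192.168.1.x, 203.0.113.1) and rule labels are made up for the example, and it assumes every rule is "quick" (first match wins), which is how pfSense generates user rules.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): reproduce pf's
# first-match decision for a source host over a ruleset in `pfctl -sr` format,
# reporting whether a packet is blocked, policy-routed (route-to) or handed to
# the system routing table. All interface names, addresses and labels below
# are constructed for this example.

# Constructed sample of `pfctl -sr` output for three LAN rules, in order:
# a block for one client, a pass with a gateway chosen (route-to), and the
# usual "allow LAN to any" pass with no gateway, which uses the default route.
SAMPLE_RULES='block drop in quick on em1 inet from 192.168.1.99 to any label "USER_RULE: blocked client"
pass in quick on em1 inet from 192.168.1.50 to any flags S/SA keep state route-to (em0 203.0.113.1) label "USER_RULE: host via second gateway"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any"'

# pf_decision IFACE SRC_IP RULES
# Prints one of: block | route-to IF GW | system-route | no-match
# Assumes every rule is "quick" (first match wins), as pfSense generates
# its user rules; IPv4 source matching only.
pf_decision() {
  printf '%s\n' "$3" | awk -v ifc="$1" -v srcip="$2" '
    function ip2n(ip,  a) {
      split(ip, a, ".")
      return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # CIDR match without bitwise operators (POSIX awk has none): compare
    # the network prefixes after dividing out the host bits.
    function matches(addr, spec,  p, n, bits, div) {
      if (spec == "any") return 1
      n = split(spec, p, "/")
      bits = (n == 2) ? p[2] + 0 : 32
      if (bits == 0) return 1
      div = 2 ^ (32 - bits)
      return int(ip2n(addr) / div) == int(ip2n(p[1]) / div)
    }
    NF == 0 { next }
    {
      action = $1; src = "any"; on = ""; rt = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "label") break          # free text follows; stop parsing
        if ($i == "on") on = $(i + 1)
        if ($i == "from") src = $(i + 1)
        if ($i == "route-to") { rt = $(i + 1) " " $(i + 2); gsub(/[()]/, "", rt) }
      }
      if (on != "" && on != ifc) next
      if (!matches(srcip, src)) next
      done = 1
      if (action == "block") print "block"
      else if (rt != "") print "route-to " rt
      else print "system-route"
      exit
    }
    END { if (!done) print "no-match" }
  '
}

# On a live box: pf_decision em1 192.168.1.50 "$(pfctl -sr)"
# then confirm with `pfctl -vsr` (per-rule packet counters) and
# `route -n get <dst>` (the system route used when no route-to rule matched).
pf_decision em1 192.168.1.50 "$SAMPLE_RULES"   # route-to em0 203.0.113.1
pf_decision em1 192.168.1.60 "$SAMPLE_RULES"   # system-route
pf_decision em1 192.168.1.99 "$SAMPLE_RULES"   # block
```

The third case is the one in the thread: the same client that was blocked by rule one is, once that rule is a plain pass, matched by the "allow LAN to any" rule, which has no route-to and so goes out the default gateway; only a rule that pfSense generated with route-to moves it to the other gateway.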
mayak-cq
2011-08-15 09:11:21 UTC
Post by mayak-cq
hi chris
<snip>
Post by mayak-cq
Post by Chris Buechler
It does not; policy routing rules override the system routing table.
I just tried booting pfSense as a live CD, entered the minimum basic
information, ran tests, and the WAN interface route overrules my policy
route. This is running in a VMware box, but I don't think that should
influence policy routing.
I tested a LAN rule that blocks a client, and that worked, and when I
changed it back to "pass", the client uses the WAN interface default route
instead of the policy route. Is there a way to query pfSense to show its
routing decision?
I have installed VLANs on the WAN interface, and policy routing works as
expected.

cheers,

m


Jim Pingle
2011-08-15 12:45:28 UTC
Post by mayak-cq
Post by mayak-cq
hi chris
<snip>
Post by mayak-cq
Post by Chris Buechler
It does not; policy routing rules override the system routing table.
I just tried booting pfSense as a live CD, entered the minimum basic
information, ran tests, and the WAN interface route overrules my policy
route. This is running in a VMware box, but I don't think that should
influence policy routing.
I tested a LAN rule that blocks a client, and that worked, and when I
changed it back to "pass", the client uses the WAN interface default route
instead of the policy route. Is there a way to query pfSense to show its
routing decision?
I have installed VLANs on the WAN interface, and policy routing works as
expected.
It sounds like you were hitting this:
http://redmine.pfsense.org/issues/651

There is an issue with having two gateways on a single interface; moving
to VLANs makes them land on separate interfaces, which is known to work
fine so long as they're on different subnets (or at least have different
gateways, but you could still have issues if they share a subnet).

Jim

mayak-cq
2011-08-15 14:59:06 UTC
Post by Jim Pingle
Post by mayak-cq
Post by mayak-cq
hi chris
<snip>
Post by mayak-cq
Post by Chris Buechler
It does not; policy routing rules override the system routing table.
I just tried booting pfSense as a live CD, entered the minimum basic
information, ran tests, and the WAN interface route overrules my policy
route. This is running in a VMware box, but I don't think that should
influence policy routing.
I tested a LAN rule that blocks a client, and that worked, and when I
changed it back to "pass", the client uses the WAN interface default route
instead of the policy route. Is there a way to query pfSense to show its
routing decision?
I have installed VLANs on the WAN interface, and policy routing works as
expected.
http://redmine.pfsense.org/issues/651
There is an issue with having two gateways on a single interface; moving
to VLANs makes them land on separate interfaces, which is known to work
fine so long as they're on different subnets (or at least have different
gateways, but you could still have issues if they share a subnet).
hi jim,

yep! that was it -- VLANs and different subnets have taken care of the
issue ...

thanks :-)

m

