OPNsense Forum

Title: Static Routes Not Working [SOLVED]
Post by: asood on March 03, 2019, 01:20:46 am
Hello. I've been using OPNsense for about a month now.
I have a very standard set up with only two interfaces (inside & outside);
and the standard firewall rules (to allow traffic from in to out with NAT).

Everything works fine, but I can't get the static routes to work.
I followed the documentation - created a new gateway - and then simply created a static route on the WAN/outside interface pointing to the next hop for the unique destination network.
It's a very simple and basic step, but it doesn't work.
I'm running the latest release (OPNsense 19.1.2-amd64).

When I run a traceroute from a host on the inside network for a device on the destination network which the static route is for, it still goes through the default gateway.

When I ssh into OPNsense and run netstat -rn, the routing table is correct - it shows the new static route.
However, even from ssh, I can't ping a device via the static route.

I don't know if I am missing something very simple or the OPNsense routing isn't working properly.
I'd appreciate it if someone else could test the static routing and confirm that it is or isn't working properly.
Can anyone do that?

Also, if anyone else has come across this problem and figured it out or not, it would be a big help if you could post your experience.

Thanks in advance,
A Sood

=== Solution for anyone else who is new to OPNsense and runs into the same problem ===

So the solution for me was to create another firewall rule
to allow from the lan subnets
with the destination subnet of the static route
via the desired gateway of the static route.

And it must be applied before the default lan to wan via default gateway rule.
Title: Re: Static Routes Not Working
Post by: newsense on March 03, 2019, 04:43:13 am
Sounds like you're talking about port forwarding or policy routing here, unsure what documentation you followed -- it doesn't seem to be the right one though. A bit more detail would be helpful in figuring out what's needed (screenshots would be fine too)
Title: Re: Static Routes Not Working
Post by: asood on March 04, 2019, 06:51:35 am
Hello. It's just a basic static route; not policy based routing or port forwarding.
Title: Re: Static Routes Not Working
Post by: asood on March 04, 2019, 09:42:23 pm
I got the static routes to "stick", but it really seems like a hack which shouldn't be necessary.
No matter what I did or tried through the web interface, the static routes just would not take. I tried different combinations of the gateways with default enabled or disabled, different settings for the WAN interface...

Finally, the way I got the static route to take was by ssh'ing into OPNsense and then creating a route
(route add -net 1.1.1.0/24 2.2.2.2, where 1.1.1.0/24 is the destination subnet and 2.2.2.2 is the gateway).

Note: the gateway (2.2.2.2) must not be set through the web interface.

Hopefully, this will help anyone else with the same issue.

Has anyone else run into the same problem and have an explanation as to why?

A Sood
Title: Re: Static Routes Not Working
Post by: asood on March 04, 2019, 10:21:08 pm
Unfortunately, the static routes set through ssh stopped working after a reboot  :(

With the WAN interface set to use DHCP, the static routes set through the web interface work perfectly.
However, if the WAN interface is set with a static IP and manual gateway, the static routes do NOT work.
I'm at the end of my skills and patience. This is a very simple set up which should just work.
Does anyone know how to get the static routes to work with the WAN interface set with a static IP and manual gateway (instead of DHCP)?

A Sood
Title: Re: Static Routes Not Working
Post by: newsense on March 05, 2019, 04:14:38 am
You didn't provide the documentation that you followed as requested, which makes everything a guessing game.

At the very least, try setting up a rule on LAN where you configure Source (anything from one IP to LAN Network depending on needs), Destination:Port, Gateway
Title: Re: Static Routes Not Working
Post by: asood on March 05, 2019, 02:36:30 pm
Hello. I finally figured out why it didn't work. I was missing the step of adding a firewall rule which is applied before the default lan to wan via default gateway rule. I don't know if I just missed it or it isn't included in the documentation.
So the solution for me was to create another firewall rule
to allow the lan subnets
with the destination of the static route
via the desired gateway
and it must be applied before the default lan to wan via default gateway rule.