gateway for static route is ignored

Started by fabel, March 07, 2019, 02:37:10 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 07, 2019, 02:37:10 PM Last Edit: March 07, 2019, 02:38:51 PM by fabel
Hi,

I have a OPNsense 18.1.13-amd64

no multi-WAN setup and no Firewall rules setup with a specific gateway. but still somehow a static route is ignored for a TCP connection, and goes to the wrong gateway (another gateway on the same interface)


my Destination is in 10.10.0.0/16 (host 10.10.10.32) and should go to 172.23.1.130

if I do a telnet from this host 10.10.10.32 to a host behind my OPnsense, I see the packets to 10.10.10.32 go back via 172.23.1.254 and not 172.23.1.130...


tcpdump::
tcpdump -e -vni vmx4 port 9001
tcpdump: listening on vmx4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:31.146357 00:50:28:ec:2d:50 > 00:00:5e:00:01:e8, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 63, id 25813, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.32.41118 > 172.21.15.56.9001: Flags [\S], cksum 0x3199 (correct), seq 3448980969, win 29200, options [mss 1460,sackOK,TS val 2772850772 ecr 0,nop,wscale 7], length 0
14:33:31.146599 00:50:56:86:2c:cf > f4:8e:38:02:6c:3c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.21.15.56.9001 > 10.10.10.32.41118: Flags [\S.], cksum 0xd719 (correct), seq 2133773862, ack 3448980970, win 28960, options [mss 1460,sackOK,TS val 696378503 ecr 2772850772,nop,wscale 7], length 0


arp table:
root@fw-int01:/tmp # arp -an |grep  f4:8e:38:02:6c:3c
? (172.23.1.254) at f4:8e:38:02:6c:3c on vmx4 expires in 1129 seconds [ethernet]  < wrong
root@fw-int01:/tmp # arp -an | grep 00:50:28:ec:2d:50
? (172.23.1.131) at 00:50:28:ec:2d:50 on vmx4 expires in 1162 seconds [ethernet]  < correct firewall for 10.10.0.0
arp -an |grep 172.23.1.130
? (172.23.1.130) at 00:00:5e:00:01:84 on vmx4 expires in 225 seconds [ethernet] < correct gateway



My Routing table:

netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.23.0.100       UGS        vmx2
10.0.0.0/8         172.23.1.254       UGS        vmx4
10.10.0.0/16       172.23.1.130       UGS        vmx4
100.64.0.0/10      172.23.1.254       UGS        vmx4
100.64.1.108       link#6             UHS         lo0
100.64.1.108/31    link#6             U          vmx5
127.0.0.1          link#7             UH          lo0
155.195.219.112/28 172.23.1.108       UGS        vmx4
172.16.0.0/12      172.23.1.254       UGS        vmx4
172.21.15.0/24     link#4             U          vmx3
172.21.15.1        link#4             UHS         lo0
172.21.15.2        link#4             UHS         lo0
172.21.16.0/24     link#2             U          vmx1
172.21.16.1        link#2             UHS         lo0
172.21.16.2        link#2             UHS         lo0
172.23.0.0/24      link#3             U          vmx2
172.23.0.230       link#3             UHS         lo0
172.23.0.231       link#3             UHS         lo0
172.23.1.0/24      link#5             U          vmx4
172.23.1.230       link#5             UHS         lo0
172.23.1.231       link#5             UHS         lo0
172.24.119.0/24    172.23.1.108       UGS        vmx4
172.25.0.0/20      link#1             U          vmx0
172.25.0.230       link#1             UHS         lo0
172.25.0.231       link#1             UHS         lo0
192.168.0.0/16     172.23.1.254       UGS        vmx4
192.168.175.0/24   172.23.1.108       UGS        vmx4
194.55.40.0/24     172.23.1.108       UGS        vmx4
194.55.42.0/24     172.23.1.108       UGS        vmx4
194.55.43.0/24     172.23.1.108       UGS        vmx4
194.55.48.0/24     172.23.1.108       UGS        vmx4
194.55.49.0/24     172.23.1.108       UGS        vmx4
194.55.100.0/24    172.23.1.108       UGS        vmx4

can there be some icmp redirect poisoning or some other explanation for this?

Thanks for your ideas!
Print
Go Up Pages1
User actions