Where does this 'route-to' rule come from?

Started by GaardenZwerch, January 06, 2021, 05:10:32 PM

Hi,

I have a weird behavior that looks a lot like what is described here:
https://forum.opnsense.org/index.php?topic=18238.0
but the solution does not apply.
I have a Firewall (in fact a CARP Cluster) that has its default gw on the internet, and is also connected on an internal network to several other gateways.

I have the following behavior, where traffic doesn't follow the routing table, but is directed to one specific gateway on the internal network, because of the following rules:

pass out log route-to (ix1 192.168.0.232) inet from 192.168.0.243 to ! (ix1:network) flags S/SA keep state allow-opts label "f21c75990b75b3a6112de8b7141f1e03"
pass out log route-to (ix1 192.168.0.232) inet from 192.168.0.242 to ! (ix1:network) flags S/SA keep state allow-opts label "f21c75990b75b3a6112de8b7141f1e03"

this overrides what
root@TC-master:~ # route show 172.27.5.3
   route to: 172.27.5.3
destination: 172.27.5.3
       mask: 255.255.255.255
    gateway: 192.168.0.252
suggests, which I understand.

However, I don't understand why these rules are generated, as the interface definition of ix1 does NOT have a gateway, it is on 'Auto-detect'.
Both gateways are defined in system/gateway/single, and I have defined static routes that use them. The output of netstat is coherent with what I have defined in the GUI.
root@TC-master:~ # netstat -nr4l | grep "default\|^172"
default            1.2.3.4      UGS    155677065   1500        ix0
172.16.0.0/12      192.168.0.252      UGS     4229777   1500        ix1
172.27.6.0/28      192.168.0.232      UGS           0   1500        ix1
172.27.6.16/28     192.168.0.232      UGS       39579   1500        ix1

I have tried adding a /32 route just for testing purposes, but of course the pf 'route-to' rule has precedence.
I have looked in the config.xml file for the occurrences of the IP 192.168.0.232 and looked if the object is referenced somewhere else, but it is not. The IP occurs once, for the definition of the gateway, and is used exactly twice, giving the two wanted static routes.

So, what causes the two 'route-to' rules? Can I use the generated label to further look for this?
Thanks a lot for any hints,
Frank
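To make the precedence Frank describes concrete, here is an added example (not OPNsense code and not from the thread's author) that parses route-to rules in pfctl style and a netstat table, then answers "which next hop does a new flow from host X to Y actually get?". The rule and route lines are constructed from the output quoted above; the subnet behind (ix1:network) and the probe destinations are assumptions, since the thread does not state them. The overridden_flows helper is the audit check a firewall admin would run: it lists flows the route-to rules silently send somewhere other than where the routing table says.

```python
"""Model how a pf 'route-to' rule overrides the kernel routing table.

Added example for this thread, not OPNsense's own code. Sample rules and
routes are constructed from the shape of the pfctl/netstat output quoted
in the thread; the ix1 subnet is an assumption (not given in the thread).
"""
import ipaddress
import re

# Constructed sample: the two OPNsense-generated route-to rules from the thread
PF_RULES = """\
pass out log route-to (ix1 192.168.0.232) inet from 192.168.0.243 to ! (ix1:network) flags S/SA keep state allow-opts label "f21c75990b75b3a6112de8b7141f1e03"
pass out log route-to (ix1 192.168.0.232) inet from 192.168.0.242 to ! (ix1:network) flags S/SA keep state allow-opts label "f21c75990b75b3a6112de8b7141f1e03"
"""

# Constructed sample: the filtered 'netstat -nr4l' output from the thread
NETSTAT = """\
default            1.2.3.4      UGS    155677065   1500        ix0
172.16.0.0/12      192.168.0.252      UGS     4229777   1500        ix1
172.27.6.0/28      192.168.0.232      UGS           0   1500        ix1
172.27.6.16/28     192.168.0.232      UGS       39579   1500        ix1
"""

# Assumption: the subnet pf expands (ix1:network) to; the thread never states it
IFACE_NETWORKS = {"ix1": ipaddress.ip_network("192.168.0.0/24")}

RULE_RE = re.compile(
    r"^pass out\b.*?route-to \((?P<rt_if>\w+) (?P<gw>[\d.]+)\)"
    r" inet from (?P<src>[\d.]+) to (?P<neg>!?) ?\((?P<net_if>\w+):network\)"
)


def parse_rules(text):
    """Return one dict per route-to rule found in pfctl -sr style text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "gw": m.group("gw"),
                "src": ipaddress.ip_address(m.group("src")),
                "negated": m.group("neg") == "!",
                "net": IFACE_NETWORKS[m.group("net_if")],
            })
    return rules


def parse_routes(text):
    """Return (network, gateway, interface) tuples from netstat -nr4l output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest, strict=False), fields[1], fields[5]))
    return routes


def kernel_next_hop(dst, routes):
    """Longest-prefix match, i.e. what 'route show' reports when pf stays out of it."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else best[1]


def effective_next_hop(src, dst, rules, routes):
    """Next hop a new outbound flow from src to dst really gets.

    Without 'quick', the last matching pf rule wins, and a matching route-to
    rule replaces the kernel route lookup entirely. Returns (gateway, reason).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chosen = None
    for rule in rules:
        dst_in_net = dst in rule["net"]
        dst_matches = (not dst_in_net) if rule["negated"] else dst_in_net
        if src == rule["src"] and dst_matches:
            chosen = rule
    if chosen is not None:
        return chosen["gw"], "route-to rule"
    return kernel_next_hop(dst, routes), "routing table"


def overridden_flows(rules, routes, probe_dsts):
    """Audit: (src, dst, forced_gw, kernel_gw) for every probe where a route-to
    rule sends traffic somewhere other than the routing table would."""
    diffs = []
    for rule in rules:
        for dst in probe_dsts:
            forced, reason = effective_next_hop(rule["src"], dst, rules, routes)
            kernel = kernel_next_hop(dst, routes)
            if reason == "route-to rule" and forced != kernel:
                diffs.append((str(rule["src"]), dst, forced, kernel))
    return diffs


if __name__ == "__main__":
    rules = parse_rules(PF_RULES)
    routes = parse_routes(NETSTAT)
    # 203.0.113.9 is a constructed internet destination (TEST-NET-3)
    for src, dst in [("192.168.0.243", "172.27.5.3"), ("192.168.0.10", "172.27.5.3"),
                     ("192.168.0.243", "203.0.113.9")]:
        print(src, "->", dst, effective_next_hop(src, dst, rules, routes))
    for row in overridden_flows(rules, routes, ["172.27.5.3", "203.0.113.9", "172.27.6.5"]):
        print("overridden:", row)
```

Running it shows the asymmetry from the post: 192.168.0.243 reaching 172.27.5.3 is forced to 192.168.0.232 although the table says 192.168.0.252, while any other host on ix1 follows the table. It also shows the part worth auditing: the rule matches every destination outside the ix1 subnet, so internet-bound traffic from the two sources is pulled to the internal gateway as well, away from the default route on ix0.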



Hi again,
I have reproduced this now in the LAB.

There will be a 'route-to' rule generated for the last gateway added on that network, even though the interface definition has
"IPv4 Upstream Gateway: Autodetect"

Ticking "Firewall/Settings/Advanced/Disable force gateway" makes the "route-to" rules go away.
Is this expected behavior? My understanding was that these rules are only created if the interface definition has a gateway.

Thanks
Frank

Hi Frank.
I would be grateful if you can tell me if you were able to move forward with this problem.

I'm exactly at the same point as you.
I need to set up several static routes in the LAN with different GWs.

With disable-force-gateway checked, no pass-out rule with route-to are added, even in the WAN, and I don't know if it could be a problem.

Many thanks in advance
Norberto