"Far Gateway" question

Started by Ted, September 18, 2023, 08:30:45 PM

Greetings,
I'm running OPNsense 23.7.3-amd64; FreeBSD 13.2-RELEASE-p2; OpenSSL 1.1.1v 1 Aug 2023.

I have a static IPv4 subnet from my broadband cable ISP. OPNsense WAN address is x.y.z.249; ISP equipment address is x.y.z.254; mask is /29. Creating the interface and gateway works fine. I can access the Internet with no problem. When I go to System | Gateways | Single (to enable interface monitoring and add an IP to monitor), I cannot save until I check "Far Gateway". This doesn't seem to cause any problem, but I don't understand why I'm forced to use the option.

I'm curious as to why the software behaves this way.
Thanks

Hi Ted,

I tried this over here and can't reproduce this. At least not with a static setup using the netmask and IPs you gave. I checked with a network calculator and .254 is usable within the /29 so that can't be it.

What am I missing? And what's the exact error you are seeing?


Cheers,
Franco

Hi Franco,
Just updated to: OPNsense 23.7.4-amd64; FreeBSD 13.2-RELEASE-p3; OpenSSL 1.1.1v 1 Aug 2023.
Double checked the Interface settings; static IPv4 address is specified as x.y.z.249/29.

The error message is:
The following input errors were detected:
The gateway address "x.y.z.254" does not lie within one of the chosen interface's IPv4 subnets.

I'm reluctant to post the full public address, but could send it privately, if that would help.
I have a somewhat complex setup, with multiple WAN circuits from multiple ISPs, multiple VLANs, multiple VPNs, etc. I do know that simply setting up a single WAN / single LAN configuration with this particular ISP and address does not exhibit the Far Gateway behavior that I am seeing.

Thanks,
Ted

Hi Ted,

Ok. I'm still guessing that the resulting address is not on the correct interface so let's check that theory first:

In the gateway settings you see the selected interface. Then go to Interfaces: [the gateway interface] and check the device name.

Now go to the console and:

# ifconfig <device name>

Send me the output via PM or mail: franco AT opnsense DOT org


Thanks,
Franco

Hi Franco,

I've gathered the information you requested, and sent it along.

Thanks,
Ted

Hi Ted,

Answered via mail but to share the gist for others:

IPs of the /29 block were all configured as /32 so they do only contain their own IP address and thus cannot reach the provided gateway at the end of that /29 block.

The simplest solution is to make the static IPv6 a /29 and all the VIPs too. In that case far gateway setting can be removed. But from an operational point of view both /32+far or /29 with gateway IP contained are fine.


Cheers,
Franco
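
The check discussed in this thread can be reproduced offline from `ifconfig` output. The following is an added example, not code from either poster or from OPNsense: it parses FreeBSD-style `inet ... netmask 0x...` lines and reports whether a gateway is on-link. The device name `igb0` and the 203.0.113.x documentation addresses are constructed stand-ins for the redacted x.y.z block.

```python
import ipaddress
import re

# Constructed samples of FreeBSD `ifconfig <device name>` output.
# Case 1: every address configured as /32 (netmask 0xffffffff).
SAMPLE_SLASH32 = (
    "igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 203.0.113.249 netmask 0xffffffff broadcast 203.0.113.249\n"
    "\tinet 203.0.113.250 netmask 0xffffffff broadcast 203.0.113.250\n"
    "\tinet6 fe80::1%igb0 prefixlen 64 scopeid 0x1\n"
)
# Case 2: primary address configured as /29 (netmask 0xfffffff8), VIP still /32.
SAMPLE_SLASH29 = (
    "igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 203.0.113.249 netmask 0xfffffff8 broadcast 203.0.113.255\n"
    "\tinet 203.0.113.250 netmask 0xffffffff broadcast 203.0.113.250\n"
)

# Matches IPv4 lines only; "inet6" does not match because of the \s+ after "inet".
INET_RE = re.compile(r"^\s*inet\s+(\S+)\s+netmask\s+(0x[0-9a-fA-F]{8})", re.M)


def interface_addresses(ifconfig_text):
    """Return an IPv4Interface for each IPv4 address in the ifconfig output."""
    result = []
    for addr, hexmask in INET_RE.findall(ifconfig_text):
        # FreeBSD prints the netmask in hex; convert it to dotted-quad form.
        mask = ipaddress.IPv4Address(int(hexmask, 16))
        result.append(ipaddress.IPv4Interface(f"{addr}/{mask}"))
    return result


def gateway_on_link(ifconfig_text, gateway):
    """List the configured addresses whose subnet contains the gateway."""
    gw = ipaddress.IPv4Address(gateway)
    return [str(i) for i in interface_addresses(ifconfig_text) if gw in i.network]


def needs_far_gateway(ifconfig_text, gateway):
    """True when no configured IPv4 subnet on the interface contains the gateway."""
    return not gateway_on_link(ifconfig_text, gateway)


if __name__ == "__main__":
    for name, text in (("/32 setup", SAMPLE_SLASH32), ("/29 setup", SAMPLE_SLASH29)):
        hits = gateway_on_link(text, "203.0.113.254")
        print(name, "on-link via", hits if hits else "nothing (far gateway needed)")
```
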