OPNsense 17.7 Static routes not working (for backwards traffic)

Started by cr4wen, August 29, 2017, 12:32:46 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 29, 2017, 12:32:46 PM
Hello,
I have OPNsense installed on physical box (box A). On same subnet as default GW I have another router (Linux box - box B). Each box have static routes for ohter box. When I ping from network behind box A to network behind box B it works, packer returns back. But when I try ping from network behind box B to network behind box A, packet goes back to default GW (I can see packet on WAN and confirmed from ISP) not via static route I added for Box B.

Can you help me fix it, please?

Best regards,
cr4wen
August 29, 2017, 01:06:20 PM #1
Can you give us the subnets and netmasks for the networks involved?
August 29, 2017, 01:11:54 PM #2
Sure

Box A
inner subnet 192.168.151.0/24
WAN IP 10.5.7.10/24
Default GW (ISP) 10.5.7.1

Box B
inner subnet 192.168.152.0/24
WAN IP 10.5.7.13/24
Default GW (ISP) 10.5.7.1

Thank you,
cr4wen
August 29, 2017, 01:22:13 PM #3
Looks good so far.

Any chance that ICMP is blocked somewhere, so that box B thinks box A is unreachable or something? Does OPNsense show box A as "up" under System -> Gateways -> Status? (You may have to enable gateway monitoring first)
August 29, 2017, 01:37:59 PM #4 Last Edit: August 29, 2017, 03:10:37 PM by cr4wen
Destinations are pingable so I think there is no problem witch block icmp (filter log show action pass when I grep these subnets/IPs). All GWs (default and box B) status is Online.  Monitoring wasn't enabled for box B GW, but still it was Online (that GW is pingable).

cr4wen
August 29, 2017, 01:44:45 PM #5
Grasping at straws now :)
Do the packets from B to A (sorry, had them reversed before) have the correct source address? Or does box B maybe NAT them before sending them to box A?
August 29, 2017, 01:52:44 PM #6 Last Edit: August 29, 2017, 03:10:46 PM by cr4wen
There is no NAT rule between these subnets (there is NAT rule saying NO NAT between these subnets - I tried it even with disabled all NAT rules, but no change). I can see on Box A on WAN that packet income, on internal interface I can see that reach destination because on internal interface I can see reply. That reply I can see on WAN but that reply does not reach box b. It goes to default GW which I have confirmed from ISP. But it should go back to box B because of static route..... But it is not happen...

I tried to change GW in firewall rules but without any change (i was sometimes worse - it is not income into internal interface). So in rules I have GW * (default).


cr4wen
August 30, 2017, 04:40:42 PM #7
I established VPN between box A and B as temporary workaround. But I think this behaviour (ignoring static route for backwards traffic) is bug.
Print
Go Up Pages1
User actions