next »

[0tt0]

I need to have a few commands run after the tunnel is started.

How do I do this most easily, I guess it's easy to do.
I looked in a few of the files in /var/etc/ like the .conf and it mentions rc.filter_configure but I'm somewhat unsure how this is best done.

So basically what I need to do is remove the 0.0.0.0/1 and 128.0.0.0/1 routes from the routing table.

What I do now is issuing commands route del 0.0.0.0/1 and route del 128.0.0.0/1 manually and reset states.

The problem is that if and when the tunnel is restarted, like if the box gets rebooted from a temp power failure those route entries sucks all traffic in the tunnel and hence disables policy routing.

So basically I need to put those two commands in a script and have that script run after the tunnel is up.

[geyser]

Is this so you can then do policy based routing after the OpenVPN link is up?

[GruensFroeschli]

Why are you telling the openVPN to even add these routes?
I assume you've set the "redirect def1" option.
Just disable this and those routes wont be added.

[geyser]

I think 0tt0 is connecting to StrongVPN, same as what I am trying to do.  Even if you don't specify redirect-gateway def1; it still puts in those routes.  I think it is being sent down by the remote server.

[GruensFroeschli]

The redirect def1 is a server option.

But even if you have these routes in place.
They only affect traffic if you're using the "default" gateway on a firewall rule.
Policy routing forces traffic directly to an interface/gateway and bypasses the routing table.

Could you show a screenshot of the rules you think are not working with these routes in place?



Even another alternative would be, that you add on top of these rules another 4 rules (0.0.0.0/2, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/2)

[0tt0]

I think 0tt0 is connecting to StrongVPN, same as what I am trying to do.  Even if you don't specify redirect-gateway def1; it still puts in those routes.  I think it is being sent down by the remote server.

This is exactly correct yes.

[cmb]

If you specify:

Code:

route-nopull

in your custom options it should prevent that route from being pulled. Someone else is doing that with StrongVPN.

[0tt0]

If you specify:

Code:

route-nopull

in your custom options it should prevent that route from being pulled. Someone else is doing that with StrongVPN.

Thanks for the info, don't think I've seen that one before.

[0tt0]

If you specify:

Code:

route-nopull

in your custom options it should prevent that route from being pulled. Someone else is doing that with StrongVPN.

It seems this only works in OpenVPN 2.1.x or later so it shouldn't work in pfs 1.2.3-R then I guess.

[m4rcu5]

I think its replaced by "route-noexec". This worked for me until last week i upgraded to RC3.
Now pfSense wont see my OpenVPN gateway anymore.

[0tt0]

I think its replaced by "route-noexec". This worked for me until last week i upgraded to RC3.
Now pfSense wont see my OpenVPN gateway anymore.

Thanks for the info, I'll check it up.

[jimp]

Upgrade to a recent snapshot if you aren't seeing an OpenVPN dynamic gateway (or if you see it but it's always "gathering data"). There were some bug fixes a week or so ago, after the official RC3.