pfSense Support Subscription

Author Topic: Routing problem on Multi WAN configuration  (Read 4442 times)

0 Members and 1 Guest are viewing this topic.

Offline wdavid

  • Newbie
  • *
  • Posts: 4
    • View Profile
Routing problem on Multi WAN configuration
« on: October 12, 2009, 03:14:27 pm »
I have a very strange problem with my firewall 1.2.3-RC3 built on Sun Oct 11 03:50:54 UTC 2009
In general I can say that IP addresses that end with the number between 224 and 239 are always "routed" through WAN.
I have a multi wan configuration where the WAN interface is my backup connection and the OPT1 is the main where I have 64 IP addresses NAT-ed to local servers (with CARP and Load balancing/failover)
I have many LAN rules but in general all traffic is routed through a FailOver interface where the OPT1 has priority.
But now when Iím trying to make tarceroute from any computer in the LAN to an IP that ends with 224-239 the route is always through the WAN interface. This makes impossible to access my server from outside for some clients.

Let me repeat, the pattern of the IP is X.X.X.224 - X.X.X.239 where X can be almost anything.

Will try to go back to a previous build, and see how it works. If someone know a stable build pleas drop me a line.

Update 10/13/09 - I've tried to upgrade the firmware to the oldest, the newest and other random builds from http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2 and NONE of them are working correctly. Went back to 1.2.3-RC1 and now it's OK. Next step I will try to reproduce this behavior in a simplified virtual environment.

David.
« Last Edit: October 13, 2009, 04:08:13 am by wdavid »

Offline wdavid

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: Routing problem on Multi WAN configuration
« Reply #1 on: October 13, 2009, 04:04:19 am »
Iíve tried to reproduce the problem on a fresh virtual environment and I had the same behavior. I think this is a major issue that needs to be fixed ASAP.
Here is the configuration:

pfSense  1.2.3-RC3 built on Tue Oct 13 03:53:26 UTC 2009

LAN interface (de0)    
IP address   192.168.1.1      
Subnet mask   255.255.255.0    

WAN interface (de1)
IP address   10.1.1.223  
Subnet mask   255.255.0.0
Gateway   10.1.2.1

OPT1 interface (de2)                   
IP address   10.0.0.201                     
Subnet mask   255.255.255.0                   
Gateway   10.0.0.1                   

All the rules and NAT settings of the firewall are the default of the initial setup wizard, except the rule on the LAN where Iím telling that everything from the LAN to be routed through 10.0.0.1 (OPT1 and NOT WAN).


Not so important but both WAN and OPT1 networks are connected to the internet through 2 separate external firewalls.

Client configuration Ė Windows XP
LAN adapter
IP 192.168.1.100
Subnet mask 255.255.255.0
Gateway 192.168.1.1

Some traceroute examples form the client computer: (explains everything)

C:\>tracert 1.1.1.223

Tracing route to 1.1.1.223 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  10.0.0.1
  2    20 ms    19 ms    19 ms  222.145.225.175
^C  
C:\>tracert 1.1.1.224

Tracing route to 1.1.1.224 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    16 ms    19 ms    19 ms  85.139.62.193
^C  
C:\>tracert 1.1.1.239

Tracing route to 1.1.1.239 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    17 ms    19 ms    19 ms  85.139.62.193
^C
C:\>tracert 1.1.1.240

Tracing route to 1.1.1.240 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  10.0.0.1
  2    29 ms    17 ms    19 ms  222.145.225.175
^C  
C:\>tracert 54.54.54.223

Tracing route to 54.54.54.223 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  10.0.0.1
  2     *       29 ms    19 ms  222.145.225.175
^C
C:\>tracert 54.54.54.224

Tracing route to 54.54.54.224 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    14 ms    19 ms    20 ms  85.139.62.193
^C
C:\>tracert 154.154.154.223

Tracing route to 154.154.154.223 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  10.0.0.1
^C
C:\>tracert 154.154.154.224

Tracing route to 154.154.154.224 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
^C
C:\>tracert 154.154.154.240

Tracing route to 154.154.154.240 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  10.0.0.1
^C

Conclusion: If the IP address ends with a number between 224 and 240, the LAN rule to route the packet through OPT1 interface is ignored.


Offline dotdash

  • Hero Member
  • *****
  • Posts: 1280
    • View Profile
Re: Routing problem on Multi WAN configuration
« Reply #2 on: October 13, 2009, 12:20:20 pm »
Thanks for reporting this. I thought I had lost my mind. I was doing some tests with 1.2.3RC3 running dual-wan and CP with per-user bandwidth. It was going surprisingly well until I encountered this.
I didn't see an issue filed for this, so I took the liberty of putting one in. (Bug 111)

Offline geewhz01

  • Jr. Member
  • **
  • Posts: 64
    • View Profile
Re: Routing problem on Multi WAN configuration
« Reply #3 on: October 13, 2009, 03:39:33 pm »
I'm having the same issue with .224-.240 addresses on my wan.  What's even more strange is it seems to route for me as long as the connecting ip isn't also in the .224-.240 range.

Andy

Offline cmb

  • Administrator
  • Hero Member
  • *****
  • Posts: 6287
    • LinkedIn
    • Twitter
    • View Profile
    • Chris Buechler
Re: Routing problem on Multi WAN configuration
« Reply #4 on: October 13, 2009, 09:23:20 pm »
Confirmed issue, looks like our patch to bypass route-to for multicast traffic has the bits flipped (last octet rather than first). We're looking at a solution.

Offline althornin

  • Jr. Member
  • **
  • Posts: 57
    • View Profile
Re: Routing problem on Multi WAN configuration
« Reply #5 on: October 14, 2009, 01:34:18 pm »
I just got bit by this also.
I could not figure out why sometimes, while using VZaccess (cellular broadband), I was unable to connect to anything on my network.
I'm basically in the same boat as the OP - my OPT1 (WAN2) interface has much more bandwidth, and is the primary route on a failover loadbalancer pool.

I'm in the process of replacing some linksys vpn routers with pfsense, and this is the last barrier in my way right now.

Thanks for the prompt attention on this issue. 

Offline althornin

  • Jr. Member
  • **
  • Posts: 57
    • View Profile
Re: Routing problem on Multi WAN configuration
« Reply #6 on: October 15, 2009, 12:32:03 pm »
Just tested this in todays 2GB snapshot, and it works.
Looks like this issue has been resolved.  Thanks for the quick action guys!
Beyond the tracert testing which shows it is fixed, I went to the further step of playing with a laptop with vzaccess until is managed to get an IP ending in .235
That client is still able to correctly connect to the servers - so everything is working.
« Last Edit: October 15, 2009, 12:34:45 pm by althornin »

Offline wdavid

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: Routing problem on Multi WAN configuration
« Reply #7 on: October 19, 2009, 07:51:13 am »
I'm running with version 1.2.3-RC3 built on Sat Oct 17 21:42:17 UTC 2009 and everything seems fine now. Thank you quys for the fast answers and fix.

David.