On Tue, Aug 18, 2009 at 6:44 PM, Ian Levesque <i...@crystal.harvard.edu> wrote:
> Hello,
>
> I've got a WAN rule that allows traffic from a specific subnet in our
> university's private network direct access to our LAN. We're basically
> bridging two LANs across a WAN interface. The generated rule looks like
> this, where 1.2.3.4 is our default gateway:
>
> pass in log quick on $wan reply-to (em2 1.2.3.4) proto { tcp udp } from { 10.11.143.0/24 } to { 10.0.8.0/23 } keep state label "USER_RULE: Outside LAN"
>
> The problem we have is that we're using a static route to access the gateway
> to this "outside LAN", let's say that's "1.2.3.5". What we need is for
> traffic that comes in from 1.2.3.5 for our LAN to go back out to 1.2.3.5,
> not to the default route. We do have the static route defined:
>
> default            1.2.3.4      UGS         0  5766491    em2
> <snip>
> 10.11.143.0/24     1.2.3.5      UGS         0      384    em2
>
> From the rule editing page, it appears that a gateway can be defined, but
> I'm only given the option of using "default" or my default route (1.2.3.4).
> The description below says "Leave as 'default' to use the system routing
> table", but with the way the rules are generated by pfSense, all of our WAN
> traffic is sent back out the default gateway instead of the more precise
> match.
>
> I understand that the solution to this is to change the above generated rule
> to use "reply-to (em2 1.2.3.5)" or to omit the reply-to altogether. Is there
> any way to accommodate this rather obscure use-case in pfSense? Can we add
> additional routes to the "Gateway" drop-down?
>

What you're seeing is this:
http://redmine.pfsense.org/issues/show/14

Gateway is for route-to, there is no way to specify reply-to, as
that's handled automatically. 1.2.3 does have a checkbox under System
-> Advanced to disable adding reply-to entirely, which is a solution
as long as you aren't using multi-WAN (you can just comment out the
reply-to line in /etc/inc/filter.inc too). We don't have a solution
for multi-WAN cases combined with WAN static routes to something other
than your gateway on that interface at this time. Either the static
route won't work for traffic initiated from that router, or you
disable reply-to and break reply routing for multi-WAN.
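To make the trade-off above concrete, here is an added illustration (my own sketch, not pfSense's filter.inc logic) of what a reply-to generator would have to do to satisfy this case without giving up multi-WAN: keep reply-to pinned to the interface the packet arrived on, but pick the gateway by longest-prefix match among the static routes that leave via that same interface, falling back to the interface gateway otherwise. The routing table is constructed from the netstat lines in the question; em3 with gateway 203.0.113.1 is a hypothetical second WAN added to show that the em2 static route must not leak onto another interface.

```python
"""Choose the reply-to gateway for a pfSense-style WAN pass rule from the
routing table rather than always pinning the interface's default gateway.

Added illustration for the thread above, not pfSense's own filter.inc
logic. The routes, interface names (em2, and a hypothetical second WAN em3
with gateway 203.0.113.1) and networks are constructed from the question.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    dest: ipaddress.IPv4Network  # destination prefix ('default' = 0.0.0.0/0)
    gateway: str                 # next hop
    iface: str                   # egress interface


# Constructed from the netstat lines quoted in the question.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "1.2.3.4", "em2"),
    Route(ipaddress.ip_network("10.11.143.0/24"), "1.2.3.5", "em2"),
]


def reply_to_gateway(routes: List[Route], wan_if: str, wan_gw: str, src: str) -> str:
    """Gateway for the reply-to clause of a 'pass in' rule on wan_if.

    reply-to stays on the arrival interface (that is what multi-WAN relies
    on), but if a more specific static route back to the rule's source
    network also leaves via that interface, its next hop is used instead of
    the interface's default gateway. Longest prefix wins, as in the kernel
    forwarding table.
    """
    src_net = ipaddress.ip_network(src, strict=False)
    best = None
    for r in routes:
        if r.iface == wan_if and src_net.subnet_of(r.dest):
            if best is None or r.dest.prefixlen > best.dest.prefixlen:
                best = r
    # No route, or only the default route, on this interface: fall back to
    # the gateway pfSense would have written anyway.
    if best is None or best.dest.prefixlen == 0:
        return wan_gw
    return best.gateway


def build_rule(routes: List[Route], wan_if: str, wan_gw: str, src: str,
               dst: str, label: str, disable_reply_to: bool = False,
               macro: str = "$wan") -> str:
    """Emit the pf rule. disable_reply_to mirrors the System -> Advanced
    checkbox mentioned in the reply: replies then follow the routing table,
    which is fine for a single WAN but breaks multi-WAN reply routing."""
    parts = [f"pass in log quick on {macro}"]
    if not disable_reply_to:
        gw = reply_to_gateway(routes, wan_if, wan_gw, src)
        parts.append(f"reply-to ({wan_if} {gw})")
    parts.append(f"proto {{ tcp udp }} from {{ {src} }} to {{ {dst} }} keep state")
    parts.append(f'label "{label}"')
    return " ".join(parts)


if __name__ == "__main__":
    # The poster's case: the /24 route wins, so replies go back to 1.2.3.5.
    print(build_rule(ROUTES, "em2", "1.2.3.4", "10.11.143.0/24", "10.0.8.0/23",
                     "USER_RULE: Outside LAN"))
    # Hypothetical second WAN: the em2 static route must not leak onto em3.
    print(build_rule(ROUTES, "em3", "203.0.113.1", "10.11.143.0/24", "10.0.8.0/23",
                     "USER_RULE: Outside LAN via WAN2", macro="$wan2"))
```

Run stand-alone it prints the corrected em2 rule with reply-to (em2 1.2.3.5), and for the hypothetical em3 rule it keeps reply-to (em3 203.0.113.1), since the 10.11.143.0/24 route points out em2 and must not be applied to traffic that arrived on em3.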
