Discussion:
[pfSense] routing between subnets at same Interface - configuration not working on 2.4.1
Fabian Bosch
2018-01-30 08:57:19 UTC
Hello,

I cannot switch from Version 2.3.3 to 2.4.1 because of the routing at
the same interface.
I transferred the backup.xml from machine A (2.3.3) to machine B (2.4.1)
and everything worked fine except the routing between subnets assigned at
the LAN interface.
There are multiple subnets set up via VirtualIPs and there are static
routes to each of the subnets via the native LAN gateway address, e.g.
route 192.168.110.0/24 via GW_LAN (192.168.100.1) and assigned VirtualIP,
in this case 192.168.110.1.
Since this configuration runs well on 2.3.3 I wanted to ask whether
there are major changes in default handling of traffic at the same
interface. In 2.3.3 you don't need firewall rules to allow traffic
between subnets at the same interface - did this change in 2.4.1?

Thanks!

Fabian
Jason Hellenthal
2018-01-30 15:37:52 UTC
Have you tried 2.4.2?
--
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
PiBa
2018-01-30 18:29:56 UTC
Hi Fabian,

Have you set:
System/Advanced/Firewall & NAT: "Static route filtering, Bypass firewall
rules for traffic on the same interface"?

As for your 'static routes', I'm not sure what purpose they serve.
Routing between subnets known on a pfSense interface is 'automatic'.

Regards,
PiBa-NL
Fabian Bosch
2018-01-31 08:12:10 UTC
Hi,

Yes, I checked the Bypass firewall checkbox.
There it says:
"This option only applies if one or more static routes have been
defined. If it is enabled, traffic that enters and leaves through the
same interface will not be checked by the firewall. This may be
desirable in some situations where multiple subnets are connected to the
same interface."

Because of that I set up my static routes for this interface.
Meanwhile I updated to v2.4.2_1 - I have to test it again.

Are there any other ideas of possible differences in automatic routing
between v2.3.x and v2.4.x, since there is also a change of the underlying
FreeBSD version?

cheers!

Fabian
--
Fabian Bosch, Solutions Engineer

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax: +49 7071 407109-9

email: ***@daasi.de
web: www.daasi.de

Registered office: Tübingen
Commercial register: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
Fabian Bosch
2018-05-14 07:02:30 UTC
Hi,

I spent hours on this to get it running under version 2.4.3.
It's still the case that I get some kind of routing loop at the LAN
interface if I want to route between subnets, which leads to lost
ping echo requests or the inability to interconnect between subnets.

Even though the ARP table is showing the proper mappings for the virtual
IPs of the LAN interface, the packets get lost.

I can no longer tell whether the problem resides in the
configuration or it is simply a hardware issue.
I need help from you guys, so I attached the minimized configuration
backup file and I am thankful to everyone who takes a look at it and
tests it out.
The password is reset to the default 'pfsense' and the WAN gateways and
WAN interfaces should/could be reconfigured.

cheers

Fabian
Fabian Bosch
2018-05-14 08:39:43 UTC
Hi - attachments are not working, so here is the XML in plaintext:

<?xml version="1.0"?>
<pfsense>
    <version>17.9</version>
    <lastchange></lastchange>
    <system>
        <optimization>normal</optimization>
        <hostname>pfSenseOne</hostname>
        <domain>xy.zz</domain>
        <group>
            <name>all</name>
            <description><![CDATA[All Users]]></description>
            <scope>system</scope>
            <gid>1998</gid>
        </group>
        <group>
            <name>admins</name>
            <description><![CDATA[System Administrators]]></description>
            <scope>system</scope>
            <gid>1999</gid>
            <member>0</member>
            <priv>page-all</priv>
        </group>
        <user>
            <name>admin</name>
            <descr><![CDATA[System Administrator]]></descr>
            <scope>system</scope>
            <groupname>admins</groupname>
            <bcrypt-hash>$2b$10$C8yZ8UYAa1OHML2Ij/yBZeU4vOD1TLJe5LVsDniaqmNS.VpRghPUe</bcrypt-hash>
            <uid>0</uid>
            <priv>user-shell-access</priv>
            <expires></expires>
            <dashboardcolumns>2</dashboardcolumns>
            <authorizedkeys></authorizedkeys>
            <ipsecpsk></ipsecpsk>
            <webguicss>pfSense.css</webguicss>
        </user>
        <nextuid>2000</nextuid>
        <nextgid>2000</nextgid>
        <timeservers>0.pfsense.pool.ntp.org</timeservers>
        <webgui>
            <protocol>https</protocol>
            <loginautocomplete></loginautocomplete>
            <ssl-certref>5af55220d03bc</ssl-certref>
            <port></port>
            <max_procs>2</max_procs>
            <dashboardcolumns>2</dashboardcolumns>
            <webguicss>pfSense.css</webguicss>
            <logincss>1e3f75;</logincss>
        </webgui>
        <disablesegmentationoffloading></disablesegmentationoffloading>
        <disablelargereceiveoffloading></disablelargereceiveoffloading>
        <powerd_ac_mode>hadp</powerd_ac_mode>
        <powerd_battery_mode>hadp</powerd_battery_mode>
        <powerd_normal_mode>hadp</powerd_normal_mode>
        <bogons>
            <interval>weekly</interval>
        </bogons>
        <timezone>Europe/Amsterdam</timezone>
        <serialspeed>115200</serialspeed>
        <primaryconsole>serial</primaryconsole>
        <enablesshd>enabled</enablesshd>
        <maximumstates></maximumstates>
        <aliasesresolveinterval></aliasesresolveinterval>
        <maximumtableentries>5000000</maximumtableentries>
        <maximumfrags></maximumfrags>
        <reflectiontimeout></reflectiontimeout>
        <language>en_US</language>
        <enablenatreflectionpurenat>yes</enablenatreflectionpurenat>
        <enablebinatreflection>yes</enablebinatreflection>
        <enablenatreflectionhelper>yes</enablenatreflectionhelper>
        <dnsserver>1.1.1.1</dnsserver>
    </system>
    <interfaces>
        <wan>
            <enable></enable>
            <if>em0</if>
            <blockpriv></blockpriv>
            <blockbogons></blockbogons>
            <descr><![CDATA[WAN]]></descr>
            <spoofmac></spoofmac>
            <ipaddr>1.1.1.254</ipaddr>
            <subnet>28</subnet>
            <ipaddrv6>dhcp6</ipaddrv6>
            <dhcp6-duid></dhcp6-duid>
            <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
            <dhcp6cvpt>bk</dhcp6cvpt>
            <adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
        </wan>
        <lan>
            <enable></enable>
            <if>em1</if>
            <descr><![CDATA[LAN]]></descr>
            <spoofmac></spoofmac>
            <ipaddr>192.168.100.1</ipaddr>
            <subnet>24</subnet>
        </lan>
        <opt1>
            <if>em2</if>
            <descr><![CDATA[WAN2]]></descr>
            <spoofmac></spoofmac>
            <enable></enable>
            <blockpriv></blockpriv>
            <ipaddr>1.1.2.250</ipaddr>
            <subnet>28</subnet>
        </opt1>
        <opt2>
            <if>em3</if>
            <descr><![CDATA[PublicWIFI]]></descr>
            <ipaddr>192.168.99.1</ipaddr>
            <subnet>32</subnet>
            <gateway>PublicWiFi_GW</gateway>
            <spoofmac></spoofmac>
        </opt2>
    </interfaces>
    <staticroutes>
        <route>
            <network>192.168.111.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Test-Netzwerk (ANU)]]></descr>
        </route>
        <route>
            <network>192.168.210.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Aditi Adressraum]]></descr>
        </route>
        <route>
            <network>192.168.114.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Anu Projektnetzwerk]]></descr>
        </route>
        <route>
            <network>192.168.110.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Anu Projektmaschinen]]></descr>
        </route>
    </staticroutes>
    <dhcpd>
        <lan>
            <enable></enable>
            <range>
                <from>192.168.100.200</from>
                <to>192.168.100.254</to>
            </range>
        </lan>
    </dhcpd>
    <dhcpdv6>
        <lan>
            <range>
                <from>::1000</from>
                <to>::2000</to>
            </range>
            <ramode>assist</ramode>
            <rapriority>medium</rapriority>
        </lan>
    </dhcpdv6>
    <snmpd>
        <syslocation></syslocation>
        <syscontact></syscontact>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat></ipv6nat>
    </diag>
    <syslog>
        <filterdescriptions>1</filterdescriptions>
        <filter_settings>
            <cronorder>reverse</cronorder>
        </filter_settings>
    </syslog>
    <nat>
        <outbound>
            <mode>automatic</mode>
        </outbound>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <ipprotocol>inet</ipprotocol>
            <descr><![CDATA[Default allow LAN to any rule]]></descr>
            <interface>lan</interface>
            <tracker>0100000101</tracker>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any></any>
            </destination>
        </rule>
        <rule>
            <type>pass</type>
            <ipprotocol>inet6</ipprotocol>
            <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
            <interface>lan</interface>
            <tracker>0100000102</tracker>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any></any>
            </destination>
        </rule>
        <rule>
            <id></id>
            <tracker>1526032752</tracker>
            <type>pass</type>
            <interface>lan</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <protocol>icmp</protocol>
            <icmptype>any</icmptype>
            <source>
                <any></any>
            </source>
            <destination>
                <any></any>
            </destination>
            <log></log>
            <descr><![CDATA[Ping Everywhere]]></descr>
            <created>
                <time>1526032752</time>
                <username>***@192.168.100.200</username>
            </created>
            <updated>
                <time>1526032899</time>
                <username>***@192.168.100.200</username>
            </updated>
        </rule>
        <rule>
            <id></id>
            <tracker>1526031689</tracker>
            <type>pass</type>
            <interface>opt1</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <protocol>udp</protocol>
            <source>
                <any></any>
            </source>
            <destination>
                <network>opt1ip</network>
                <port>1194</port>
            </destination>
            <descr><![CDATA[OpenVPN incoming]]></descr>
            <updated>
                <time>1526031689</time>
                <username>***@192.168.100.200</username>
            </updated>
            <created>
                <time>1526031689</time>
                <username>***@192.168.100.200</username>
            </created>
        </rule>
        <bypassstaticroutes>yes</bypassstaticroutes>
        <separator>
            <opt1></opt1>
        </separator>
    </filter>
    <shaper></shaper>
    <ipsec></ipsec>
    <aliases></aliases>
    <proxyarp></proxyarp>
    <cron>
        <item>
            <minute>1,31</minute>
            <hour>0-5</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 adjkerntz -a</command>
        </item>
        <item>
            <minute>1</minute>
            <hour>3</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>0</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
        </item>
        <item>
            <minute>*/60</minute>
            <hour>*</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
        </item>
        <item>
            <minute>*/60</minute>
            <hour>*</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout</command>
        </item>
        <item>
            <minute>1</minute>
            <hour>1</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
        </item>
        <item>
            <minute>*/60</minute>
            <hour>*</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
        </item>
        <item>
            <minute>30</minute>
            <hour>12</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.update_urltables</command>
        </item>
        <item>
            <minute>1</minute>
            <hour>0</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.update_pkg_metadata</command>
        </item>
    </cron>
    <wol></wol>
    <rrd>
        <enable></enable>
        <category>left=system-processor&amp;right=&amp;resolution=300&amp;timePeriod=-1d&amp;startDate=&amp;endDate=&amp;startTime=0&amp;endTime=0&amp;graphtype=line&amp;invert=true&amp;refresh-interval=0</category>
    </rrd>
    <load_balancer>
        <monitor_type>
            <name>ICMP</name>
            <type>icmp</type>
            <descr><![CDATA[ICMP]]></descr>
            <options></options>
        </monitor_type>
        <monitor_type>
            <name>TCP</name>
            <type>tcp</type>
            <descr><![CDATA[Generic TCP]]></descr>
            <options></options>
        </monitor_type>
        <monitor_type>
            <name>HTTP</name>
            <type>http</type>
            <descr><![CDATA[Generic HTTP]]></descr>
            <options>
                <path>/</path>
                <host></host>
                <code>200</code>
            </options>
        </monitor_type>
        <monitor_type>
            <name>HTTPS</name>
            <type>https</type>
            <descr><![CDATA[Generic HTTPS]]></descr>
            <options>
                <path>/</path>
                <host></host>
                <code>200</code>
            </options>
        </monitor_type>
        <monitor_type>
            <name>SMTP</name>
            <type>send</type>
            <descr><![CDATA[Generic SMTP]]></descr>
            <options>
                <send></send>
                <expect>220 *</expect>
            </options>
        </monitor_type>
    </load_balancer>
    <widgets>
        <sequence>system_information:col1:open:0,interfaces:col2:open:0,gateways:col2:open:0,traffic_graphs:col2:open:0</sequence>
        <period>10</period>
    </widgets>
    <openvpn></openvpn>
    <dnshaper></dnshaper>
    <unbound>
        <enable></enable>
        <dnssec></dnssec>
        <active_interface>all</active_interface>
        <outgoing_interface>wan,opt1</outgoing_interface>
        <custom_options></custom_options>
        <hideidentity></hideidentity>
        <hideversion></hideversion>
        <dnssecstripped></dnssecstripped>
        <port></port>
        <system_domain_local_zone_type>transparent</system_domain_local_zone_type>
    </unbound>
    <cert>
        <refid>5af55220d03bc</refid>
        <descr><![CDATA[webConfigurator default (5af55220d03bc)]]></descr>
        <type>server</type>
        <crt><!-- certificate data not included in the posted message --></crt>
        <prv><!-- private key data not included in the posted message --></prv>
    </cert>
    <revision>
        <time>1526279936</time>
        <description><![CDATA[***@192.168.100.200: /system_usermanager.php made unknown change]]></description>
        <username>***@192.168.100.200</username>
    </revision>
    <ntpd></ntpd>
    <dhcrelay></dhcrelay>
    <dhcrelay6></dhcrelay6>
    <wizardtemp>
        <system>
            <hostname>pfSenseOne</hostname>
            <domain>xy.zz</domain>
        </system>
        <wangateway>1.1.1.250</wangateway>
    </wizardtemp>
    <ppps></ppps>
    <gateways>
        <gateway_item>
            <interface>opt2</interface>
            <gateway>192.168.99.1</gateway>
            <name>PublicWiFi_GW</name>
            <weight></weight>
            <ipprotocol></ipprotocol>
            <descr><![CDATA[Public WiFi Gateway]]></descr>
        </gateway_item>
        <gateway_item>
            <interface>lan</interface>
            <gateway>192.168.100.1</gateway>
            <name>GW_LAN</name>
            <weight>1</weight>
            <ipprotocol>inet</ipprotocol>
            <descr><![CDATA[LAN Gateway]]></descr>
            <monitor>192.168.100.1</monitor>
        </gateway_item>
    </gateways>
    <notifications>
        <growl>
            <ipaddress></ipaddress>
            <password></password>
            <name>pfSense-Growl</name>
            <notification_name>pfSense growl alert</notification_name>
            <disable></disable>
        </growl>
        <smtp>
            <ipaddress></ipaddress>
            <port>587</port>
            <ssl></ssl>
            <timeout></timeout>
            <notifyemailaddress></notifyemailaddress>
            <username>pfsense</username>
            <authentication_mechanism>PLAIN</authentication_mechanism>
            <fromaddress></fromaddress>
            <password></password>
        </smtp>
    </notifications>
    <virtualip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af55ff0656d2</uniqid>
            <descr><![CDATA[Anu Projektmaschinen]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.110.1</subnet>
        </vip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af5666f562a0</uniqid>
            <descr><![CDATA[Aditi Adressraum]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.210.1</subnet>
        </vip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af5668fc803f</uniqid>
            <descr><![CDATA[Anu Projektnetzwerk]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.114.1</subnet>
        </vip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af5680307a0e</uniqid>
            <descr><![CDATA[Test-Netzwerk]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.111.1</subnet>
        </vip>
    </virtualip>
</pfsense>

thank you!

Fabian
PiBa
2018-05-14 22:40:20 UTC
Hi Fabian,

Why do you have those routes all pointing to the local LAN IP?
Also the opt2 interface using a gateway pointing to the opt2 IP doesn't
make sense to me.
For the Virtual IPs for each subnet, they are all 'local' networks and
should not need any routes to be explicitly defined either, even though
that might be implied by the 'do not filter same interface
static-routes' firewall setting description (that should stay enabled
though).

I think (most of) those routing / gateway related settings might cause
more harm than good. I would opt to remove them and see if
things improve.

Regards,
PiBa-NL
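As an added example that is not part of the thread or of pfSense, the check below reads a config.xml in the posted layout and reports the three things PiBa points at: a gateway entry whose next hop is one of the firewall's own addresses, an interface whose upstream gateway is its own address, and static routes to networks that are already directly connected through an interface address or an IP alias VIP. SAMPLE_CONFIG is a constructed, cut-down copy of the posted configuration; the finding texts and the 10.50.0.0/16 route that exercises the loop case are assumptions of this example.

```python
"""Audit a pfSense config.xml for the self-referencing routing discussed in
this thread (added example, not part of the thread or of pfSense itself)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the configuration posted in the thread.
# Only the element names used below follow the real config.xml layout.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.100.1</ipaddr><subnet>24</subnet></lan>
    <opt2><if>em3</if><ipaddr>192.168.99.1</ipaddr><subnet>32</subnet>
          <gateway>PublicWiFi_GW</gateway></opt2>
  </interfaces>
  <virtualip>
    <vip><mode>ipalias</mode><interface>lan</interface>
         <subnet>192.168.110.1</subnet><subnet_bits>24</subnet_bits></vip>
    <vip><mode>ipalias</mode><interface>lan</interface>
         <subnet>192.168.210.1</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
  <gateways>
    <gateway_item><interface>lan</interface><gateway>192.168.100.1</gateway>
                  <name>GW_LAN</name></gateway_item>
    <gateway_item><interface>opt2</interface><gateway>192.168.99.1</gateway>
                  <name>PublicWiFi_GW</name></gateway_item>
  </gateways>
  <staticroutes>
    <route><network>192.168.110.0/24</network><gateway>GW_LAN</gateway></route>
    <route><network>192.168.210.0/24</network><gateway>GW_LAN</gateway></route>
    <route><network>10.50.0.0/16</network><gateway>GW_LAN</gateway></route>
  </staticroutes>
  <filter><bypassstaticroutes>yes</bypassstaticroutes></filter>
</pfsense>
"""


def local_networks(root):
    """Map interface name -> ip_interface objects the firewall owns on it:
    the interface's static address plus every IP alias VIP bound to it."""
    nets = {}
    for iface in root.find("interfaces"):
        try:
            addr = ipaddress.ip_interface(
                f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}")
        except ValueError:  # dhcp/pppoe/empty: no static address to check
            continue
        nets.setdefault(iface.tag, []).append(addr)
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") == "ipalias":
            nets.setdefault(vip.findtext("interface"), []).append(
                ipaddress.ip_interface(
                    f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"))
    return nets


def audit(xml_text):
    """Return a list of finding strings for the config; [] means clean."""
    root = ET.fromstring(xml_text)
    nets = local_networks(root)
    own_ips = {a.ip: name for name, addrs in nets.items() for a in addrs}

    def owner_of(hop):
        """Interface name if hop is one of the firewall's own IPs, else None."""
        try:
            return own_ips.get(ipaddress.ip_address(hop))
        except ValueError:  # 'dynamic', empty or missing gateway address
            return None

    findings, gateways = [], {}
    # 1. Gateways whose next hop is the firewall itself: traffic handed to
    #    them is delivered straight back to the local stack.
    for gw in root.findall("gateways/gateway_item"):
        name, hop = gw.findtext("name"), gw.findtext("gateway")
        gateways[name] = hop
        if owner_of(hop):
            findings.append(f"gateway {name}: next hop {hop} is the firewall's "
                            f"own address on {owner_of(hop)}")
    # 2. An interface whose upstream gateway is its own address.
    for iface in root.find("interfaces"):
        gw_name = iface.findtext("gateway")
        if gw_name and gateways.get(gw_name) == iface.findtext("ipaddr"):
            findings.append(f"interface {iface.tag}: gateway {gw_name} is the "
                            f"interface's own address")
    # 3. Static routes: redundant when the destination is already directly
    #    connected, a loop when the next hop is the firewall itself.
    routes = root.findall("staticroutes/route")
    for route in routes:
        dest = ipaddress.ip_network(route.findtext("network"), strict=False)
        gw_name = route.findtext("gateway")
        connected = [n for n, addrs in nets.items()
                     if any(dest.overlaps(a.network) for a in addrs)]
        if connected:
            findings.append(f"route {dest} via {gw_name}: redundant, directly "
                            f"connected on {', '.join(connected)}")
        elif owner_of(gateways.get(gw_name)):
            findings.append(f"route {dest} via {gw_name}: loop, next hop is "
                            f"the firewall itself")
    # 4. The bypass option quoted in the thread only applies with static routes.
    if root.findtext("filter/bypassstaticroutes") and not routes:
        findings.append("bypassstaticroutes is set but no static routes exist; "
                        "it has no effect")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Running it against the sample prints six findings: both gateways and the opt2 interface point at the firewall's own addresses, the two VIP subnets are already directly connected, and the one non-local route is a loop.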
Post by Fabian Bosch
<?xml version="1.0"?>
<pfsense>
    <version>17.9</version>
    <lastchange></lastchange>
    <system>
        <optimization>normal</optimization>
        <hostname>pfSenseOne</hostname>
        <domain>xy.zz</domain>
        <group>
            <name>all</name>
            <description><![CDATA[All Users]]></description>
            <scope>system</scope>
            <gid>1998</gid>
        </group>
        <group>
            <name>admins</name>
            <description><![CDATA[System Administrators]]></description>
            <scope>system</scope>
            <gid>1999</gid>
            <member>0</member>
            <priv>page-all</priv>
        </group>
        <user>
            <name>admin</name>
            <descr><![CDATA[System Administrator]]></descr>
            <scope>system</scope>
            <groupname>admins</groupname>
<bcrypt-hash>$2b$10$C8yZ8UYAa1OHML2Ij/yBZeU4vOD1TLJe5LVsDniaqmNS.VpRghPUe</bcrypt-hash>
            <uid>0</uid>
            <priv>user-shell-access</priv>
            <expires></expires>
            <dashboardcolumns>2</dashboardcolumns>
            <authorizedkeys></authorizedkeys>
            <ipsecpsk></ipsecpsk>
            <webguicss>pfSense.css</webguicss>
        </user>
        <nextuid>2000</nextuid>
        <nextgid>2000</nextgid>
<timeservers>0.pfsense.pool.ntp.org</timeservers>
        <webgui>
            <protocol>https</protocol>
<loginautocomplete></loginautocomplete>
<ssl-certref>5af55220d03bc</ssl-certref>
            <port></port>
            <max_procs>2</max_procs>
            <dashboardcolumns>2</dashboardcolumns>
            <webguicss>pfSense.css</webguicss>
            <logincss>1e3f75;</logincss>
        </webgui>
<disablesegmentationoffloading></disablesegmentationoffloading>
<disablelargereceiveoffloading></disablelargereceiveoffloading>
        <powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
        <bogons>
            <interval>weekly</interval>
        </bogons>
        <timezone>Europe/Amsterdam</timezone>
        <serialspeed>115200</serialspeed>
        <primaryconsole>serial</primaryconsole>
        <enablesshd>enabled</enablesshd>
        <maximumstates></maximumstates>
<aliasesresolveinterval></aliasesresolveinterval>
<maximumtableentries>5000000</maximumtableentries>
        <maximumfrags></maximumfrags>
        <reflectiontimeout></reflectiontimeout>
        <language>en_US</language>
<enablenatreflectionpurenat>yes</enablenatreflectionpurenat>
<enablebinatreflection>yes</enablebinatreflection>
<enablenatreflectionhelper>yes</enablenatreflectionhelper>
        <dnsserver>1.1.1.1</dnsserver>
    </system>
    <interfaces>
        <wan>
            <enable></enable>
            <if>em0</if>
            <blockpriv></blockpriv>
            <blockbogons></blockbogons>
            <descr><![CDATA[WAN]]></descr>
            <spoofmac></spoofmac>
            <ipaddr>1.1.1.254</ipaddr>
            <subnet>28</subnet>
            <ipaddrv6>dhcp6</ipaddrv6>
            <dhcp6-duid></dhcp6-duid>
            <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
            <dhcp6cvpt>bk</dhcp6cvpt>
            <adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
        </wan>
        <lan>
            <enable></enable>
            <if>em1</if>
            <descr><![CDATA[LAN]]></descr>
            <spoofmac></spoofmac>
            <ipaddr>192.168.100.1</ipaddr>
            <subnet>24</subnet>
        </lan>
        <opt1>
            <if>em2</if>
            <descr><![CDATA[WAN2]]></descr>
            <spoofmac></spoofmac>
            <enable></enable>
            <blockpriv></blockpriv>
            <ipaddr>1.1.2.250</ipaddr>
            <subnet>28</subnet>
        </opt1>
        <opt2>
            <if>em3</if>
            <descr><![CDATA[PublicWIFI]]></descr>
            <ipaddr>192.168.99.1</ipaddr>
            <subnet>32</subnet>
            <gateway>PublicWiFi_GW</gateway>
            <spoofmac></spoofmac>
        </opt2>
    </interfaces>
    <staticroutes>
        <route>
            <network>192.168.111.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Test-Netzwerk (ANU)]]></descr>
        </route>
        <route>
            <network>192.168.210.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Aditi Adressraum]]></descr>
        </route>
        <route>
            <network>192.168.114.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Anu Projektnetzwerk]]></descr>
        </route>
        <route>
            <network>192.168.110.0/24</network>
            <gateway>GW_LAN</gateway>
            <descr><![CDATA[Anu Projektmaschinen]]></descr>
        </route>
    </staticroutes>
    <dhcpd>
        <lan>
            <enable></enable>
            <range>
                <from>192.168.100.200</from>
                <to>192.168.100.254</to>
            </range>
        </lan>
    </dhcpd>
    <dhcpdv6>
        <lan>
            <range>
                <from>::1000</from>
                <to>::2000</to>
            </range>
            <ramode>assist</ramode>
            <rapriority>medium</rapriority>
        </lan>
    </dhcpdv6>
    <snmpd>
        <syslocation></syslocation>
        <syscontact></syscontact>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat></ipv6nat>
    </diag>
    <syslog>
        <filterdescriptions>1</filterdescriptions>
        <filter_settings>
            <cronorder>reverse</cronorder>
        </filter_settings>
    </syslog>
    <nat>
        <outbound>
            <mode>automatic</mode>
        </outbound>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <ipprotocol>inet</ipprotocol>
            <descr><![CDATA[Default allow LAN to any rule]]></descr>
            <interface>lan</interface>
            <tracker>0100000101</tracker>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any></any>
            </destination>
        </rule>
        <rule>
            <type>pass</type>
            <ipprotocol>inet6</ipprotocol>
            <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
            <interface>lan</interface>
            <tracker>0100000102</tracker>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any></any>
            </destination>
        </rule>
        <rule>
            <id></id>
            <tracker>1526032752</tracker>
            <type>pass</type>
            <interface>lan</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <protocol>icmp</protocol>
            <icmptype>any</icmptype>
            <source>
                <any></any>
            </source>
            <destination>
                <any></any>
            </destination>
            <log></log>
            <descr><![CDATA[Ping Everywhere]]></descr>
            <created>
                <time>1526032752</time>
            </created>
            <updated>
                <time>1526032899</time>
            </updated>
        </rule>
        <rule>
            <id></id>
            <tracker>1526031689</tracker>
            <type>pass</type>
            <interface>opt1</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <protocol>udp</protocol>
            <source>
                <any></any>
            </source>
            <destination>
                <network>opt1ip</network>
                <port>1194</port>
            </destination>
            <descr><![CDATA[OpenVPN incoming]]></descr>
            <updated>
                <time>1526031689</time>
            </updated>
            <created>
                <time>1526031689</time>
            </created>
        </rule>
        <bypassstaticroutes>yes</bypassstaticroutes>
        <separator>
            <opt1></opt1>
        </separator>
    </filter>
    <shaper></shaper>
    <ipsec></ipsec>
    <aliases></aliases>
    <proxyarp></proxyarp>
    <cron>
        <item>
            <minute>1,31</minute>
            <hour>0-5</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 adjkerntz -a</command>
        </item>
        <item>
            <minute>1</minute>
            <hour>3</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>0</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
        </item>
        <item>
            <minute>*/60</minute>
            <hour>*</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
        </item>
        <item>
            <minute>*/60</minute>
            <hour>*</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout</command>
        </item>
        <item>
            <minute>1</minute>
            <hour>1</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
        </item>
        <item>
            <minute>*/60</minute>
            <hour>*</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
        </item>
        <item>
            <minute>30</minute>
            <hour>12</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.update_urltables</command>
        </item>
        <item>
            <minute>1</minute>
            <hour>0</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/bin/nice -n20 /etc/rc.update_pkg_metadata</command>
        </item>
    </cron>
    <wol></wol>
    <rrd>
        <enable></enable>
        <category>left=system-processor&amp;right=&amp;resolution=300&amp;timePeriod=-1d&amp;startDate=&amp;endDate=&amp;startTime=0&amp;endTime=0&amp;graphtype=line&amp;invert=true&amp;refresh-interval=0</category>
    </rrd>
    <load_balancer>
        <monitor_type>
            <name>ICMP</name>
            <type>icmp</type>
            <descr><![CDATA[ICMP]]></descr>
            <options></options>
        </monitor_type>
        <monitor_type>
            <name>TCP</name>
            <type>tcp</type>
            <descr><![CDATA[Generic TCP]]></descr>
            <options></options>
        </monitor_type>
        <monitor_type>
            <name>HTTP</name>
            <type>http</type>
            <descr><![CDATA[Generic HTTP]]></descr>
            <options>
                <path>/</path>
                <host></host>
                <code>200</code>
            </options>
        </monitor_type>
        <monitor_type>
            <name>HTTPS</name>
            <type>https</type>
            <descr><![CDATA[Generic HTTPS]]></descr>
            <options>
                <path>/</path>
                <host></host>
                <code>200</code>
            </options>
        </monitor_type>
        <monitor_type>
            <name>SMTP</name>
            <type>send</type>
            <descr><![CDATA[Generic SMTP]]></descr>
            <options>
                <send></send>
                <expect>220 *</expect>
            </options>
        </monitor_type>
    </load_balancer>
    <widgets>
        <sequence>system_information:col1:open:0,interfaces:col2:open:0,gateways:col2:open:0,traffic_graphs:col2:open:0</sequence>
        <period>10</period>
    </widgets>
    <openvpn></openvpn>
    <dnshaper></dnshaper>
    <unbound>
        <enable></enable>
        <dnssec></dnssec>
        <active_interface>all</active_interface>
        <outgoing_interface>wan,opt1</outgoing_interface>
        <custom_options></custom_options>
        <hideidentity></hideidentity>
        <hideversion></hideversion>
        <dnssecstripped></dnssecstripped>
        <port></port>
        <system_domain_local_zone_type>transparent</system_domain_local_zone_type>
    </unbound>
    <cert>
        <refid>5af55220d03bc</refid>
        <descr><![CDATA[webConfigurator default (5af55220d03bc)]]></descr>
        <type>server</type>
    </cert>
    <revision>
        <time>1526279936</time>
/system_usermanager.php made unknown change]]></description>
    </revision>
    <ntpd></ntpd>
    <dhcrelay></dhcrelay>
    <dhcrelay6></dhcrelay6>
    <wizardtemp>
        <system>
            <hostname>pfSenseOne</hostname>
            <domain>xy.zz</domain>
        </system>
        <wangateway>1.1.1.250</wangateway>
    </wizardtemp>
    <ppps></ppps>
    <gateways>
        <gateway_item>
            <interface>opt2</interface>
            <gateway>192.168.99.1</gateway>
            <name>PublicWiFi_GW</name>
            <weight></weight>
            <ipprotocol></ipprotocol>
            <descr><![CDATA[Public WiFi Gateway]]></descr>
        </gateway_item>
        <gateway_item>
            <interface>lan</interface>
            <gateway>192.168.100.1</gateway>
            <name>GW_LAN</name>
            <weight>1</weight>
            <ipprotocol>inet</ipprotocol>
            <descr><![CDATA[LAN Gateway]]></descr>
            <monitor>192.168.100.1</monitor>
        </gateway_item>
    </gateways>
    <notifications>
        <growl>
            <ipaddress></ipaddress>
            <password></password>
            <name>pfSense-Growl</name>
            <notification_name>pfSense growl alert</notification_name>
            <disable></disable>
        </growl>
        <smtp>
            <ipaddress></ipaddress>
            <port>587</port>
            <ssl></ssl>
            <timeout></timeout>
            <notifyemailaddress></notifyemailaddress>
            <username>pfsense</username>
            <authentication_mechanism>PLAIN</authentication_mechanism>
            <fromaddress></fromaddress>
            <password></password>
        </smtp>
    </notifications>
    <virtualip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af55ff0656d2</uniqid>
            <descr><![CDATA[Anu Projektmaschinen]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.110.1</subnet>
        </vip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af5666f562a0</uniqid>
            <descr><![CDATA[Aditi Adressraum]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.210.1</subnet>
        </vip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af5668fc803f</uniqid>
            <descr><![CDATA[Anu Projektnetzwerk]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.114.1</subnet>
        </vip>
        <vip>
            <mode>ipalias</mode>
            <interface>lan</interface>
            <uniqid>5af5680307a0e</uniqid>
            <descr><![CDATA[Test-Netzwerk]]></descr>
            <type>single</type>
            <subnet_bits>24</subnet_bits>
            <subnet>192.168.111.1</subnet>
        </vip>
    </virtualip>
</pfsense>
Thank you!
Fabian
Post by Fabian Bosch
Hi,
I spent hours in this to get this running under version 2.4.3.
It's still the case that I get some kind of routing loop at the LAN
interface if I want to route between subnets, which leads to lost
ping echo requests or the inability to interconnect between subnets.
Even though the ARP table shows the proper mappings for the virtual IPs
of the LAN interface, the packets get lost.
I can no longer tell whether the problem resides in the
configuration or is simply a hardware issue.
I need help from you guys, so I attached the minimized configuration
backup file and I am thankful to everyone who takes a look at it and
tests it out.
The password is reset to the default 'pfsense', and the WAN gateways and
WAN interfaces should/could be reconfigured.
cheers
Fabian
Post by Fabian Bosch
Hi,
Yes, I checked the Bypass firewall checkbox.
There it says
"This option only applies if one or more static routes have been
defined. If it is enabled, traffic that enters and leaves through
the same interface will not be checked by the firewall. This may be
desirable in some situations where multiple subnets are connected to
the same interface."
Because of that I set up my static routes for this Interface.
Meanwhile I updated to v2.4.2_1; I have to test it again.
Are there any other ideas about possible differences in automatic
routing between v2.3.x and v2.4.x, since there is also a change of the
underlying FreeBSD version?
cheers!
Fabian
Post by PiBa
Hi Fabian,
System/Advanced/Firewall & NAT: "Static route filtering, Bypass
firewall rules for traffic on the same interface"
As for your 'static routes', I'm not sure what purpose they serve.
Routing between subnets known on a pfSense interface is 'automatic'.
Regards,
PiBa-NL
Post by Fabian Bosch
Hello,
I cannot switch from Version 2.3.3 to 2.4.1 because of the routing
at the same interface.
I transferred the backup.xml from machine A (2.3.3) to machine B
(2.4.1) and everything worked fine except the routing between subnets
assigned to the LAN interface.
There are multiple subnets set up via VirtualIPs and there are
static routes to each of the subnets via the native LAN gateway
address, e.g. route 192.168.110.0/24 via GW_LAN (192.168.100.1) and
assigned VirtualIP, in this case 192.168.110.1.
Since this configuration runs well on 2.3.3 I wanted to ask
whether there are major changes in default handling of traffic at
the same interface. In 2.3.3 you don't need firewall-rules to
allow traffic between subnets at the same interface - did this
change in 2.4.1?
Thanks!
Fabian
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
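A check worth running against the attached backup before importing it, added here as an example and not code from the thread or from pfSense: it parses the relevant pieces of the config.xml and flags static routes whose gateway is one of the firewall's own addresses (GW_LAN above is the LAN address 192.168.100.1 itself) and routes to networks the box already reaches directly through an IP alias VIP, which are the two points PiBa's reply raises. The XML excerpt is a constructed copy of the posted config's relevant elements, and the finding codes are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt mirroring the relevant parts of the config.xml posted above:
# LAN address, one IP alias VIP per extra subnet, static routes via GW_LAN.
CONFIG_XML = """<pfsense>
  <interfaces><lan><if>em1</if><ipaddr>192.168.100.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <staticroutes>
    <route><network>192.168.110.0/24</network><gateway>GW_LAN</gateway></route>
    <route><network>192.168.111.0/24</network><gateway>GW_LAN</gateway></route>
  </staticroutes>
  <filter><bypassstaticroutes>yes</bypassstaticroutes></filter>
  <gateways><gateway_item><interface>lan</interface><gateway>192.168.100.1</gateway><name>GW_LAN</name></gateway_item></gateways>
  <virtualip>
    <vip><mode>ipalias</mode><interface>lan</interface><subnet>192.168.110.1</subnet><subnet_bits>24</subnet_bits></vip>
    <vip><mode>ipalias</mode><interface>lan</interface><subnet>192.168.111.1</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
</pfsense>"""


def own_interfaces(root):
    """IPv4 address/prefix pairs the firewall itself holds: interface addresses and IP alias VIPs."""
    held = []
    for iface in root.find("interfaces"):
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and bits and ip[0].isdigit():  # skip dhcp/pppoe/unset values
            held.append(ipaddress.ip_interface(f"{ip}/{bits}"))
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") == "ipalias":
            held.append(ipaddress.ip_interface(f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"))
    return held


def audit_static_routes(xml_text):
    """(network, code, detail) findings for static routes that point back at the firewall itself."""
    root = ET.fromstring(xml_text)
    held = own_interfaces(root)
    own_ips = {a.ip for a in held}
    connected = {a.network for a in held}
    gateways = {g.findtext("name"): g.findtext("gateway")
                for g in root.findall("gateways/gateway_item")}
    findings = []
    for route in root.findall("staticroutes/route"):
        net = ipaddress.ip_network(route.findtext("network"))
        gw_name = route.findtext("gateway")
        gw_ip = gateways.get(gw_name)
        if gw_ip and ipaddress.ip_address(gw_ip) in own_ips:
            findings.append((str(net), "gateway-is-self", f"{gw_name} ({gw_ip}) is the firewall's own address"))
        if net in connected:
            findings.append((str(net), "already-connected", "network is attached directly via an IP alias VIP"))
    if findings and root.findtext("filter/bypassstaticroutes") == "yes":
        findings.append(("*", "bypass-enabled", "bypassstaticroutes is set; per the GUI note it only applies when static routes exist"))
    return findings
```

Run against a full backup, the same two functions work unchanged because pfSense keeps these elements at the same paths under the root element.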