Topic: Static Routes Going Beyond Intended Scope  (Read 6812 times)
« on: March 07, 2009, 18:35:20 »
knightmb ****
Posts: 341

Using m0n0wall version 1.235
3Com 3C905-TX Cards (all of them)

I noticed that when I create a new static route, the route seems to step over the scope as I understand it in the interface.

For example, I have a m0n0wall system with three internal networks (We'll call them LAN1, LAN2, LAN3)
m0n0wall LAN = 192.168.0.1, 192.168.5.1
Lan1 = 192.168.0.0/24
Lan2 = 192.168.5.0/24
Lan2 = 192.168.35.0/24

Now, they both go through the same WAN without any issues. But on the same network, I've set up another gateway (through a separate ISP that will use the IP address 192.168.35.254 in this example) and if I add this gateway to either PC on either of those internal networks, they will use the other gateway without any issues.

But rather than adding additional gateways to all the PCs, I want the 192.168.5.0/24 network to go out the other gateway (192.168.35.254) for Internet access. I can achieve this automatically on the fly if I go into m0n0wall and create a new static route like so.

Interface: LAN2
Network: 0.0.0.0/1
Gateway: 192.168.35.254

Save and Apply, magically, all computers on the LAN2 now route all their Internet activity through the second gateway as planned (well half of it anyway, I would need a second route to cover the other half of the Internet).

The weird thing is, now LAN1 is doing the same thing. As I understand the rule, it should only be applying to LAN2, but it appears it applies to both LAN1 and LAN2? LAN1 is now routing all its Internet activity through the second gateway instead of the m0n0wall default gateway.

If anyone has some explanation, it would be greatly appreciated. Am I dealing with a bug in m0n0wall or am I not understanding how m0n0wall handles static routes? I thought when it asks for the Interface that it applies to (LAN1, LAN2, LAN3, WAN) then it's asking only the interface that particular rule applies to and not to every interface (which would cause a mess right?).

I check the routing tables in the status.php and the route is there, though it looks like it's formatted to apply to all interfaces instead of just the single one I picked?

Any info would be greatly appreciated.
« Last Edit: March 07, 2009, 18:36:59 by knightmb »

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #1 on: July 20, 2009, 20:27:28 »
Manuel Kasper
Administrator
*****
Posts: 364

It's been a while, but just to settle this issue in case somebody else stumbles upon it in the future...

m0n0wall's static routes are simple destination routes; the source IP address is not considered. It wouldn't even be possible in FreeBSD 6.x since there's only one routing table (system-wide). Well yes, one can do nasty tricks with ipfw fwd, but that's out of scope.

The only reason why the interface needs to be specified at all when adding a static route is so that m0n0wall can set up the implicit anti-spoofing firewall rules properly (a kind of reverse path filtering).
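
The behaviour described in this reply, as an added example that is not part of the original post and is not m0n0wall code: a toy single routing table with longest-prefix match on the destination only, plus a simplified reverse-path check that is the only place the route's interface matters. The WAN default gateway `203.0.113.1`, the sample hosts and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed model of one system-wide routing table (not m0n0wall code).
# Entries: (destination prefix, gateway or None if directly connected, interface).
# The WAN default gateway 203.0.113.1 is a placeholder; the rest is from the thread.
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1",    "WAN"),
    ("0.0.0.0/1",      "192.168.35.254", "LAN2"),  # the static route from the post
    ("192.168.0.0/24", None,             "LAN1"),
    ("192.168.5.0/24", None,             "LAN2"),
]
TABLE = [(ipaddress.ip_network(n), gw, ifc) for n, gw, ifc in ROUTES]


def best_route(addr):
    """Longest-prefix match on one address; returns (network, gateway, interface)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in TABLE if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def next_hop(src, dst):
    """Forwarding decision. src is accepted but never consulted:
    with a single table, only the destination selects the route."""
    return best_route(dst)[1]


def antispoof_accepts(src, in_iface):
    """Simplified reverse-path check: a packet is accepted on in_iface
    only if the route back to its source address uses that interface."""
    return best_route(src)[2] == in_iface


if __name__ == "__main__":
    # Constructed sample hosts: one on LAN1, one on LAN2.
    for src in ("192.168.0.10", "192.168.5.10"):
        # 10.20.30.40 lies inside 0.0.0.0/1, 198.51.100.7 lies outside it.
        for dst in ("10.20.30.40", "198.51.100.7"):
            print(f"{src} -> {dst}: via {next_hop(src, dst)}")
    print("LAN1 host seen on LAN1:", antispoof_accepts("192.168.0.10", "LAN1"))
    print("LAN1 host seen on LAN2:", antispoof_accepts("192.168.0.10", "LAN2"))
```

Both sample hosts get the same next hop for a given destination, which matches what the original poster observed on LAN1; the interface only changes the outcome of the anti-spoofing check.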
 