Wrong gateway ethernet address used with static routes.

tbyte · Dec 6, 2023

The kernel is 14.0-CURRENT FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023
I have a simple routing table on pfSense 2.7.1 (10.10.1.104) :

Code:

Destination        Gateway            Flags     Netif Expire
default            10.10.1.100        UGS      vtnet0
10.10.1.0/24       link#1             U        vtnet0
10.10.1.104        link#4             UHS         lo0
10.10.16.0/23      10.10.1.102        UGS      vtnet0

And this in the arp table:

Code:

? (10.10.1.100) at 0c:c4:7a:90:7e:c4 on vtnet0 expires in 906 seconds [ethernet]
? (10.10.1.102) at ac:1f:6b:68:09:22 on vtnet0 expires in 396 seconds [ethernet]

But when I ping 10.10.1.104 (the pfSense) from 10.10.16.250 this happens:

Code:

19:08:34.487285 ac:1f:6b:68:09:22 > a2:b9:d4:a0:34:08, ethertype IPv4 (0x0800), length 98: 10.10.16.250 > 10.10.1.104: ICMP echo request, id 60167, seq 0, length 64
19:08:34.487372 a2:b9:d4:a0:34:08 > 0c:c4:7a:90:7e:c4, ethertype IPv4 (0x0800), length 98: 10.10.1.104 > 10.10.16.250: ICMP echo reply, id 60167, seq 0, length 64
19:08:35.550616 ac:1f:6b:68:09:22 > a2:b9:d4:a0:34:08, ethertype IPv4 (0x0800), length 98: 10.10.16.250 > 10.10.1.104: ICMP echo request, id 60167, seq 1, length 64
19:08:35.550678 a2:b9:d4:a0:34:08 > 0c:c4:7a:90:7e:c4, ethertype IPv4 (0x0800), length 98: 10.10.1.104 > 10.10.16.250: ICMP echo reply, id 60167, seq 1, length 64

For some reason FreeBSD 14 sends the packet to the DEFAULT gateway's ethernet address (0c:c4:7a:90:7e:c4) and not to the actual gateway for 10.10.16.0/23 which is 10.10.1.102 (ac:1f:6b:68:09:22).
And this is the output of route get:

Code:

   route to: 10.10.16.250
destination: 10.10.16.0
       mask: 255.255.254.0
    gateway: 10.10.1.102
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

That is not supposed to happen and there are no other FIBs. Am I missing something?

SirDice · Dec 6, 2023

tbyte said:
The kernel is 14.0-CURRENT FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023

Old, 14.0-CURRENT doesn't exist anymore, since it got an actual 14.0-RELEASE. Besides that, -CURRENT certainly isn't a supported version. Upgrade to releng/14.0 or stable/14.
Topics about unsupported FreeBSD versions

tbyte said:
I have a simple routing table on pfSense 2.7.1 (10.10.1.104)

GhostBSD, pfSense, TrueNAS, and all other FreeBSD Derivatives

tbyte · Dec 6, 2023

SirDice said:
Old, 14.0-CURRENT doesn't exist anymore, since it got an actual 14.0-RELEASE. Besides that, -CURRENT certainly isn't a supported version. Upgrade to releng/14.0 or stable/14.
Topics about unsupported FreeBSD versions

GhostBSD, pfSense, TrueNAS, and all other FreeBSD Derivatives

Sure but it's a client uses pfSense and they for some reason decided to use -CURRENT and it's the latest version.
I'll test it on a releng/14 updated today and see what happens.

SirDice · Dec 6, 2023

tbyte said:
Sure but it's a client uses pfSense and they for some reason decided to use -CURRENT and it's the latest version.

pfSense is a completely separate project, they can use whichever version they want. They also have a whole bunch of local changes. That's one of the reasons why it's not supported here.

mer · Dec 6, 2023

is 10.10.16.250 on the pfsense box itself or outside the pfsense box?
It's unclear to me where you are originating the ping to 10.10.1.104 from.

tbyte · Dec 6, 2023

mer said:
is 10.10.16.250 on the pfsense box itself or outside the pfsense box?
It's unclear to me where you are originating the ping to 10.10.1.104 from.

Strange it pretty clear if you look at the routing table. 10.10.16.250 is a FreeBSD box behind another (10.10.1.102) router.

tbyte · Dec 6, 2023

SirDice said:
pfSense is a completely separate project, they can use whichever version they want. They also have a whole bunch of local changes. That's one of the reasons why it's not supported here.

I posted the question there too. Didn't know they have local kernel changes, thanks!

covacat · Dec 6, 2023

do you have pf route-to reply-to stuff ?

tbyte · Dec 6, 2023

covacat said:
do you have pf route-to reply-to stuff ?

Doesn't that just match packets?
There is this

Code:

pass out route-to (vtnet0 10.10.1.100) inet from 10.10.1.104 to ! 10.10.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000003711

covacat · Dec 6, 2023

well, i suck at pf but i know route-to and reply-to can override kernel's routing table

tbyte · Dec 6, 2023

covacat said:
well, i suck at pf but i know route-to and reply-to can override kernel's routing table

I suck at it too. I prefer IPFW

. I have to look more closely at that rule then.

tbyte · Dec 6, 2023

covacat said:
well, i suck at pf but i know route-to and reply-to can override kernel's routing table

Well, thank you! That was the problem and there is an option to stop pfSense from adding those reply-to!

Wrong gateway ethernet address used with static routes.

tbyte

SirDice

Administrator

tbyte

SirDice

Administrator

mer

tbyte

tbyte

covacat

tbyte

covacat

tbyte

tbyte