0001132: Static Routes defined in GUI dont work properly - MantisBT
MantisBT - Endian Firewall
View Issue Details
0001132 | Endian Firewall | Migration | public | 2008-07-16 15:44 | 2013-06-05 14:58
mablass 
 
normal | minor | have not tried
acknowledged | open
2.2-rc1 
 
0001132: Static Routes defined in GUI dont work properly
I defined some static routes in the GUI. Ping to the destination network worked correctly; SSH, for example, did not. After trying some things out with firewall settings I decided to put the routes directly into the system by using route add -net 1 ... on the EFW server. Now everything is fine. As the new 2.2 allows using a GUI but the result is not working, I guess it's a problem :)

No tags attached.
related to 0000877 | closed | peter-endian | Static route don´t work
Issue History
2008-07-16 15:44 | mablass | New Issue
2008-07-16 17:04 | mablass | Note Added: 0001451
2008-07-16 17:11 | peter-endian | Note Added: 0001452
2008-07-18 21:33 | mablass | Note Added: 0001463
2008-09-09 13:59 | peter-endian | Relationship added | related to 0000877
2009-02-24 16:21 | Brains | Note Added: 0001995
2009-06-12 14:44 | Telemak | Note Added: 0002611
2009-06-12 15:59 | luca-endian | Note Added: 0002612
2009-06-12 19:36 | Telemak | Note Added: 0002618
2009-06-22 15:44 | Telemak | Note Added: 0002652
2009-06-22 16:49 | peter-endian | Note Added: 0002653
2009-06-29 14:13 | luca-endian | Note Added: 0002692
2009-06-29 14:34 | Telemak | Note Added: 0002694
2009-06-30 12:38 | Telemak | Note Added: 0002702
2010-01-06 15:51 | n9yty | Note Added: 0003649
2010-01-07 15:19 | peter-endian | Status | new => feedback
2010-01-30 13:12 | sifi986 | Note Added: 0003726
2010-09-23 15:44 | peter-endian | Status | feedback => acknowledged
2010-11-23 02:07 | ytech | Note Added: 0005179
2011-09-14 06:18 | Sheldmandu | Note Added: 0007404
2012-03-02 18:11 | shairozan | Note Added: 0007740
2012-05-06 03:23 | cemendes | Note Added: 0007858
2013-06-05 14:58 | ltinti | Note Added: 0008433

Notes
(0001451)
mablass   
2008-07-16 17:04   
Update: the problem can only be solved by adding some additional NAT rule for the target network. Actually, I believe the topic is related to 0000444. Ping works with the GUI definition, but other services do not.
(0001452)
peter-endian   
2008-07-16 17:11   
Are you sure that you aren't missing the return route or default route on the other side?
Mentioning the NAT rules would make me think of that.
(0001463)
mablass   
2008-07-18 21:33   
When using a hardware box everything works fine. I just downgraded to Endian 2.1.2 and added static routes. Everything is OK, but 2.2 makes trouble.
(0001995)
Brains   
2009-02-24 16:21   
Confirmed - static routes added via the GUI are never passed down to the kernel.

Adding routes via the shell works as intended (ie. route add -net <network> gw <gateway>)
(0002611)
Telemak   
2009-06-12 14:44   
Confirmed for me too with 2.2 final
(0002612)
luca-endian   
2009-06-12 15:59   
Can you paste the output of these commands:
cat /var/efw/routing/config
ip rule show
(0002618)
Telemak   
2009-06-12 19:36   
In this configuration, the route doesn't work all the time, but only after running a traceroute on the PC.
But after adding it with the route add command, maybe it works better. I will have the result of this test on Monday.
(0002652)
Telemak   
2009-06-22 15:44   
It's all OK if I add the routes with these commands over SSH:

route add -host 80.74.67.37 gw 10.10.13.2
route add -net 81.1.62.224 netmask 255.255.255.224 gw 10.10.13.2
route add -net 136.9.0.0/16 gw 10.10.13.2

For helping...

Telemak
(0002653)
peter-endian   
2009-06-22 16:49   
you created routing entries which direct traffic *from* 10.10.13.00/24 to several networks to the gateway 10.10.13.2

For example this rule:
on,10.10.13.0/24,6x.xx.xx.0/24,10.10.13.2,,,,,,,,

means that *only* traffic from 10.10.13.0/24 to that external network goes through gateway 10.10.13.2. Maybe that is not what you want. Maybe you want to direct *all* traffic to that external IP through the gateway?

That's what you did with the route commands. Those route commands aren't exactly the same configuration as through the GUI. BTW, "route" is a deprecated interface and may be overruled by other ip rule entries.

Try to remove the source-part of your GUI rules, that should then be the same as you did with the route commands.
(0002692)
luca-endian   
2009-06-29 14:13   
can you gently paste the output of this command:

ip route show table 5

thank you
(0002694)
Telemak   
2009-06-29 14:34   
Putting a source or not? I will try, but if I have the choice, I prefer putting a source. (And all the PCs concerned are really in 10.10.13.0/24; the others may not use these routes.)

ip route show table 5 gives:
default via 10.10.13.2 dev br0
(0002702)
Telemak   
2009-06-30 12:38   
In the GUI, on the routing page, the source is shown as required. But as you say, we can leave it unfilled with no GUI error.
I've corrected the routes by removing the source and not putting them manually into the kernel routing. Then I obtain:

Command: route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.23.0 * 255.255.255.0 U 0 0 0 eth1
10.10.13.0 * 255.255.255.0 U 0 0 0 br0
default 10.10.23.200 0.0.0.0 UG 0 0 0 eth1

Command: ip route show table 5
Same as above

Command: ip route show
0: from all lookup local
5: from all to 10.10.13.200/24 lookup main
5: from all to 10.10.23.0/24 lookup main
10: from all to 62.23.96.0/24 lookup 5
10: from all to 80.74.67.37 lookup 5
10: from all to 81.1.62.224 lookup 5
10: from all to 136.9.0.0/16 lookup 5
10: from all to 192.28.103.0/24 lookup 5
10: from all to 193.56.211.51 lookup 5
10: from all to 193.56.211.53 lookup 5
10: from all to 193.56.211.81 lookup 5
10: from all to 194.51.14.0/16 lookup 5
10: from all to 194.206.181.240 lookup 5
10: from all to 194.206.181.252 lookup 5
10: from all to 195.46.218.22 lookup 5
10: from all to 212.234.59.105 lookup 5
10: from all to 212.234.59.239 lookup 5
10: from all to 66.225.239.127 lookup 5
10: from all to 212.234.229.40 lookup 5
10: from all to 10.10.10.0/24 lookup 5
10: from all to 10.10.11.0/24 lookup 5
10: from all to 10.10.12.0/24 lookup 5
10: from all to 10.10.14.0/24 lookup 5
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 10.10.23.100 lookup uplink-main
32766: from all lookup main
32767: from all lookup default

Tell me if you want something more.
(0003649)
n9yty   
2010-01-06 15:51   
Is this still under investigation? I am setting up a new endian v2.3 system and am seeing the exact same problem. Adding a route in the GUI does not allow it to work. Primarily I am trying to add a route to a network behind another router on the GREEN interface. Setting it up in the GUI without a source address does not update the kernel tables, and other output is identical to what is shown above in terms of ip route show table 5 and the efw/routing/config file. Yet doing a route command at the shell works as expected.
(0003726)
sifi986   
2010-01-30 13:12   
ip is the replacement command from the iputils package, and is used to alter routing tables in Endian. Routes can be placed in many tables; only table 254 (main) is operated on by the kernel routing table or displayed in the output of the route command.

Note that tables other than 254 are not displayed by the route command, i.e. table 5 is not shown, but it is acted on if the input to the GUI is in the correct format, and routing will be successful.

When Endian adds routes to networks behind Green in the EFW page Network/Routing/Static routing/Add new route, the new route is added to table 5 and can be seen, as above, with the command "ip route show table 5"; a more detailed display is available using "ip rule show" and "ip route show all". Note: table 5 is a rule.

A source address need not be specified (even though the field is marked with an asterisk: *This Field is required).

The destination network must be entered in CIDR notation, i.e. /24 for 255.255.255.0.

Route Via* Static Gateway is entered as an IP address in dotted decimal notation.

After entering the details of the network behind Green into the GUI, routing is fully functional on 2.3.

Maybe Endian could add a note to the page advising to use CIDR notation for addresses in the network dialogue boxes on this screen. (New documentation on the web has been updated to reflect this too, which is good. Click help in the top right hand corner.)
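
Added illustration, not part of the original thread or of Endian's code: a small model of the rule-then-table lookup discussed in notes 0002653 and 0003726, showing why a GUI route can be active in table 5 while the route command (table main only) does not list it. The rule and route lines are trimmed from note 0002702; the function names, the main table rewritten in "ip route" form, and the treatment of packets as unmarked are assumptions made for this example.

```python
import ipaddress

# Trimmed from note 0002702; main table rewritten in "ip route" form (constructed).
RULES = """\
0: from all lookup local
5: from all to 10.10.13.200/24 lookup main
10: from all to 80.74.67.37 lookup 5
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
32766: from all lookup main
"""
TABLES = {"5": ["default via 10.10.13.2 dev br0"],
          "main": ["10.10.23.0/24 dev eth1", "10.10.13.0/24 dev br0",
                   "default via 10.10.23.200 dev eth1"]}

def net(text):
    # "all"/"default" mean 0.0.0.0/0; strict=False accepts 10.10.13.200/24.
    text = "0.0.0.0/0" if text in ("all", "default") else text
    return ipaddress.ip_network(text, strict=False)

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()
        f = dict(zip(words[0::2], words[1::2]))  # keyword/value pairs
        rules.append((int(prio), net(f["from"]), net(f.get("to", "all")),
                      "fwmark" in f, f["lookup"]))
    return sorted(rules, key=lambda r: r[0])

def lookup(lines, dst):
    # Longest-prefix match within one table: gateway, "direct", or None.
    best = None
    for line in lines:
        words = line.split()
        prefix = net(words[0])
        if dst in prefix and (best is None or prefix.prefixlen > best[0]):
            hop = words[words.index("via") + 1] if "via" in words else "direct"
            best = (prefix.prefixlen, hop)
    return best[1] if best else None

def resolve(rules_text, src, dst, tables=TABLES):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_net, to_net, needs_mark, table in parse_rules(rules_text):
        if needs_mark or src not in from_net or dst not in to_net:
            continue  # unmarked packet: fwmark rules are skipped
        hop = lookup(tables.get(table, []), dst)
        if hop is not None:  # empty/non-matching table: try the next rule
            return table, hop
    return None, None
```

With these inputs, resolve(RULES, "10.10.13.50", "80.74.67.37") selects table 5 and gateway 10.10.13.2 even though main has no entry for that host. Changing the priority-10 rule to "from 10.10.13.0/24 to 80.74.67.37" makes the same lookup from 10.10.23.5 fall through to the default gateway in main, which is the source-restricted behaviour note 0002653 describes.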
(0005179)
ytech   
2010-11-23 02:07   
I have the latest version 2.41 (2.6.32.25-57.e40.i586), the same version on 2 real machines and one virtual lab, and the issue continues. It is necessary to add the route manually.

Thanks
(0007404)
Sheldmandu   
2011-09-14 06:18   
I have the latest version as well and the issue is still there. Adding the route manually by connecting via SSH and running the route add command works fine as a workaround.
(0007740)
shairozan   
2012-03-02 18:11   
I also have the latest version, 2.5 R1, and this is still an issue. Is anyone actually working on this issue? The last time I see a non-reporter working on this was in 2009.
(0007858)
cemendes   
2012-05-06 03:23   
That's still a problem on 2.5.1. Any way we can get it fixed?
(0008433)
ltinti   
2013-06-05 14:58   
To save the route commands manually, add them to /etc/init.d/rc.local.

Something like

#!/bin/sh

route add -net 10.0.0.0/24 gw 192.168.0.2

exit 0