@jake said in Changing from interface from default gateway breaks OSPF routing: I have an interface that needs to utilize WAN2, which is the backup internet connection. I created a gateway group that has WAN2 as the tier 1 and WAN1 as tier 2. I set the interface to use this new gateway group and it works as expected. Now traffic, that orginates from this interface, that is suppose to use OSPF to a remote location does not route. How can I put the OSPF routes first and keep the gateway group with WAN2 as primary? Just create a firewall rule, allowing source to destination, use gateway default, and make sure this rule is above the rule that routes to the Internet that has a gateway group set.

@johnpoz said in LAN and Home Server on Different Subnets: @jg2003 the benefit you could get from having your server on a different network than your wireless devices is you could limit what they can access on the server. For example my wireless networks can only access plex running on my nas via port 32400.. They can not access the gui of the nas, they can not access smb shares, etc. You could also do this via your servers firewall if you wanted. Your example does interest me, so I may try to set it up for limited access as well. Thanks for you time.

@isi098 Grok answered the following question: Fundamentally why is having multiple interfaces on a router or firewall using IP addresses in the same subnet not best practice? Having multiple interfaces on a router or firewall assigned IP addresses from the same subnet (i.e., connecting those interfaces to the same logical network or broadcast domain) is generally considered poor practice in network design. This stems from core principles of IP networking, routing behavior, and security. Below, I'll break down the fundamental reasons why, focusing on technical and operational issues rather than specific vendor implementations. 1. Violates the Principle of Subnet Segmentation Routers and firewalls are Layer 3 (L3) devices designed to separate and route traffic between different subnets or network segments. Each interface is typically intended to represent a unique broadcast domain or security zone. If multiple interfaces share the same subnet, you're effectively treating them as part of the same network, which undermines the device's role in segmentation. This can lead to the device behaving more like a Layer 2 (L2) bridge or switch (forwarding traffic at the MAC level) rather than routing at IP level, potentially bypassing intended routing logic or access controls. Consequence: It reduces the benefits of network isolation, such as controlling broadcast traffic, implementing VLANs, or enforcing policies between zones. For example, broadcasts (e.g., ARP requests) would flood all interfaces in that subnet, increasing unnecessary traffic and CPU load on the device. 2. Causes ARP and MAC Address Resolution Issues In a subnet, devices use ARP (Address Resolution Protocol) to map IP addresses to MAC addresses. If a router/firewall has multiple interfaces in the same subnet, each interface has its own MAC address but shares the same IP subnet. Hosts in the subnet might ARP for the router's IP and receive responses from different MAC addresses depending on which interface replies, leading to inconsistent ARP caches. This can result in: Packet duplication: The device might receive the same packet on multiple interfaces (if connected to the same switch fabric). Asymmetric routing: Inbound traffic arrives on one interface, but outbound returns via another, confusing stateful firewalls or causing session drops. ARP storms or cache poisoning: The device could inadvertently respond to ARPs on the "wrong" interface, leading to loops or blackholing traffic. Consequence: Unpredictable connectivity, intermittent failures, or even network outages. Debugging becomes a nightmare because traffic paths aren't deterministic. 3. Introduces Routing Loops and Inefficiency Routing protocols (e.g., OSPF, BGP) assume interfaces connect to distinct networks. Multiple interfaces in the same subnet could advertise the same prefix multiple times, creating redundant routes or loops in the routing table. The device might attempt to route traffic "internally" between its own interfaces (hairpinning), even though they're in the same subnet, wasting resources and increasing latency. If the interfaces are connected to the same physical switch, it could create an unintended L2 loop unless Spanning Tree Protocol (STP) is enabled—but routers/firewalls often don't participate in STP, leading to broadcast storms. Consequence: Reduced performance, higher resource utilization (CPU/memory), and potential for network instability. In high-traffic environments, this scales poorly. 4. Security and Policy Enforcement Risks Firewalls rely on interface-based zones or contexts to apply security policies (e.g., allow/deny rules). If multiple interfaces are in the same subnet, policies might not apply consistently, as traffic could ingress/egress unpredictably. It exposes the device to risks like spoofing attacks or unauthorized bridging between ports, potentially allowing lateral movement in a compromised network. In compliance-heavy environments (e.g., PCI DSS, HIPAA), this setup complicates audits and violates "least privilege" principles by blurring zone boundaries. Consequence: Weakened security posture, policy bypasses, and increased attack surface. For instance, a vulnerability on one interface could affect the entire subnet without clear isolation. 5. Operational and Maintenance Challenges Troubleshooting is harder: Logs and monitoring tools (e.g., interface stats, packet captures) become ambiguous when traffic spans multiple interfaces in the same subnet. Scalability issues: Adding redundancy (e.g., failover) is better handled with protocols like VRRP/HSRP (virtual IPs) or link aggregation (LACP) rather than multiple IPs in the same subnet. Vendor-specific limitations: Many routers/firewalls (e.g., Cisco, Palo Alto) explicitly discourage or prevent this configuration via validation checks, as it doesn't align with standard L3 designs. Consequence: Higher administrative overhead, error-prone configurations, and difficulty integrating with automation tools like Ansible or Terraform. Alternatives and Best Practices Instead of this setup: Use subinterface or VLAN tagging (e.g., 802.1Q) on a single physical interface to create logical separation for different subnets. For redundancy, implement high-availability protocols like VRRP (shares a virtual IP across devices) or EtherChannel/bonding for link aggregation. If load balancing or multi-homing is needed, connect interfaces to different subnets or use BGP for proper route advertisement. In firewalls, define clear security zones per interface/subnet to maintain policy integrity. This practice isn't outright "impossible" in all cases (some devices allow it with tweaks), but it's avoided because it contradicts the foundational goals of routing and security—efficiency, predictability, and isolation. If you're dealing with a specific scenario (e.g., lab testing or legacy hardware), there might be workarounds, but for production networks, redesigning for proper segmentation is recommended.

@netblues No, DCO is not enabled.

@SteveITS Installing the Realtek mod from this repo fixed the problem (at least for now): https://pkg01-atx.netgate.com/packages/pfSense_master_amd64-pfSense_devel/All/realtek-re-kmod-1101.00.1600007.pkg PfSense 25.11 and 25.11.1 seem to include V1100 of the package, which does appear to have a DHCP6 bug for certain NICs, including mine. Thanks for you assistance, as always.

@Patch OK, sounds like an alternative... However, that would mean that all traffic for a big number of devices has to flow through pfSense to Home Assistant... Well, sounds a bit risky for me... Anyway, I got pfSense running, and I found out that maybe the meter has a default gateway installed, which I didn't know. Will try later... If that's the case everything should work as planned :-)

Alright, well please update back here if you find anything interesting!

@thefixersson btw: I forgot to mention that you should xxx-out your public IP. ifconfig: That looks indeed good, can't see anything wrong. Is the ISP gateway still in the ARP table? And the routing table is also ok? I was just on the phone with the ISP while it was down and they could ping my device They could ping your WAN IP on the pfSense? Unless you have created a firewall rule for it on WAN that's not possible.

@ncat I don't understand the use of gateway groups. Why not use a routing protocol like OSPF to select an active OpenVPN tunnel to send traffic over?

@Bob.Dig Works as expected. Thank you, sir! (And thank you, @cmcdonald!!!)

FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0 I can see similar issues. Have two WAN interfaces in a gateway group with one on a lower tier. Trigger level is set to member down. Despite this, if I tcpdump both my main WAN and lower tier failover WAN, I see traffic on both while both interfaces are up and reporting no packet loss. Model is https://www.mini-box.com/APU-2E4-System?sc=8&category=2019 AFAIK.

@patient0 Hi and thanks for taking the time to respond. Yes, I have an x550 add in card. This morning I decided to factory reset and still could not get the WAN interface on LAGG0.4090 to get a public IP through DHCP. I had a suspicion that the x550 card, with the same hardware id's as the XG-7100 switch (ix0, ix1 SFP+ ports) was inducing a conflict. I put an older 4 port gigabit nic in it's place and now everything is working as I would expect it to. Fiber worked on this x550 card until I tried to use the built in LAN/WAN ports ETH1, ETH2. There may be another work around but for now I really have no benefit from 2 gigabit synchronous fiber, and plan to just drop it back to the gigabit tier. Again, thanks for pointing out the ix5 DHCPDISCOVER in the log. Looks like the LAGG0.4090 interface never bothered to reach out for an address and I suspect the issue was the x550 nic. Have a great day.

In my instance, monitoring a different IP instead of ISP didn't make a difference. I have disabled monitoring for now, we'll see if it helps.

@MyKroFt said in wan and gateways on different networks,: ip and gatewas had first 3 the same with 4 being different Well if your old IP started with 69 from your ddns info you posted. Seems like they changed the IP range you are connected too is all. As @patient0 pointed out your IP and its gateway are in the same network. 47.5.16.1 - 47.5.31.254 Doesn't really matter what the 2 IPs are, as long as they are in that range they are the same network. Your old gateway most likely answered ping, your new one in this 47 network does not it seems.

@ivo.a.v.tavares yes because the 192.168.4.0/24 is not in DMZ SUBNETS. Also any software firewall in the target needs to allow connections from the other subnet.