Netgate Discussion Forum
    IPsec Firewall rule doesn't respect gateway choice?

    2.1 Snapshot Feedback and Problems - RETIRED
    eri--

      It's not possible to do that since that has been disabled for preventing problematic scenarios.
      I do not understand, though, why you do not do that on your LAN but need to do that on the IPsec interface?

    jimp (Rebel Alliance Developer, Netgate)

        Ermal - that case is valid that he's describing.

        Think of it like this:

        Mobile IPsec clients (or a remote site) send 0.0.0.0/0 over IPsec, so they use the tunnel for Internet access. You want them to access the internet over WAN2, and not WAN, so you set a gateway on the IPsec rules.

        I can see disabling gateways on WAN rules but not VPN rules, it's fairly commonly used for that scenario by customers as well.

    cybercare

          @jimp:

          Can you show the contents of /tmp/rules.debug?

          I know that works for OpenVPN, but I haven't tried it on IPsec myself. I don't see why it wouldn't work though.

          Anything specific you want to see? It's a bit long, lol. Or does it not matter, since it sounds like Ermal is saying it was broken on purpose? :(

          I know I have it all set up right though, as it worked perfectly fine until I upgraded, lol. I have since tried to fiddle with it for 15+ hours to get the results, but it doesn't care; it's using the main ISP, lol.

          @ermal:

          It's not possible to do that since that has been disabled for preventing problematic scenarios.
          I do not understand, though, why you do not do that on your LAN but need to do that on the IPsec interface?

          What jimp stated is exactly it. I don't want the IPsec internet traffic going out the same WAN as the LAN traffic.
          Plus, if you have two ISPs and do it my way, you are making it even faster for the remote clients. Say they want to upload something to a website: if the VPN tunnel is on ISP1 and internet on ISP1, they in a sense take a double hit, because data must be sent/received to them as well as to any remote sites they go to, and it is all happening on the one ISP. If you set the VPN tunnel on one ISP but the internet traffic for it on another, you get slightly better performance. It really works great if one ISP has a larger upload too, depending on what you're doing and the order you use them in :) but we shall stay on topic here and just stick to the "it's broken or seems to be" part :)

          Thanks in advance to you both for any assistance. It doesn't sound like it should be too much of a pain for it to be fixed, and if it indeed was broken for a reason, maybe add an override with a warning, or let us do it but just tell us the cons of doing so, as I never had issues using it.

    cybercare

            @ermal:

            It's not possible to do that since that has been disabled for preventing problematic scenarios.
            I do not understand, though, why you do not do that on your LAN but need to do that on the IPsec interface?

            Is it possible for this ability to be restored, given it does have a valid use?

            Thanks!

    eri--

              You tried the latest snapshot and it still did not work?

    cybercare

                Just tried the latest snap from 8am today, still not working.

    cybercare

                  Any updates on this?

    cybercare

                    Is this by chance something that will get fixed?

                    I am on the latest snap from today and it still seems broken :(

                    Thanks for all your hard work, btw. 2.1 is turning out wonderful, and hopefully it brings more people to using it so more can donate and buy support to help you all out for your sacrifices.

    eri--

                      Normally this should be fixed, since the change has been reverted.

    cybercare

                        Any suggestions, or anything you want me to do to help check on this? It seems to still not work.

                        I have the outbound NAT and GW set on the IPsec rules, but it will only work if I set it to the default gateway, not a secondary one.

    eri--

                          One thing to try is to disable negate rules under System > Advanced and see if that helps.

                          If not, can you show the rules.debug, either anonymized or through private message?

    cybercare
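A way to answer the "show me rules.debug" requests above without pasting the whole file: this is an added Python check, not code from the thread or from pfSense, that pulls the pass-in rules on the IPsec interface out of /tmp/rules.debug and reports which gateway (if any) each one is policy-routed through. The embedded sample is constructed to mimic the gateway-macro layout of a generated rules.debug; the interface names, addresses and rule labels are assumptions.

```python
import re

# Constructed sample in the style of pfSense's /tmp/rules.debug: gateway macros are
# defined once as route-to fragments, and policy-routed rules reference them by $NAME.
# Interface names, RFC 5737 addresses and labels are hypothetical.
SAMPLE_RULES_DEBUG = """\
# Gateways
GWWANGW = " route-to ( em0 203.0.113.1 ) "
GWWAN2GW = " route-to ( em1 198.51.100.1 ) "
# User-defined rules follow
pass  in  quick  on $IPsec  $GWWAN2GW inet from 10.0.8.0/24 to any keep state label "USER_RULE: IPsec clients via WAN2"
pass  in  quick  on $IPsec  inet from 10.0.9.0/24 to any keep state label "USER_RULE: IPsec site default gw"
pass  in  quick  on em2  $GWWANGW inet from 192.168.1.0/24 to any keep state label "USER_RULE: LAN via WAN"
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\s*route-to\s*\(\s*(\S+)\s+(\S+)\s*\)\s*"')
RULE_RE = re.compile(r'^pass\s+in\s+quick\s+on\s+(\$?\w+)\s+(.*)$')
ROUTE_TO_RE = re.compile(r'route-to\s*\(\s*(\S+)\s+(\S+)\s*\)')


def ipsec_policy_routes(text, iface='$IPsec'):
    """Return [(label, (ifname, gateway_ip) or None)] for pass-in rules on `iface`.

    A None gateway means the rule has no route-to, i.e. traffic matching it follows
    the routing table (the default gateway) instead of the gateway chosen in the GUI.
    """
    gw_macros = {}
    results = []
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:                                   # remember $GWxxx -> (if, next hop)
            gw_macros[m.group(1)] = (m.group(2), m.group(3))
            continue
        r = RULE_RE.match(line)
        if not r or r.group(1) != iface:
            continue
        rest = r.group(2)
        label = re.search(r'label\s+"([^"]*)"', rest)
        name = label.group(1) if label else rest[:40]
        gw = None
        macro = re.match(r'\$(\w+)\b', rest)    # rule body starts with a gateway macro?
        if macro and macro.group(1) in gw_macros:
            gw = gw_macros[macro.group(1)]
        else:                                   # or an inline route-to (...)
            direct = ROUTE_TO_RE.search(rest)
            if direct:
                gw = (direct.group(1), direct.group(2))
        results.append((name, gw))
    return results


def missing_policy_routes(text, iface='$IPsec'):
    """Labels of IPsec rules that carry no route-to at all."""
    return [name for name, gw in ipsec_policy_routes(text, iface) if gw is None]
```

Run it against the real file with `ipsec_policy_routes(open('/tmp/rules.debug').read())`; a rule that the GUI shows with a gateway set but that comes back with `None` here is the symptom this thread describes.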

                            Still seems busted. I did finally get to test with negate disabled, but that made no difference.

                            Any specific part of the rules.debug you are after?

                            I am running the latest snapshot available, but no joy :(

                            Thanks in advance for your assistance.
