Skip rules when gateway is down not working-bug?
-
My pfsense box has been up for months problem free. I did run into a situation today which I do not know how to remedy. Possibly my config is wrong, not sure.
We have 2 WANs set up in a gateway group, basically set up in a "load balance" fashion (both connections used normally).
However, in that setup I ran into issues with httpS and ftp traffic…that type of traffic doesn't like the source IP changing.
So in my setup I have a pair of firewall rules such that httpS and ftp traffic utilizes a specific gateway.
Everything was working great for all this time.
This morning, we lost our second gateway. As a result, we lost httpS and ftp traffic (all other traffic still worked).
In the advanced settings, under miscellaneous I think it is, it specifies that if you have firewall rules that specify a gateway, those rules are supposed to be either re-created ommiting the gateway or skipped entirely (depending on the state of the checkbox) in the event that gateway is marked "down".
I have tried that checkbox both ways and it didn't seem to make any difference.
I'll post more detailed info as needed, but basically my firewall rules look like this:
....
from LAN to "INTERNET" httpS use gateway 2
from LAN to "INTERNET" ftp use gateway 2
from LAN to "INTERNET" ANY traffic use GATEWAY GROUP.So you can see whether the system rewrites my rules that specify a specific gateway OR skips the rules entirely when a gateway is down, the traffic should have still flowed.
Thanks,
-Alan
PS I wonder if this is perhaps related to this bug:
https://redmine.pfsense.org/issues/4566
-EDIT- As a temporary workaround to stop the FLOOD of calls I was receiving about the internet being down, I manually disabled the rules that specify to use a specific gateway until it came back up.
-
Bueller, Bueller, Anyone?
-Alan
-
Still having this issue. I have updated to the latest version.
Maybe I'm describing the problem wrong? I'll try again:
I have a gateway group. I also have firewall rules that precede the gateway group rule that specifies to use a specific gateway for specific traffic. The problem is when that gateway goes down, the rules don't get either omitted, or changed on the fly like they are supposed to.
Another way to look at it is doesn't pfsense have the ability to disable policy based routing when a gateway goes down?
-Alan
-
Sounds like the issue originally was that in bug 4566, which is confirmed fixed in >=2.3.
-
@cmb:
Sounds like the issue originally was that in bug 4566, which is confirmed fixed in >=2.3.
That's what I originally thought, but nope, doesn't appear to be fixed. I just received a txt (its early in the morning) that the "internet is down" at work. I remoted in, checked status, and Gateway 2 is down. Obiously traffic is still trying to be sent out Gateway 2.
So as a temporary fix, I do what I have had to do since the very beginning: Manually disable firewall rules that specify the downed gateway.
-Alan
-
Why not use a gateway group set as failover for https/ftp traffic? There is no reason to target the gateway itself. Then just make sure you are killing states on the down gateway.
-
Why not use a gateway group set as failover for https/ftp traffic? There is no reason to target the gateway itself. Then just make sure you are killing states on the down gateway.
I will see if I can give that a try, but the question I have is can you create a gateway group utilizing interfaces that are ALREADY in another group?
Again my rules are like this:
httpS traffic use gateway 2
ftp traffic use gateway 2
ALL traffic use GATEWAY GROUP (that is already comprised of gateway 1 & gateway 2).My logic when creating these rules is, httpS traffic use gateway 2. FTP traffic use gateway 2, ALL REMAINING TRAFFIC balance between gateway 1 & 2.
Since rules are evaluated top to bottom, this works perfectly, unless I lose gateway 2.
And I would balance httpS and FTP as well, but that type of traffic doesn't like that.
-Alan -
I will see if I can give that a try, but the question I have is can you create a gateway group utilizing interfaces that are ALREADY in another group?
Yes.
-
@cmb:
I will see if I can give that a try, but the question I have is can you create a gateway group utilizing interfaces that are ALREADY in another group?
Yes.
Thank you. I will give this a try when I have a moment. In the meantime, cmb do you have a way I can (re)submit this as NOT fixed, at least in my configuration?
I'm sure my setup is not the most elaborate out there, but its not your typical home/SOHO setup. Its a little more involved that a typical small office setup.
I have a pfsense store bought c2758 with optional 4 port add in LAN card. I have a total of 8 interfaces-WAN1, WAN2, DMZ1, DMZ2, LAN1, LAN2, LAN3, and LAN4. I use a combination of pure routing (from WAN1 to DMZ1), 1:1 NAT (from WAN2 to DMZ2, and NAT (from the WANs to the LANs). LAN4 is for Wifi; since this box provides no wireless itself, I have a string of access points connected to LAN4.
Thanks,
-Alan
-
Just wanted to give my thread a final bump for a couple reasons:
1) Although reported fixed in >2.3, it is NOT…at least not in my configuration
2) A BIG THANK YOU to dotdash-I implemented your solution instead and it works beautifully. VERY MUCH APPRECIATED.
-Alan