Route policy firewall rule applied on LAN is not applied to traffic from WAN



  • Hello, I have a question about gateway in firewall rules.

    I have 1 LAN interface and 2 WAN interface.

    The WANs are configured in a failover group called "MultiWan". When one interface is down or has high latency, the second should be used.

    I cannot set this MultiWan group as the default gateway in pfSense. To use the MultiWan group as gateway, the LAN interface has a "catch all" firewall rule with a specific gateway set to "MultiWan" (no static route is used).

    Traffic from LAN to the WAN networks uses the route policy firewall rule and works fine. But traffic from WAN to LAN, allowed by the WAN interface rules, doesn't use the route policy firewall rule on the LAN interface in order to "know" how to route the packets back to the WAN network (remember: no static route is used).

    How can I force traffic from WAN to also apply the route policy firewall rule on the LAN interface, so that the MultiWan group is used to route packets to the WAN networks?



  • Traffic coming into WAN and leaving LAN gets routed back out the WAN where it originated automatically, by the reply-to in the underlying ruleset.



  • We have set up route selection for traffic to use a gateway group. It works well when the traffic comes from LAN to WAN, but when the traffic comes from WAN to LAN, the return to WAN does not use this route back; we do not know why.



  • That's because of stateful filtering. The rule that creates the state determines what routing options are taken for the traffic. Connections coming in from the WAN do not match rules or states from the LAN interface and therefore will not use the gateway group set in the LAN rules.



  • So we can't use the gateway group set in LAN rules to route traffic coming in from WAN to LAN back to WAN. Also, we can't set two default gateways, or set two routes to the same destination (e.g. a known WAN network) using different gateways.

    How can we solve our problem?



  • There is no problem to solve, the WAN rules automatically route traffic back out the WAN it came in on. If your WANs are static IP, they must have the gateway chosen under Interfaces>WAN for it to do that.



  • I think you're confusing the use of the gateway groups here. On incoming connections on WAN interfaces there are no gateway groups because they don't make sense there. A connection that comes in via a specific WAN interface has to be replied via the same interface (and the IP address associated with the interface) or very weird things start to happen.
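
The reply-to and route-to mechanism the replies above describe, as an added illustration in raw pf syntax (not pfSense's generated ruleset, which the GUI writes for you). The interface names, macros, the server network address and the round-robin pool are assumptions; pfSense's gateway-group failover swaps the active gateway into the rule rather than using a pf pool:

```pf
# Assumed interface macros; the addresses are the ones from the thread
wan1 = "em0"      # 10.10.10.2, gateway 10.10.10.1 (L3-1)
wan2 = "em1"      # 10.10.20.2, gateway 10.10.20.1 (L3-2)
lan  = "em2"      # server network
lan_net = "192.168.1.0/24"   # constructed example value
users   = "172.16.10.0/24"

# LAN -> WAN: the rule that creates the state carries the policy route.
# route-to with a pool is the plain-pf way to spread new states across
# gateways; a pfSense gateway group instead rewrites this to the member
# that is currently up.
pass in quick on $lan inet from $lan_net to any \
    route-to { ($wan1 10.10.10.1), ($wan2 10.10.20.1) } round-robin \
    keep state

# WAN -> LAN: reply-to pins the state's return path to the interface and
# gateway the first packet arrived through, so no route to $users is
# consulted for the replies. This is what pfSense adds to WAN rules when
# the interface has a gateway selected under Interfaces > WAN.
pass in quick on $wan1 reply-to ($wan1 10.10.10.1) \
    inet from $users to $lan_net keep state
pass in quick on $wan2 reply-to ($wan2 10.10.20.1) \
    inet from $users to $lan_net keep state

# Without reply-to (no gateway set on the WAN interface), the reply to a
# packet that arrived on $wan1 is routed by the kernel routing table; with
# no default route and no static route to $users, the reply is dropped.
```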


  • Confused at what you're trying to accomplish or fix.

    So clearly you have at least 2 WAN connections. What is this traffic that is coming in WAN to LAN, as you say? Is this WAN some internal network that you're running routing protocols on? How does someone get to WAN 1 or 2? Does something resolve to an IP? Are they using the IP directly?

    If WAN 1 is down, how would this stuff know to use WAN 2? And go to that IP?



  • cmb, kpa: thanks for the reply! Our problem is that traffic incoming on WAN can't return back to the WAN interface. We don't have a default gateway set, nor have we set routes to the WANs (our intention was to use the gateway group defined in the LAN firewall rules; we now know that is not possible). We know that the problem is routing because when we set a route to the gateway of one of our WANs, WAN traffic returns fine. But static routes are not our solution because static routes do not permit the use of gateway groups.

    The WAN interfaces don't have a gateway defined because we want to use a gateway group for fail-over purposes.

    Traffic coming in on LAN to the WANs is fine because it uses the rules set on the LAN interface, which use a gateway group.

    PD: cmb, according to your last reply we set gateways on the WAN interfaces, but traffic coming from the WANs still does not return.



  • johnpoz, thanks for the reply!

    We are testing pfSense for use inside our LAN. For us, WAN is our user networks and LAN is our server network. Both directions of traffic are important: traffic coming from the LAN to the WAN and from the WAN to the LAN.

    We are not using routing protocols in our "WAN". Our user networks (WANs) are reachable from the two gateways. We have DNS to resolve the IPs of servers and user workstations.

    Our WAN gateways have static IPs; our idea is that if one of the gateways is down, traffic will use the other. For that we set up a gateway group and then configured it in the firewall rules on LAN. It works for traffic from LAN to WAN but not for traffic from WAN.



  • For better understanding, a diagram of the pfSense connections is attached.




  • What you're asking for is traffic destined to 10.10.10.2 to magically be destined to 10.10.20.2 instead when WAN1 goes down. You can't control that on that system, whatever is sending the traffic in upstream has to send it to the other WAN instead. Usually that's done by switching your DNS so things come in via WAN2 when WAN1 fails, in an Internet scenario. Since this seems like a private network, you control the upstream routing, so you'll have to route things in via WAN2 instead of WAN1 on the upstream router in that case.



  • Traffic is not destined to 10.10.10.2 or 10.10.20.2; traffic is destined to 172.16.10.0/24, for example. We want pfSense to have two ways to reach 172.16.10.0/24, one using the gateway 10.10.10.1 and the other through the gateway 10.10.20.1. Both L3-2 and L3-1 have routes to 172.16.10.0/24.

    If both L3s are up, pfSense could use either gateway, or use one of the two gateways by default. But if one of the L3s is down, pfSense should use the path of the alive gateway to route packets to 172.16.10.0/24.

    For traffic coming from the Server Networks (traffic incoming on the LAN interface) we use a firewall rule on the LAN interface to reach 172.16.10.0/24 with a gateway group (this group has 10.10.10.1 and 10.10.20.1) and it works great. In this way, if an L3 (WAN gateway) fails, the traffic will use the other L3 defined in the gateway group.

    But for traffic coming from the User Networks (traffic incoming on the WAN interfaces) we don't know how to configure gateways so that if an L3 fails, the other can be used.

    Configuring a static route to reach the network 172.16.10.0/24 using the gateway 10.10.10.1 (for example) works, but we don't have fail-over if 10.10.10.1 fails.

    We think a possible solution is to set two static routes with different metrics to reach 172.16.10.0/24, one using gateway 10.10.10.1 and the other using gateway 10.10.20.1, but pfSense doesn't allow two static routes to the same network. Or maybe set a static route to reach 172.16.10.0/24 using a gateway group, but that is not allowed either.

    PD: Packets incoming on the WAN interfaces can reach the Server Networks. The problem is the returning packets of those connections: they don't match the firewall rules with the gateway group on the LAN interface, so they don't know how to reach the Users Networks (see updated diagram).



  • You're missing the point. You can't, at that point in the network, change the routing like that. Your upstream network is routing it in. It won't reach WAN1 when WAN1 is down, the upstream must route it via WAN2 instead. The upstream has to handle that.

    @mablux:

    Traffic is not destined to 10.10.10.2 or 10.10.20.2; traffic is destined to 172.16.10.0/24, for example.

    The routing is destined to either 10.10.10.2 or 10.10.20.2 on the upstream network. The upstream must change its routing, sending 172.16.10.0/24 to the appropriate WAN.


  • ^ exactly… What in the user network determines whether it goes to L3-1 or L3-2? This is where you would set up, say, HSRP between L3-1 and L3-2.



  • cmb:

    My apologies, you are right. I did not explain my problem well, hence the misunderstanding. Traffic from the user network can "use" WAN1 or WAN2 indistinctly. L3-1 and L3-2 (WAN1 and WAN2) are configured with GLBP.

    Reviewing other forum threads, I found other problems with the same root cause: for returning traffic it is not possible to route to fail-over gateways.
    https://forum.pfsense.org/index.php?topic=111783.0  (WIFI Link between two pfsense - VPN failover)
    https://forum.pfsense.org/index.php?topic=107657.0  (1 WAN route back to 2 redundant LAN)

    We hope that the pfSense team has plans to allow multiple routes to the same network (with different metrics, of course) or to allow the use of gateway groups for returning traffic.

    Thank you very much for your response and attention.



  • johnpoz:

    Thanks for the reply!

    L3-1 and L3-2 are GLBP configured; user networks will use either L3-1 or L3-2 indistinctly to reach the server networks.

    In our network L3-1 and L3-2 are redundant (fail-over); for this reason we want to properly configure pfSense with fail-over WANs (L3-1 and L3-2) for our server networks.


  • Still don't see how there would be an issue here. If traffic comes in WAN1, it is going to go back out WAN1 for the answer. If you're using GLBP and the connection from L3-1 to pfSense fails, then no traffic would come in that interface, so why would pfSense send a response out an interface that did not see the traffic?

    Why do you need to set any routes? Aren't L3-1 and L3-2 different gateways? Why are you needing to create routes to this user network at all? The only place you can go is out L3-1 or L3-2. Is there some part of this network that you did not show that requires you to create routes that are out your WAN interfaces? Where you can only go to either L3-1 or L3-2, those devices might have to make a routing decision on how to send the traffic to the user network, but why would pfSense have to?



  • @johnpoz:

    If traffic comes in WAN1, it is going to go back out WAN1 for the answer.

    I do not know why it does not work; on both WAN interfaces the corresponding gateway (L3) is configured. If that were working well for us, we would be very happy… maybe something is configured wrong, but I can't find it.

    @johnpoz:

    If you're using GLBP and the connection from L3-1 to pfSense fails, then no traffic would come in that interface, so why would pfSense send a response out an interface that did not see the traffic?

    Each L3 can ping the corresponding WAN interface on pfSense and can also ping a server inside the server networks.

    @johnpoz:

    Why do you need to set any routes? Aren't L3-1 and L3-2 different gateways? Why are you needing to create routes to this user network at all?

    Yes, L3-1 and L3-2 are different gateways. I used Packet Capture on the WAN1 interface when a host in the User Network pinged a server in the Server Network, and I see the "ICMP echo request" packets but don't see the corresponding "ICMP echo reply". The only way we've found to make it work is to set a static route to reach the user network through one of the L3s (but it is not a real solution for us because access to the server networks would not have fail-over L3s).

    @johnpoz:

    The only place you can go is out L3-1 or L3-2. Is there some part of this network that you did not show that requires you to create routes that are out your WAN interfaces? Where you can only go to either L3-1 or L3-2, those devices might have to make a routing decision on how to send the traffic to the user network, but why would pfSense have to?

    All traffic to networks that are not directly connected to pfSense (i.e. networks other than WAN1 [L3-1], WAN2 [L3-2], LAN [server network]) we want pfSense to send to "any" of the L3s (as you said earlier: "traffic comes in WAN1, it is going to go back out WAN1 for the answer"; that would be fine!). Both L3s know how to route traffic to the User networks or other networks.

    Thank you very much for your time. We want to use pfSense and will make every effort to configure it properly for our needs.

    PD: Packet Capture on the LAN interface when a host in the User Network pings a server in the Server Network shows the "ICMP echo request" packets and the corresponding "ICMP echo reply" packets.