Confusion: modify all firewall rules for a new gateway group?
-
First time post here, finally hit an issue I can't seem to Google my way out of.
I have added a second WAN, pfSense sees them as WAN & OPT20. They are both in a gateway group, independently configured DNS etc. Both work fine when set as the default, however 'WAN' is the current default gateway. I am not seeing failover to the second gateway occur properly when testing (physical disconnect for now). Troubleshooting, this is probably a firewall rule issue, which is where I am confused. (*note: I can make failover happen with the Default -> Advanced -> Miscellaneous -> "Default gateway switching" option selected, but I know I should not need to use this if my config was correct).
I have already RTFM that shows how to create a firewall rule for LAN that explicitly calls out the Gateway group I created and allows traffic. However, this is where I'm less confident. Do I create a new firewall rule such as that for each interface? I have dozens of VLANs handling many services and hosts, typically one service per VLAN per interface. Additionally, none of these interfaces have a single 'Allow all' outgoing rule that can be updated to specify the Gateway group. Does that further imply I would need to modify each and every outgoing rule to explicitly call out the Gateway group under Advanced? We're talking about many, many rules. Some of these are user-facing services, some are high traffic lab networks, some are simply wireless access point interfaces. Modifying each rule makes me think I'm missing something, so I finally broke down and wrote this.
Any tips or up to date docs would be great; I'm not thrilled to parse more screenshots from any of the last few releases.
Thanks!
-
You can make a backup of the config and find/replace the rules in your favorite editor.
Also: overcomplicated rulesets can frequently be trimmed down significantly.
-
Thank heper,
I appreciate the response. Can you confirm you mean that each and every firewall rule should in fact be edited? I can use sed or vim find and replace easily, and I have edited and restored the xml config before. How to edit it is not a problem.
I am more concerned with understanding my issue. If a firewall rule allows a gateway of 'any' I don't understand why explicitly setting that to a Gateway group is an improvement.
Yes/No: using dual-WAN and a Gateway group requires every outgoing firewall rule to explicitly approve the named Gateway group before failover will happen as expected.
Thank you again!
-
if you wish to force policy routing, then yes, you need a gateway(group) to be selected in a firewall-rule.
You can go for default gateway switching. but it has some quirks. (too lazy to look them up at this point)
afaik, there is no GUI way to change multiple rules to adjust the policy routing/gateways at once.
-
Okay, I think you clarified it for me.
I believe I encountered at least one of the quirks you are thinking of: without the firewall rule explicitly mentioning the Gateway group it only uses the WAN marked 'default'. Forcing the 'Default gateway switching' was a hacky but effective workaround.
I will update all my outgoing rules to address the new group and report back as 'solved' if it works out.
Thanks again heper, always glad for concise answers :)
-
Solved, it was indeed just a simple tweak. I unchecked the System -> Routing -> Miscellaneous -> Failover default gateway option I had checked, and updated any outgoing firewall rule to explicitly use the advanced settings. Under advanced settings I changed Gateway from default to the name of my Gateway group. Now, outgoing firewall rules have a black sprocket icon next to them to indicate advanced settings which in my case is the Gateway group. Internal traffic rules, any LAN -> LAN for example, do not need this updated setting. Only traffic using a Gateway should be updated to use a Gateway group.
To answer my initial questions explicitly: yes, this has to apply to each firewall rule that allows WAN traffic. If you have an outgoing firewall rule with the Advanced Settings -> Gateway left on 'default' it will NOT allow traffic to leave via the secondary WAN. I had to update my SSH rule and HTTPS rules independently for both to work. This is all clear in retrospect, but this might help someone else in the future to learn from my confusion.
Once again, thanks heper!
