Firewall Rules do not work with NAT unless default gateway is selected



  • Hello all!

    I have 4 circuits, let's call them gw1, gw2, gw3, gw4
    I have NAT rules for mostly gw1, which is our default gateway (such as 80, 443, etc)
    Some servers need to be on different circuits, so I have created the NAT rules (inbound and outbound to ensure they are using the correct gateway and IP address), and firewall rules on LAN to go out their respective gateway

    Issue:
    Hosts that go out a different gateway (say GW2) than our default one cannot access hosts that are on our default gateway (GW1).
    So
    Webserver1, on GW1 (default), no issues. All hosts using this gateway connect to external IP and FQDN just fine, AND can also connect to Webserver2 with external IP or FQDN just fine
    Webserver2, on GW2, cannot connect to webserver1 with its external IP or FQDN

    I have narrowed it down to Firewall Rules -> LAN -> (Server Rule) -> Advanced options -> Gateway. When I specify a gateway, it does not work. Even if I specify GW1. It ONLY works when it is set to default. When I specify a gateway for Webserver2 (gw2) it is accessible from the outside world fine with IP or FQDN, but not accessible from LAN

    I am baffled, and really need some help figuring this out. I have tried state: sloppy, All flags, everything that I could find on Google. Nothing is working



  • If you specify a gateway in a firewall pass rule the rule only permits traffic whose route passes that gateway.
    So obviously the packets from webserver2 are not routed over gw2.
    Presumably you're using NAT reflection to access your external IPs from internal devices.

    So you have to add an additional pass rule which sits above that one with the gateway specified, which allows access to your external IPs and which has gw set to default. Just add all your external IPs you want access to an alias and use this one in that rule as destination.
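    The reply above describes first-match rule evaluation with policy routing: a pass rule that names a gateway pushes every packet it matches out that gateway, so a LAN-to-external-IP packet from Webserver2 never reaches the NAT reflection path unless an earlier rule with the default gateway catches it first. The following small model of that evaluation order is an added example, not code from the original thread or from OPNsense/pfSense; the rule names, gateway names and the 10.0.0.0/24 and 203.0.113.0/24 addresses are constructed for illustration.

```python
"""Toy first-match model of LAN pass rules with an optional policy-routing
gateway, to show why rule order fixes the reflection problem in the thread.
Constructed example: addresses, rule names and gateway names are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed alias of "all our external IPs" (the alias the reply suggests).
EXTERNAL_IPS = ["203.0.113.148/32", "203.0.113.149/32"]
WEBSERVER2 = "10.0.0.50"  # constructed LAN host that should egress via gw2


@dataclass
class Rule:
    name: str
    sources: List[str]       # CIDR networks, or "any"
    destinations: List[str]  # CIDR networks, or "any"
    gateway: Optional[str] = None  # None == "default" in the GUI

    def _in(self, addr: str, nets: List[str]) -> bool:
        if "any" in nets:
            return True
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n) for n in nets)

    def matches(self, src: str, dst: str) -> bool:
        return self._in(src, self.sources) and self._in(dst, self.destinations)


def resolve(rules: List[Rule], src: str, dst: str) -> str:
    """Evaluate GUI-style pass rules top to bottom; the first match wins.

    Returns the gateway the packet is forced through ("default" when the rule
    leaves routing to the system table), or "blocked" when no rule matches.
    With "default", traffic to an external IP can be handled locally by NAT
    reflection; with a named gateway it is policy-routed out that circuit
    instead, which is the failure described in the thread.
    """
    for rule in rules:
        if rule.matches(src, dst):
            return rule.gateway or "default"
    return "blocked"


# Before: only the per-server rule exists, so everything from Webserver2,
# including traffic to our own external IPs, is forced out gw2.
BEFORE = [
    Rule("webserver2 via gw2", [f"{WEBSERVER2}/32"], ["any"], gateway="gw2"),
]

# After: the reflection rule sits ABOVE the policy-routing rule and matches
# the external-IP alias with the default gateway, so only real Internet
# traffic from Webserver2 is still sent out gw2.
AFTER = [
    Rule("reflected external IPs", ["any"], EXTERNAL_IPS, gateway=None),
    Rule("webserver2 via gw2", [f"{WEBSERVER2}/32"], ["any"], gateway="gw2"),
]


def demo() -> dict:
    """Return the gateway chosen for a few constructed flows under both rule sets."""
    external_ip = "203.0.113.148"   # constructed: Webserver1's public address
    internet_ip = "198.51.100.7"    # constructed: some unrelated Internet host
    return {
        "before_to_external": resolve(BEFORE, WEBSERVER2, external_ip),
        "after_to_external": resolve(AFTER, WEBSERVER2, external_ip),
        "after_to_internet": resolve(AFTER, WEBSERVER2, internet_ip),
        "after_other_host_to_internet": resolve(AFTER, "10.0.0.96", internet_ip),
    }


if __name__ == "__main__":
    for flow, gw in demo().items():
        print(f"{flow}: {gw}")
```

Swapping the two rules in `AFTER` reproduces the original symptom, because the gw2 rule then matches first; that is the ordering check to make when a reflection rule "did not work" even though it exists.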



  • It did not work. Firewall -> LAN. Added rule for all our external IPs as destination, rest is default

    https://imgur.com/Sx3Ocaw



  • When I watch the states of one of the test servers, it looks like this:

    LAN tcp x.x.0.96:45922 -> x.x.0.50:80 (x.x.x.148:80) CLOSED:SYN_SENT 4 / 0 240 B / 0 B

    This shows up multiple times, but it still receives the same error. I am not seeing it go through the gateway anymore though (Instead of LAN it used to say the GW name)