Netgate Discussion Forum

    Firewall Rules do not work with NAT unless default gateway is selected

    Routing and Multi WAN
    4 Posts 2 Posters 528 Views
    scottys

      Hello all!

      I have 4 circuits, let's call them gw1, gw2, gw3, gw4.
      I have NAT rules mostly for gw1, which is our default gateway (such as 80, 443, etc.).
      Some servers need to be on different circuits, so I have created the NAT rules (inbound and outbound, to ensure they are using the correct gateway and IP address) and firewall rules on LAN to go out their respective gateway.

      Issue:
      Hosts that go out a different gateway (say GW2) than our default one cannot access hosts that are on our default gateway (GW1).
      So:
      Webserver1, on GW1 (default): no issues. All hosts using this gateway connect to its external IP and FQDN just fine, AND can also connect to Webserver2 by external IP or FQDN just fine.
      Webserver2, on GW2: cannot connect to Webserver1 by its external IP or FQDN.

      I have narrowed it down to Firewall Rules -> LAN -> (Server Rule) -> Advanced Options -> Gateway. When I specify a gateway, it does not work. Even if I specify GW1. It ONLY works when it is set to default. When I specify a gateway for Webserver2 (gw2), it is accessible from the outside world fine by IP or FQDN, but not accessible from LAN.

      I am baffled, and really need some help figuring this out. I have tried State type: Sloppy, All flags, everything that I could find on Google. Nothing is working.

      viragomann

        If you specify a gateway in a firewall pass rule the rule only permits traffic whose route passes that gateway.
        So obviously the packets from webserver2 are not routed over gw2.
        Presumably you're using NAT reflection to access your external IPs from internal devices.

        So you have to add an additional pass rule, which sits above the one with the gateway specified, which allows access to your external IPs and has the gateway set to default. Just add all the external IPs you want to access to an alias and use that alias in this rule as the destination.

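The ordering point in the reply above is easy to get wrong, so here is an added example (not pfSense code, and not from either poster) that models pfSense's top-down, first-match rule evaluation with policy routing. The addresses are constructed from documentation ranges: 192.0.2.0/24 stands in for the LAN, 203.0.113.10 and 203.0.113.20 for the firewall's own external IPs, and 198.51.100.7 for an arbitrary Internet host. The model assumes that a pass rule with a gateway set policy-routes every flow it matches out that gateway, while a rule with the gateway left at default hands the flow to the system routing table, where a destination that is one of the firewall's own external IPs is handled locally by NAT reflection.

```python
"""Toy model of pfSense LAN rule evaluation with policy routing.

Added example; not pfSense code. Addresses are constructed
(RFC 5737 documentation ranges). Assumed behaviour: rules are
evaluated top-down and the first match wins; a matching rule that
carries a gateway policy-routes the flow out that gateway; a matching
rule with gateway "default" (None here) uses the system routing
table, so a flow to one of the firewall's own external IPs stays on
the box and is served by NAT reflection.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed: the firewall's own WAN addresses, as an alias would hold them.
EXTERNAL_IPS = {"203.0.113.10", "203.0.113.20"}
EXTERNAL_ALIAS = [ip + "/32" for ip in sorted(EXTERNAL_IPS)]
LAN_NET = "192.0.2.0/24"
WEBSERVER2 = "192.0.2.50"      # constructed: host that must use gw2


@dataclass
class Rule:
    """One LAN pass rule: source CIDR, destination CIDR list (an alias),
    and the gateway chosen under Advanced Options (None == default)."""
    name: str
    source: str
    destination: List[str]
    gateway: Optional[str] = None


def _matches(addr: str, nets: List[str]) -> bool:
    """True if addr falls in any listed network, or the list is ["any"]."""
    if nets == ["any"]:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Top-down evaluation: the first rule matching src and dst wins."""
    for rule in rules:
        if _matches(src, [rule.source]) and _matches(dst, rule.destination):
            return rule
    return None


def egress(rules: List[Rule], src: str, dst: str) -> str:
    """Where the flow ends up: a gateway name, 'reflected', 'default',
    or 'blocked' when no pass rule matches."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    if rule.gateway is not None:
        # Policy routing wins over the routing table: the packet is
        # pushed out the chosen WAN even if the destination is our own IP.
        return rule.gateway
    return "reflected" if dst in EXTERNAL_IPS else "default"


# Ruleset as described in the original post: the server rule carries gw2.
BROKEN = [
    Rule("webserver2 via gw2", WEBSERVER2 + "/32", ["any"], gateway="gw2"),
    Rule("LAN default allow", LAN_NET, ["any"]),
]

# Ruleset as suggested in the reply: alias rule with default gateway ABOVE.
FIXED = [
    Rule("own external IPs, default gw", LAN_NET, EXTERNAL_ALIAS),
    Rule("webserver2 via gw2", WEBSERVER2 + "/32", ["any"], gateway="gw2"),
    Rule("LAN default allow", LAN_NET, ["any"]),
]

# Same two rules in the wrong order: the alias rule never gets a chance.
WRONG_ORDER = [FIXED[1], FIXED[0], FIXED[2]]


def compare(dst: str) -> dict:
    """Egress of webserver2's flow to dst under each ruleset."""
    return {
        "broken": egress(BROKEN, WEBSERVER2, dst),
        "fixed": egress(FIXED, WEBSERVER2, dst),
        "wrong_order": egress(WRONG_ORDER, WEBSERVER2, dst),
    }


if __name__ == "__main__":
    for target in ("203.0.113.10", "198.51.100.7"):
        print(target, compare(target))
```

Running it shows the three outcomes side by side: under the broken and wrong-order rulesets webserver2's flow to 203.0.113.10 is policy-routed out gw2 and never reaches the reflection rule, under the fixed ruleset it is reflected locally, and in all three cases its flow to the Internet host 198.51.100.7 still leaves via gw2, so the fix does not undo the policy routing the server needs.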
          scottys

          It did not work. Firewall -> LAN: added a rule with all our external IPs as destination, rest left at default.

          https://imgur.com/Sx3Ocaw

            scottys

            When I watch the states of one of the test servers, it looks like this:

            LAN tcp x.x.0.96:45922 -> x.x.0.50:80 (x.x.x.148:80) CLOSED:SYN_SENT 4 / 0 240 B / 0 B

            This shows up multiple times, but it still receives the same error. I am not seeing it go through the gateway anymore, though (instead of LAN it used to say the GW name).

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.