Required number of Gateway Groups?



  • I've read multiple tutorials, as well as everything I can find in the official documentation, but I still need clarification.

    The official documentation states "If any gateway on the same tier goes down, it is removed from use and the other gateways on the tier continue to operate normally."

    However, the overwhelming number of how-tos, guides, and even forum posts seem to create multiple Gateway Groups, and then ordered Firewall rules to do Policy Routing:

    Gateway Groups

    • LoadbalanceGWGroup (WAN1 - Tier1, WAN2 - Tier1)
    • Failover1GWGroup (WAN1 - Tier1, WAN2 Tier 2)
    • Failover2GWGroup (WAN2 - Tier1, WAN1 Tier 2)

    Firewall Rules

    • Forward LAN net any any via LoadbalanceGWGroup
    • Forward LAN net any any via Failover1GWGroup
    • Forward LAN net any any via Failover2GWGroup

    So the first question I'm trying to answer is this: Assuming that all traffic is to behave the same way, does a single Gateway Group with multiple Gateways at the same Tier perform both Loadbalance and Failover? In the context of my example, assuming only the first GW Group exists, if WAN2 becomes unavailable will all LAN traffic be routed out WAN1 until WAN2 becomes available, at which point Load Balancing resumes?

    Furthermore, how does this interact with the "Skip rules when gateway is down" setting? The only documentation I can find on this setting says, "Do not create rules when gateway is down. By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead."

    So assuming I only have one Gateway Group, and one Firewall Policy Routing rule referencing that group, AND WAN1 went down, would this Policy Routing rule be:
    A) Modified to ignore the WAN1GW temporarily until it returns, using WAN1GW in the meantime
    B) Modified to ignore gateway settings completely (default gateway)
    C) IF "Skip rules when gateway is down" is enabled, skip this rule completely and expect another rule to take over
    D) Or does this setting (Skip rules when Gateway is down) not apply to Gateway GROUPS at all?

    Thanks for any help you can give to clarify this.


  • Rebel Alliance Developer Netgate

    @jgee said in Required number of Gateway Groups?:

    The official documentation states "If any gateway on the same tier goes down, it is removed from use and the other gateways on the tier continue to operate normally."

    However, the overwhelming number of how-tos, guides, and even forum posts seem to create multiple Gateway Groups, and then ordered Firewall rules to do Policy Routing:

    Gateway Groups

    • LoadbalanceGWGroup (WAN1 - Tier1, WAN2 - Tier1)
    • Failover1GWGroup (WAN1 - Tier1, WAN2 Tier 2)
    • Failover2GWGroup (WAN2 - Tier1, WAN1 Tier 2)

    That is for convenience. So you can select some traffic to behave in each way that you want. Some people want things to load balance. Some sites or clients may not play well with load balancing and need to be forced out a specific WAN. Defining all of those gives you the flexibility to choose without having to go back and make them later.

    Firewall Rules

    • Forward LAN net any any via LoadbalanceGWGroup
    • Forward LAN net any any via Failover1GWGroup
    • Forward LAN net any any via Failover2GWGroup

    That specifically would only hit the first rule and never the others. Normally the source on those would be different, like "forward clientA to any via Failover1GWGroup", "forward clientB to any via Failover2GWGroup", and then a catchall to forward anything else via LoadbalanceGWGroup.

    So the first question I'm trying to answer is this: Assuming that all traffic is to behave the same way, does a single Gateway Group with multiple Gateways at the same Tier perform both Loadbalance and Failover? In the context of my example, assuming only the first GW Group exists, if WAN2 becomes unavailable will all LAN traffic be routed out WAN1 until WAN2 becomes available, at which point Load Balancing resumes?

    Yes.

    Furthermore, how does this interact with the "Skip rules when gateway is down" setting? The only documentation I can find on this setting says, "Do not create rules when gateway is down. By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead."

    There is no interaction. That only affects rules which specify a gateway directly on the rule, not a group. For example if you wanted clientC to only ever use WAN3, you'd pass from clientC using the WAN3 gateway (not a group), follow that with a rule to reject anything from clientC, and then set the option to skip rules when a gateway is down. Otherwise it acts as though the rule has no gateway so the client would use the default WAN.

    So assuming I only have one Gateway Group, and one Firewall Policy Routing rule referencing that group, AND WAN1 went down, would this Policy Routing rule be:
    A) Modified to ignore the WAN1GW temporarily until it returns, using WAN1GW in the meantime
    B) Modified to ignore gateway settings completely (default gateway)
    C) IF "Skip rules when gateway is down" is enabled, skip this rule completely and expect another rule to take over
    D) Or does this setting (Skip rules when Gateway is down) not apply to Gateway GROUPS at all?

    A+D
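
    The behaviour described in this answer, written out as a small model so the three cases can be checked side by side. This is an added illustration, not pfSense code and not something posted in the thread: the group/tier selection, the first-match rule evaluation, and the handling of "Skip rules when gateway is down" are simplified re-statements of what the reply says, and the all-members-down fallback and the clientC/WAN3 names are assumptions made for the example.

```python
"""Model of policy routing with gateway groups as described in the reply
above. Added example only; it is not pfSense source code."""
from dataclasses import dataclass
from typing import Optional

DEFAULT = "DEFAULT"   # stands in for the system default route


@dataclass
class Rule:
    source: str             # "any" or a client name
    action: str             # "pass" or "reject"
    target: Optional[str]   # gateway name, gateway group name, or None


# Groups from the original post: gateway name -> tier number.
GROUPS = {
    "LoadbalanceGWGroup": {"WAN1": 1, "WAN2": 1},
    "Failover1GWGroup":   {"WAN1": 1, "WAN2": 2},
    "Failover2GWGroup":   {"WAN2": 1, "WAN1": 2},
}


def active_gateways(group: dict, gw_up: dict) -> list:
    """Members of the lowest-numbered tier that still has an up gateway.
    Members of one tier share traffic (load balance); a lower tier is
    used only when every member of the tier above is down (failover)."""
    by_tier = {}
    for gw, tier in group.items():
        if gw_up[gw]:
            by_tier.setdefault(tier, []).append(gw)
    return sorted(by_tier[min(by_tier)]) if by_tier else []


def compile_rules(rules, gw_up, groups, skip_when_down=False):
    """Turn configured rules into the rules actually loaded, applying the
    'Skip rules when gateway is down' option only to rules that name a
    gateway directly, as the reply states."""
    loaded = []
    for r in rules:
        if r.target is None:
            loaded.append((r, [DEFAULT]))
        elif r.target in groups:
            # Group: down members drop out, the rule itself stays loaded.
            # Assumption: with every member down we fall back to the
            # default route; the thread does not cover that case.
            gws = active_gateways(groups[r.target], gw_up)
            loaded.append((r, gws or [DEFAULT]))
        elif gw_up.get(r.target) is not None:
            if gw_up[r.target]:
                loaded.append((r, [r.target]))
            elif skip_when_down:
                continue                        # rule omitted entirely
            else:
                loaded.append((r, [DEFAULT]))   # rule kept, gateway omitted
        else:
            raise ValueError(f"unknown target {r.target}")
    return loaded


def route(client: str, loaded) -> list:
    """First matching rule wins. Returns the candidate gateway list (more
    than one entry means load balancing) or ['REJECT']."""
    for r, gws in loaded:
        if r.source in ("any", client):
            return ["REJECT"] if r.action == "reject" else gws
    return ["REJECT"]   # no rule matched: blocked by the default policy


def scenario_single_group(wan2_up: bool) -> list:
    """One group, one rule: load balance while both are up, WAN1 only
    while WAN2 is down (the 'Yes' / option A case)."""
    gw_up = {"WAN1": True, "WAN2": wan2_up}
    loaded = compile_rules([Rule("any", "pass", "LoadbalanceGWGroup")], gw_up, GROUPS)
    return route("lan-host", loaded)


def scenario_three_catchalls() -> str:
    """Three 'any' rules in a row: only the first is ever hit."""
    gw_up = {"WAN1": True, "WAN2": True}
    rules = [Rule("any", "pass", g) for g in
             ("LoadbalanceGWGroup", "Failover1GWGroup", "Failover2GWGroup")]
    loaded = compile_rules(rules, gw_up, GROUPS)
    matched = next(r for r, _ in loaded if r.source in ("any", "lan-host"))
    return matched.target


def scenario_clientc(wan3_up: bool, skip: bool) -> tuple:
    """clientC pinned to WAN3 directly, followed by a reject rule, with
    the catch-all group rule last (hypothetical names from the reply)."""
    gw_up = {"WAN1": True, "WAN2": True, "WAN3": wan3_up}
    rules = [Rule("clientC", "pass", "WAN3"),
             Rule("clientC", "reject", None),
             Rule("any", "pass", "LoadbalanceGWGroup")]
    loaded = compile_rules(rules, gw_up, GROUPS, skip_when_down=skip)
    return route("clientC", loaded), route("other", loaded)


def scenario_group_with_skip(wan1_up: bool) -> list:
    """Option D: the skip setting does not remove a rule that uses a group."""
    gw_up = {"WAN1": wan1_up, "WAN2": True}
    loaded = compile_rules([Rule("any", "pass", "LoadbalanceGWGroup")],
                           gw_up, GROUPS, skip_when_down=True)
    return route("lan-host", loaded)


if __name__ == "__main__":
    print("single group, WAN2 down :", scenario_single_group(False))
    print("three catch-alls hit    :", scenario_three_catchalls())
    print("clientC, WAN3 down, skip:", scenario_clientc(False, True))
    print("clientC, WAN3 down,noskp:", scenario_clientc(False, False))
    print("group rule, WAN1 down   :", scenario_group_with_skip(False))
```

    Running it shows the three points of the reply: with WAN3 down and the skip option on, clientC hits the reject rule instead of silently leaving via the default WAN; with the option off, the same client goes out the default route; and a rule using a group keeps routing via the remaining members in either case.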



  • Thank you @jimp

    That helps clarify quite a bit. There really isn't much available about the "Skip Rules" setting.

    Based on the documentation, your answers are what I expected, but I wanted to be sure.

    Thanks again,
    Josh