Gateway group tier priority not being followed

SeanAC

I have two pfsense routers linked by two wireless links and a Pritunl VPN link. I am using gateway groups for failover. I have set WIFILink2 as the tier 1 member, WIFILink1 as the tier 2 member and Pritunl VPN as tier 3. No matter how I set the tier 1 and tier 2 members, WIFILink1 is always the preferred link. I have deleted the groups on both routers and rebooted both routers. In Firewall Rules the gateway group is set as the gateway for the appropriate subnets on both routers. None of these interfaces are the default gateway.

This used to work and the problem seemed to occur after upgrading pfsense to 2.4.0-RELEASE on both routers. I cannot be sure it is related to the upgrade since I am not checking it regularly. I just noticed the issue the other day after one set of radios that had been dead for months was replaced. There are a couple of static routes on the routers but they point to other subnets. I have also looked via CLI for odd routes and did not see anything significant.

I have looked on the forum and the google machine but could not find any similar problems or solutions. Any thoughts or assistance to resolve this issue would be greatly appreciated.

jimp

Are WIFILink1 and WIFILink2 using different subnets and gateways?

The only way I could see it breaking as you describe is if both gateways were the same, which isn't supported because the behavior is unpredictable, as you see here.

SeanAC

They are using different subnets and gateways. On one router WIFILink1 is 192.168.9.2/29 with a gateway of 192.168.9.1 and WIFILink2 is 192.168.9.10/29 gw 192.168.9.9.

jimp

That should be OK then, assuming there isn't a VIP or something else in the routing table declaring that as a /24 or some other larger subnet that contains both.

Next step would be to post screenshots of your gateways, gateway groups, and LAN rules that show the gateway groups being used.

SeanAC

See down below for screenshots of router1.

So I have done some more testing and have narrowed it down. When using a PC on this router1's LAN, downloading is using WIFILink1 and uploading is using WIFILink2. So I changed the Firewall rules not to use the gateway group but to use only the WIFI2_GW on both routers.
Router1: 0_1550870097055_07a1e25f-edcb-43bc-8c74-1b156950e876-image.png
Router2: 0_1550870864772_71e4ffd4-949d-495b-9292-45bdee09f186-image.png
Some traffic is still using WIFILink1. I am not sure how. See traffic graphs on router1 after I disabled the WIFILink1 interface and then enabled in on router2 with the above rules to use WIFI2_GW and WIFI_GW_2:
0_1550870647694_3d806ef3-a5bc-458e-93ad-9c6940e2d28e-image.png

Maybe I am missing something in my settings or my understanding.

Router1 screenshots:

0_1550790411939_4b984daa-0422-4924-a48c-a5262e12a007-image.png

0_1550790446656_ec6ded53-07eb-4fcd-b0e7-be4665ed1796-image.png

0_1550790756147_b40b524e-5191-470d-a5bf-3d3e9540cda2-image.png

0_1550790794079_2db95bef-d01a-433f-aab2-98f9fd59a9ed-image.png