Multi-Wan routing issue to standby WAN address
-
Running 2.4.4-RELEASE-p2 (amd64)
There are two WANs in a Gateway Group: interface WAN is Tier 1 and interface WAN_Failover is Tier 2.
There is no Load Balancing or Traffic Shaping defined in this box.
I want to access the pfSense box using either WAN.
I only want two incoming rules on WAN_Failover interface: allow ICMP Echo Requests and allow HTTPS traffic, both restricted to the WAN_Failover IP4 address.
In each of these two rules I set the Advanced Option “Gateway” to the WAN_Failover gateway address (the documentation being “Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.”).
For each of these WANs, I can ping 8.8.8.8 from the Diagnostics page, I can reach each ISP's DNS servers, and the monitored IPs in the Gateway Group are always reachable.
When I ping the WAN_Failover address, the reply goes out the WAN interface with the source address set to the WAN_Failover IP address. This is verified using Packet Capture on the WAN interface and the Firewall log showing the incoming packet on the WAN_Failover interface.
I understand that the default route is set to the WAN interface and I can verify that: this is the normal condition that I expect.
However, I do not understand why the return Gateway for these packets is not being honored: I also expect to reach the pfSense box at all times using this IP, regardless of the state of the Gateway Group.
Can anybody help me understand why this asymmetric routing is happening?
-
@SergeCaron said in Multi-Wan routing issue to standby WAN address:

> I only want two incoming rules on WAN_Failover interface: allow ICMP Echo Requests and allow HTTPS traffic, both restricted to the WAN_Failover IP4 address.
> In each of these two rules I set the Advanced Option “Gateway” to the WAN_Failover gateway address (the documentation being “Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.”).

You do not want to select a gateway for rules on a WAN interface. That does not set a return gateway, it sets up route-to, which is much different. That delivers packets to a gateway without processing them locally first.

If you set up the WAN interface and its gateway properly (meaning the gateway is defined and selected under Interfaces > WAN_Failover) then any pass rule on that WAN will automatically get the proper reply-to setup to make sure that responses go back to that gateway like you want.
-
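As an added illustration of the difference described in the reply (this is constructed pf syntax, not the thread's own rules or pfSense's actual generated ruleset), the two rule forms side by side; the interface names, the firewall address and the gateway address are assumptions made up for the example:

```pf
# Constructed example. Assumed names: igb0 is WAN (default route),
# igb1 is WAN_Failover. Addresses are documentation-range placeholders.
wan_if    = "igb0"
wanfo_if  = "igb1"
wanfo_ip  = "203.0.113.10"   # the WAN_Failover interface address
wanfo_gw  = "203.0.113.1"    # the WAN_Failover upstream gateway

# Form 1: what a plain pass rule on a WAN gets when that WAN has its
# gateway defined and selected under Interfaces. reply-to records the
# arrival interface and gateway in the state, so replies to an echo
# request or an HTTPS session that came in on igb1 leave via igb1's
# gateway even though the system default route points out igb0.
# This is the behaviour the original poster wants: symmetric return.
pass in quick on $wanfo_if reply-to ($wanfo_if $wanfo_gw) \
    inet proto icmp from any to $wanfo_ip icmp-type echoreq keep state
pass in quick on $wanfo_if reply-to ($wanfo_if $wanfo_gw) \
    inet proto tcp from any to $wanfo_ip port 443 flags S/SA keep state

# Form 2: what selecting a gateway in the rule's Advanced Options
# produces instead. route-to is policy routing of the matching packet
# itself: the inbound packet is handed to the named gateway rather than
# being processed by the firewall, so it is the wrong tool for traffic
# addressed to the firewall's own interface.
pass in quick on $wanfo_if route-to ($wanfo_if $wanfo_gw) \
    inet proto icmp from any to $wanfo_ip icmp-type echoreq keep state
```

On a pfSense box the generated rules can be inspected with `pfctl -sr` from Diagnostics > Command Prompt, which makes it easy to confirm whether a given WAN rule carries reply-to or route-to.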