Firewall Rules gateway settings ignored, when failover gateway group set as default gateway

linkinpio · Feb 24, 2021, 12:02 AM

Hi All,
Sorry if this is a stupid question but I'm new to this and don't know if this is a bug or is working as per design as I could not found answer anywhere.

So the scenario is multiple WANs:
WAN1
WAN2
each of them have one GW, both configured as a failover group GW-GROUP. with WAN1 as preferred Tier1 and WAN2 as Tier2.
To simplify it we have only one rule on LAN which is allow all/any.

Scenarios:
Default gateway is set to Automatic and LAN rule GW Default it uses only WAN1 GW which is normal.
When you set Default gateway to GW-GROUP and LAN rule GW Default - it uses failover group which is logical as uses system default.
When you set Default gateway to Automatic or GW1 or GW2 and LAN rule GW as GW-GROUP - it uses failover group which is fine and expected that is using the Rule GW setting.

But when you set Default gateway to GW-GROUP , regardless of the settings on the LAN FW rule GW (GW1,GW2,Default) it still uses the failover group GW-GROUP, and I can't seems to make it use any of the specific GW for that traffic.

Is this expected? As logically thinking and quoting the documentation which is, only not matched traffic should be using default gateway settings it should not behave like this and should use Rule GW settings.
Or maybe I am interpreting this wrong and this is expected.
I appreciate your opinion help.

BTW this is on the latest 2.5.0 release

Alefe · Feb 24, 2021, 6:40 PM

this works yes tested in 2.5, I have this same environment mentioned in production

linkinpio · Feb 24, 2021, 9:18 PM

@alefe said in Firewall Rules gateway settings ignored, when failover gateway group set as default gateway:

this works yes tested in 2.5, I have this same environment mentioned in production

Hi alefe, thanks for replying, but I'm not sure if I get you right, so is this normal that it's behaving as expected, meaning if we set default gateway to gateway group all rules will use that gateway group?
Or it's something wrong with my setup?

Alefe · Feb 25, 2021, 3:25 PM

@linkinpio if you use the gw group all the rules used the defined group, however if in the rule point to the specific Gw the traffic will be forwarded to Gw specified in the rule exactly how you want it to work i don't speak english but could remotely try to help you with the settings

linkinpio · Mar 4, 2021, 10:40 PM

@alefe thank you for your offer, but I don't want to waste to much of your time trying to schedule a remote session.
Let me try explain what is the problem on home lab example:

We have following gateways config with default gateway set to failover group preferring GW1

And LAN rules are set to use only GW1 172.16.0.1/24 only, do not use failover.

and when you have GW1 down

FW makes a failover to WAN2 regardless of the rules setting to use only GW1

Only if I set default GW to something different than GW group like automatic or ether GW

Then the GW settings on FW rules are followed/respected:

Hope I explained my query clearer now.
And my question is: Is this is expected behaviour?

Best regards,
Piotr Marchewka