Netgate Discussion Forum

Firewall Rules gateway settings ignored, when failover gateway group set as default gateway

Routing and Multi WAN
5 Posts 2 Posters 796 Views
  • linkinpio (Feb 24, 2021, 12:02 AM)

    Hi All,
    Sorry if this is a stupid question, but I'm new to this and don't know if this is a bug or is working as designed, as I could not find an answer anywhere.

    So the scenario is multiple WANs:
    WAN1
    WAN2
    Each of them has one GW; both are configured as a failover group GW-GROUP, with WAN1 as preferred Tier 1 and WAN2 as Tier 2.
    To simplify it, we have only one rule on LAN, which is allow all/any.

    Scenarios:
    Default gateway set to Automatic and LAN rule GW set to Default: it uses only the WAN1 GW, which is normal.
    Default gateway set to GW-GROUP and LAN rule GW set to Default: it uses the failover group, which is logical as it uses the system default.
    Default gateway set to Automatic, GW1 or GW2 and LAN rule GW set to GW-GROUP: it uses the failover group, which is fine and expected, as it is using the rule GW setting.

    But when you set Default gateway to GW-GROUP, regardless of the GW setting on the LAN FW rule (GW1, GW2, Default), it still uses the failover group GW-GROUP, and I can't seem to make it use any of the specific GWs for that traffic.

    Is this expected? Thinking logically, and quoting the documentation, which says only unmatched traffic should use the default gateway settings, it should not behave like this and should use the rule GW settings.
    Or maybe I am interpreting this wrong and this is expected.
    I'd appreciate your opinion/help.

    BTW this is on the latest 2.5.0 release.

    • Alefe (Feb 24, 2021, 6:40 PM)

      This works, yes, tested in 2.5. I have this same environment as mentioned in production.

      • linkinpio @Alefe (Feb 24, 2021, 9:18 PM)

        @alefe said in Firewall Rules gateway settings ignored, when failover gateway group set as default gateway:

        > This works, yes, tested in 2.5. I have this same environment as mentioned in production.

        Hi alefe, thanks for replying, but I'm not sure if I get you right. So is it normal that it's behaving this way, meaning that if we set the default gateway to a gateway group, all rules will use that gateway group?
        Or is something wrong with my setup?

        • Alefe @linkinpio (Feb 25, 2021, 3:25 PM)

          @linkinpio If you use the GW group, all the rules use the defined group; however, if the rule points to a specific GW, the traffic will be forwarded to the GW specified in the rule, exactly how you want it to work. I don't speak English, but I could remotely try to help you with the settings.

          • linkinpio @Alefe (Mar 4, 2021, 10:40 PM)

            @alefe Thank you for your offer, but I don't want to waste too much of your time trying to schedule a remote session.
            Let me try to explain what the problem is with a home lab example:

            We have the following gateway config, with the default gateway set to the failover group preferring GW1:
            (screenshot: gateways list)
            (screenshot: default gateway set to the failover group)
            And the LAN rules are set to use GW1 172.16.0.1/24 only, not the failover group:
            (screenshot: LAN rule with gateway GW1)
            And when GW1 is down:
            (screenshot: GW1 marked down)
            the FW fails over to WAN2 regardless of the rule's setting to use only GW1:
            (screenshot: traffic leaving via WAN2)

            Only if I set the default GW to something other than the GW group, like Automatic or either GW:
            (screenshot: default gateway set to Automatic)
            are the GW settings on the FW rules followed/respected:
            (screenshot: traffic leaving via GW1 only)

            Hope I explained my query more clearly now.
            And my question is: is this expected behaviour?

            Best regards,
            Piotr Marchewka

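An added check, not part of this thread or of pfSense's own tooling, that makes the behaviour described in the first post's scenarios and in the screenshots above visible on the firewall itself. pfSense implements a rule's Gateway setting as a pf `route-to` clause, and `pfctl -sr` shows that clause verbatim on each loaded rule; a rule with no `route-to` follows the system routing table, i.e. whatever the default gateway or default gateway group is. The relevant setting is System > Advanced > Miscellaneous, "Skip rules when gateway is down": with it unchecked (the default), a rule whose gateway is down is loaded without its `route-to`, so its traffic takes the default gateway (here the failover group); with it checked, the rule is omitted entirely. The rule text below is constructed to look like pfSense output; interface names (em0/em1/em2), RFC 5737 addresses and rule labels are assumptions. On a pfSense shell, feed it `pfctl -sr` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): per user rule in `pfctl -sr` output,
# print the route-to target pf will actually use. SAMPLE_RULES is CONSTRUCTED
# to resemble pfSense output; interfaces, addresses and labels are assumed.
SAMPLE_RULES='pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any via GW1"
pass in quick on em1 route-to { (em0 203.0.113.1) (em2 198.51.100.1) } round-robin inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any via LB-GROUP"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any default"'

# route_to_of LINE: print the route-to clause of one pf rule, or "none" when
# the rule has no route-to (the packet then follows the system routing table,
# i.e. the default gateway or default gateway group).
route_to_of() {
    case "$1" in
        *" route-to "*) printf '%s\n' "$1" | sed -e 's/.*route-to //' -e 's/ inet .*//' ;;
        *) echo none ;;
    esac
}

# route_to_for_label RULES LABEL_SUBSTRING: route-to target of the first rule
# whose label contains LABEL_SUBSTRING; "no-such-rule" (exit 1) if none matches.
route_to_for_label() {
    line=$(printf '%s\n' "$1" | grep -F -- "$2" | head -n 1)
    if [ -z "$line" ]; then
        echo no-such-rule
        return 1
    fi
    route_to_of "$line"
}

# audit RULES: one "label<TAB>route-to" line per USER_RULE, so you can see at a
# glance which rules pin a gateway and which ones fall back to the default.
audit() {
    printf '%s\n' "$1" | grep -F 'label "USER_RULE:' | while IFS= read -r line; do
        label=$(printf '%s\n' "$line" | sed -e 's/.*label "USER_RULE: //' -e 's/".*//')
        printf '%s\t%s\n' "$label" "$(route_to_of "$line")"
    done
}

# Live use on pfSense (FreeBSD):  audit "$(pfctl -sr)"
audit "$SAMPLE_RULES"
```

Run it once with GW1 up and once with GW1 down: if the "via GW1" rule's route-to changes to `none` after the gateway goes down, the rule has been loaded without its gateway and the failover seen in the screenshots is the default gateway group doing its job, not the rule being ignored. For the policy-routing behaviour the thread describes, `pfctl -ss` is the companion check: each state shows the `route-to` gateway it was created with.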
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.