Netgate Discussion Forum
    Firewall Rules gateway settings ignored, when failover gateway group set as default gateway

    Routing and Multi WAN
    5 Posts 2 Posters 958 Views
    • linkinpio

      Hi All,
      Sorry if this is a stupid question, but I'm new to this and don't know if this is a bug or is working as designed, as I could not find an answer anywhere.

      So the scenario is multiple WANs:
      WAN1
      WAN2
      Each of them has one GW, both configured in a failover group GW-GROUP, with WAN1 as the preferred Tier 1 and WAN2 as Tier 2.
      To simplify it, we have only one rule on LAN, which is allow all/any.

      Scenarios:
      Default gateway set to Automatic and LAN rule GW set to Default: it uses only the WAN1 GW, which is normal.
      Default gateway set to GW-GROUP and LAN rule GW set to Default: it uses the failover group, which is logical as it uses the system default.
      Default gateway set to Automatic, GW1 or GW2 and LAN rule GW set to GW-GROUP: it uses the failover group, which is fine and expected, as it is using the rule GW setting.

      But when you set the default gateway to GW-GROUP, regardless of the GW setting on the LAN FW rule (GW1, GW2, Default), it still uses the failover group GW-GROUP, and I can't seem to make it use any of the specific GWs for that traffic.

      Is this expected? Logically, and quoting the documentation, which says that only traffic not matched by a rule should use the default gateway settings, it should not behave like this and should use the rule GW settings.
      Or maybe I am interpreting this wrong and this is expected.
      I appreciate your opinion/help.

      BTW this is on the latest 2.5.0 release

      • Alefe

        This works, yes, tested in 2.5. I have this same environment mentioned in production.

        • linkinpio @Alefe

          @alefe said in Firewall Rules gateway settings ignored, when failover gateway group set as default gateway:

          this works yes tested in 2.5, I have this same environment mentioned in production

          Hi alefe, thanks for replying, but I'm not sure if I got you right. So is it normal that it's behaving like this, meaning that if we set the default gateway to a gateway group, all rules will use that gateway group?
          Or is something wrong with my setup?

          • Alefe @linkinpio

            @linkinpio If you use the GW group, all the rules use the defined group; however, if the rule points to a specific GW, the traffic will be forwarded to the GW specified in the rule, exactly how you want it to work. I don't speak English, but I could remotely try to help you with the settings.

            • linkinpio @Alefe

              @alefe Thank you for your offer, but I don't want to waste too much of your time trying to schedule a remote session.
              Let me try to explain what the problem is on a home lab example:

              We have the following gateway config, with the default gateway set to the failover group preferring GW1:
              [screenshot: gateway configuration]
              [screenshot: default gateway set to the failover group]
              And the LAN rules are set to use only GW1 172.16.0.1/24, do not use failover:
              [screenshot: LAN rule gateway set to GW1]
              And when you have GW1 down:
              [screenshot: GW1 down]
              the FW makes a failover to WAN2 regardless of the rule setting to use only GW1:
              [screenshot: traffic leaving via WAN2]

              Only if I set the default GW to something different from the GW group, like Automatic or either GW:
              [screenshot: default gateway set to Automatic / a specific GW]
              are the GW settings on the FW rules followed/respected:
              [screenshot: rule gateway respected]

              Hope I explained my query more clearly now.
              And my question is: Is this expected behaviour?

              Best regards,
              Piotr Marchewka

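The following is an added illustration, not code from either poster and not pfSense's own code. It is a small Python model of the interaction between the rule gateway and the default gateway that the thread describes. It assumes the documented behaviour of the pfSense option "Skip rules when gateway is down" (System > Advanced > Miscellaneous, under Gateway Monitoring): when the option is off, which is the default, a rule whose gateway is down is still loaded but without that gateway, so matching traffic follows the system default route; when the default route is the failover group, that is exactly the failover the last post shows. When the option is on, the rule is omitted entirely while its gateway is down. The Gateway and GatewayGroup types, the tier-based group resolution and the scenario() helper are this example's own simplifications; the Automatic default gateway mode is not modelled.

```python
"""Toy model of which gateway policy-routed traffic leaves through on pfSense.

Added illustration only. Assumptions, stated here and in the lead-in:
  - "Skip rules when gateway is down" OFF (default): a rule whose gateway is
    down is still loaded, but without route-to, so traffic uses the default route.
  - "Skip rules when gateway is down" ON: the rule is dropped while its gateway is down.
  - A gateway group resolves to its lowest-tier member that is online.
  - A specific gateway chosen as default stays the default even when down
    (traffic then has no usable route). "Automatic" mode is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    online: bool


@dataclass
class GatewayGroup:
    name: str
    members: list[tuple[int, str]]  # (tier, gateway name); lower tier is preferred


# Constructed topology matching the thread: two WAN gateways, one failover group.
GATEWAY_NAMES = ("GW1", "GW2")
GROUPS = {"GW-GROUP": GatewayGroup("GW-GROUP", [(1, "GW1"), (2, "GW2")])}


def resolve(target: str, gateways: dict[str, Gateway], groups: dict[str, GatewayGroup]) -> str | None:
    """Return the online gateway a target currently points at, or None.

    A group yields its lowest-tier online member; a plain gateway yields itself
    only while it is online.
    """
    if target in groups:
        for _tier, member in sorted(groups[target].members):
            if gateways[member].online:
                return member
        return None
    gw = gateways[target]
    return gw.name if gw.online else None


def effective_gateway(rule_gw: str, default_gw: str, gateways: dict[str, Gateway],
                      groups: dict[str, GatewayGroup], skip_rules_when_down: bool = False) -> tuple[str | None, str]:
    """Model where traffic matching a LAN rule leaves. Returns (gateway or None, reason)."""
    if rule_gw != "default":
        target = resolve(rule_gw, gateways, groups)
        if target is not None:
            return target, "rule gateway (route-to)"
        if skip_rules_when_down:
            return None, "rule skipped because its gateway is down"
        # Default pfSense behaviour (assumed): rule kept without route-to.
        reason = "rule gateway down, traffic falls through to the default route"
    else:
        reason = "rule uses the default gateway"
    target = resolve(default_gw, gateways, groups)
    if target is None:
        return None, reason + " (no online default route)"
    return target, reason


def scenario(rule_gw: str, default_gw: str, down: tuple[str, ...] = (), skip: bool = False) -> tuple[str | None, str]:
    """Build gateway states from a list of down gateways and evaluate one case."""
    gateways = {n: Gateway(n, n not in down) for n in GATEWAY_NAMES}
    return effective_gateway(rule_gw, default_gw, gateways, GROUPS, skip)


if __name__ == "__main__":
    cases = [
        ("GW1", "GW-GROUP", ("GW1",), False),  # the poster's case: fails over to GW2
        ("GW1", "GW-GROUP", ("GW1",), True),   # with the skip option: no route at all
        ("GW1", "GW1", ("GW1",), False),       # default is the down gateway itself
        ("default", "GW-GROUP", ("GW1",), False),
        ("GW-GROUP", "GW1", ("GW1",), False),
    ]
    for rule_gw, default_gw, down, skip in cases:
        out, why = scenario(rule_gw, default_gw, down, skip)
        print(f"rule={rule_gw:9} default={default_gw:9} down={down} skip={skip!s:5} -> {out} ({why})")
```

On a live firewall the same distinction can be checked with pfctl -sr: a policy-routed rule carries a route-to clause, and after its gateway goes down the reloaded rule either loses that clause (skip option off, traffic follows the default route) or disappears from the ruleset (skip option on).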
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.