Firewall with gateway set seems to be ignored.
-
I've had setup for a while a rule to send all pbx traffic over a secondary connection with a static IP setup on a firewall rule.
But for some reason we are seeing traffic ignoring this rule and just go out on the main WAN connection.
I've checked for any floating rules or anything else that might be allowing this, but there aren't any floating rules or anything else that I can see, and this is the number two LAN rule, with just the auto-created anti-lockout rule above it.

In what scenarios would that rule be ignored?

The rule uses a destination alias made up of 2 IPs and two DNS names, so nothing complicated.

I don't remember this being a problem before, but since we have upgraded from 2.4.5 we have been getting issues with SIP traffic and random high latency (goes from 30ms to 120ms), and it just drops the connection randomly over a number of phones. While trying to track down that issue we have also found this issue, and I'm wondering if the two could be related in any way.
This current issue with firewall rules I didn't notice with 2.5.1, but it seems to have crept in with 2.5.2.
WAN 1 is a Virgin Media UK DHCP WAN
WAN 2 is PPPoE via Plusnet (BT, using an HG612 3b)

Not sure of the best way to proceed.
Best Regards
Dave -
@webstaff said in Firewall with gateway set seems to be ignored.:
In what scenarios would that rule be ignored?
If the respective gateway is determined as offline by dpinger.
So check Status > Gateways for its proper function. -
Interesting. I didn't realise that was the default behaviour; surprised I've never come across that before.
But it looks like that's the instance of the gateway being down:

Aug 1 12:37:36 dpinger 57979 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr x.x.x.x identifier "VMWAN_DHCP "
Aug 1 12:37:37 dpinger 64609 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind__addr x.x.x.x identifier "VMWAN_DHCP "
Aug 1 12:37:49 dpinger 30133 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 1.1.1.1 bind_addr x.x.x.x identifier "WANPLUSDSL_PPPOE "
Aug 1 12:37:49 dpinger 31509 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr x.x.x.x identifier "VMWAN_DHCP "

Which was when I was upgrading from 2.5.1 to 2.5.2.
So I will chalk it up to that for now while we investigate the original issue of these SIP phones suddenly getting an extra 100ms round trip randomly and random disconnects. Something very funky has been happening here since we left 2.4.5; might just nip over with a new pfSense box and replace it.

Regards
Dave -
@webstaff
The question is, if your WAN really is going down or if only the monitoring IP does not respond to ping.
However, since both WANs with different monitoring IPs are affected, I assume there is something odd with your connection or with pfSense.

Possibly it helps to check System > Advanced > Miscellaneous > Skip rules when gateway is down to avoid the policy routing rule being omitted when the gateway monitoring is failing.
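To make the two answers above concrete (dpinger declaring the gateway offline, and the "Skip rules when gateway is down" option), here is an added Python example that is not part of the thread or of pfSense itself. It parses dpinger start-up lines in the format quoted in the thread to recover each gateway's alarm thresholds, applies a simplified version of dpinger's alarm decision (average latency over the window above `latency_alarm`, or loss above `loss_alarm`) to a constructed set of probe results, and maps the result onto what happens to a policy-routing rule: with the option unchecked pfSense loads the rule without its gateway, so the traffic takes the default route (the main WAN, as observed in the first post); with it checked the whole rule is omitted. The log lines are constructed samples with placeholder `bind_addr` values, the probe results are invented, and the sliding-window details of real dpinger are simplified.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the same format as the dpinger start-up messages
# quoted in the thread; bind_addr is a placeholder, not a real address.
SAMPLE_LOG = """\
Aug 1 12:37:36 dpinger 57979 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr x.x.x.x identifier "VMWAN_DHCP "
Aug 1 12:37:49 dpinger 30133 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 1.1.1.1 bind_addr x.x.x.x identifier "WANPLUSDSL_PPPOE "
"""

LINE_RE = re.compile(
    r'dpinger \d+ .*?time_period (?P<period>\d+)ms .*?'
    r'latency_alarm (?P<lat>\d+)ms loss_alarm (?P<loss>\d+)% '
    r'dest_addr (?P<dest>\S+) bind_addr \S+ identifier "(?P<ident>[^"]*)"'
)


@dataclass
class MonitorConfig:
    gateway: str            # pfSense gateway name (dpinger "identifier")
    dest_addr: str          # monitor IP being pinged
    time_period_ms: int     # averaging window
    latency_alarm_ms: int   # average RTT above this -> gateway marked down
    loss_alarm_pct: int     # loss above this -> gateway marked down


def parse_dpinger_log(text):
    """Return {gateway_name: MonitorConfig} from dpinger start-up lines.
    A later restart line for the same gateway replaces the earlier entry."""
    configs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cfg = MonitorConfig(
            gateway=m.group("ident").strip(),
            dest_addr=m.group("dest"),
            time_period_ms=int(m.group("period")),
            latency_alarm_ms=int(m.group("lat")),
            loss_alarm_pct=int(m.group("loss")),
        )
        configs[cfg.gateway] = cfg
    return configs


def evaluate_gateway(cfg, rtts_ms):
    """Simplified model of dpinger's alarm decision over one time_period.
    rtts_ms holds one entry per probe; None means the probe got no reply.
    Returns ("up"|"down", reason)."""
    if not rtts_ms:
        return ("down", "no probes in window")
    lost = sum(1 for r in rtts_ms if r is None)
    loss_pct = 100.0 * lost / len(rtts_ms)
    answered = [r for r in rtts_ms if r is not None]
    avg_ms = sum(answered) / len(answered) if answered else float("inf")
    if loss_pct > cfg.loss_alarm_pct:
        return ("down", f"loss {loss_pct:.0f}% > {cfg.loss_alarm_pct}%")
    if avg_ms > cfg.latency_alarm_ms:
        return ("down", f"latency {avg_ms:.0f}ms > {cfg.latency_alarm_ms}ms")
    return ("up", f"loss {loss_pct:.0f}%, latency {avg_ms:.0f}ms")


def policy_route_outcome(status, skip_rules_when_down=False):
    """What pfSense does with a rule that names this gateway (documented
    behaviour of the 'Skip rules when gateway is down' option)."""
    if status == "up":
        return "policy-routed via the rule's gateway"
    if skip_rules_when_down:
        return "rule omitted entirely; traffic falls through to later rules"
    return "rule loaded without its gateway; traffic follows the default route"


def demo():
    """Walk the constructed scenarios; returns {gateway: (status, outcome)}."""
    configs = parse_dpinger_log(SAMPLE_LOG)
    # Invented probe windows: the DHCP WAN sees the 30ms -> 120ms jump from the
    # thread (still far below 500ms), the PPPoE WAN loses 5 of 20 probes (25%).
    windows = {
        "VMWAN_DHCP": [30] * 10 + [120] * 10,
        "WANPLUSDSL_PPPOE": [40] * 15 + [None] * 5,
    }
    results = {}
    for name, cfg in configs.items():
        status, reason = evaluate_gateway(cfg, windows[name])
        results[name] = (status, policy_route_outcome(status))
        print(f"{name:18} {status:4} ({reason}) -> {results[name][1]}")
    return results


if __name__ == "__main__":
    demo()
```

The point to check on the box is Status > Gateways: if a gateway showed as down, even briefly during the dpinger restart at upgrade time, every rule pointing at it was reloaded without the gateway and that traffic left via the default WAN until the next rule reload.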