interface groups - multi wan
-
"Interface groups are not effective with Multi-WAN because group rules cannot properly handle reply-to. Due to that deficiency, traffic matching a group rule on a WAN that does not have the default gateway will go back out the WAN with the default gateway, and not through the interface which it entered." -
does this mean interface groups are not effective on WAN interfaces when multiple WANs exist, or they are not effective on any interface, i.e. LAN groups, when multiple WANs exist?
-
@gwaitsi
The reply-to tag is added to a connection by the firewall rule which allows the incoming traffic. This requires that the interface to which the rule is applied is unique and that it has a gateway assigned.
Interface group rules don't have a unique interface naturally. Hence pfSense does not add the reply-to to connections which are allowed by such rules.
The same applies to floating rules. However, you can use interface groups for internal interfaces to share rules, even with a multi-WAN setup.
-
@viragomann so in simple English, if I have 2 WANs connected and 2 LANs, I can use an interface group for the 2 LANs, but not the 2 WANs, correct?
-
@gwaitsi
Correct. Reply-to is only needed on WANs (interfaces with a gateway assigned to them).
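To make the mechanism in this thread concrete, here is a constructed pf rule fragment in the style of a pfSense-generated ruleset (an added example, not taken from the thread or from pfSense's real output; the interface names, group names and addresses are assumptions):

```pf
# Constructed example: two WANs, WAN (em0, default gateway 203.0.113.1)
# and WAN2 (em1, gateway 198.51.100.1). Interfaces and addresses are assumed.

# Per-interface rule on WAN2: the interface is unique and has a gateway,
# so reply-to is attached and replies leave via 198.51.100.1 on em1.
pass in quick on em1 reply-to (em1 198.51.100.1) inet proto tcp \
    from any to 198.51.100.10 port 443 keep state

# Same traffic allowed by a rule on an interface group "WANGRP" (em0 + em1):
# there is no single interface, so no reply-to is attached. Inbound packets
# on em1 are still passed, but their replies follow the default route and
# leave on em0, which is the asymmetry the quoted documentation warns about.
pass in quick on WANGRP inet proto tcp \
    from any to 198.51.100.10 port 443 keep state

# LAN group "LANGRP" (em2 + em3): these interfaces have no gateway, so
# reply-to is never needed and group rules work as expected under multi-WAN.
pass in quick on LANGRP inet from 10.0.0.0/8 to any keep state
```

Since the reply-to is carried by the state, only the rule that creates the state matters; pfSense evaluates group rules before per-interface rules, so a group rule matching inbound WAN2 traffic creates the state without reply-to even when a per-interface reply-to rule also exists.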