Connection to one WAN from public internet results in response incorrectly exiting another WAN's interface.
-
Example:
I have two WANs. Each has a firewall rule allowing ICMP. If I ping one WAN Interface IP from the public internet, a packet capture of the second WAN interface will show the response exiting the second WAN with the first WAN's source IP and the second WAN's gateway's MAC address. Of course, the second gateway doesn't route WAN 1's subnet, so it drops the packet. I've run into this issue on 2.4.5, 2.6.0 and now 2.7.0.
I've been using pfSense since 1.2.1 and have deployed it hundreds of times (not exaggerating) so I do consider myself sufficiently experienced. Of course my actual scenario is a bit more complicated:
I have two WANs (from two different ISPs doing cross-connects in my datacenter) that my virtualized pfSense 2.7.0 will forward some ports from Virtual WAN IPs on each WAN to a common server with two LAN IPs, one dedicated to each WAN. Manual outbound NAT associates each LAN IP with its respective WAN IP. Firewall rules point outbound traffic from the server to the appropriate gateway based on its source (LAN) IP. (This seems to work fine)
In theory, I should be able to set DNS A/NAPTR/SRV records to point to IPs on both ISPs and have the server function equally on both WANs. (I'm hosting both SIP and HTTP/S, if that matters)
In reality, some traffic establishes a connection/state to the server behind NAT via WAN 1 and some non-zero amount of return traffic from that server will exit WAN2's interface with WAN1's NAT IP, destined to WAN2's gateway's MAC. If configs are required, I should be able to sanitize some for posting. Just let me know.
May be related to #11824 and #11805 in bug tracker.
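As an added diagnostic example (not code from the poster or from pfSense), the script below checks capture summaries for the symptom described above: a frame leaving a WAN interface toward that WAN's gateway MAC while carrying a source IP that belongs to the other WAN. Interface names, addresses, MACs and the capture lines are all constructed placeholders.

```python
import ipaddress
from collections import namedtuple

# Constructed interface table (hypothetical values, not from the post):
# interface name -> (interface IPv4 address with prefix, gateway MAC)
WAN_INTERFACES = {
    "vmx1": ("198.51.100.10/24", "00:11:22:33:44:01"),  # WAN1 (constructed)
    "vmx2": ("203.0.113.10/24", "00:11:22:33:44:02"),   # WAN2 (constructed)
}

Packet = namedtuple("Packet", "iface src_mac dst_mac src_ip dst_ip")

def parse_capture(text):
    """Parse constructed one-packet-per-line summaries of the form
    '<iface> <src_mac> > <dst_mac> <src_ip> > <dst_ip>'."""
    packets = []
    for line in text.strip().splitlines():
        iface, src_mac, _, dst_mac, src_ip, _, dst_ip = line.split()
        packets.append(Packet(iface, src_mac, dst_mac, src_ip, dst_ip))
    return packets

def find_misrouted_egress(packets, interfaces=WAN_INTERFACES):
    """Return (egress iface, source IP, owning iface) for every frame sent to a
    WAN's gateway MAC whose source IP is not that WAN's own address, i.e. a
    reply owned by WAN1 exiting WAN2 toward WAN2's gateway."""
    findings = []
    for p in packets:
        if p.iface not in interfaces:
            continue
        own_net = ipaddress.ip_interface(interfaces[p.iface][0]).network
        gw_mac = interfaces[p.iface][1]
        # Only outbound frames addressed to this WAN's gateway are of interest.
        if p.dst_mac.lower() != gw_mac.lower():
            continue
        src = ipaddress.ip_address(p.src_ip)
        if src not in own_net:
            owner = next((n for n, (a, _) in interfaces.items()
                          if src in ipaddress.ip_interface(a).network), None)
            findings.append((p.iface, p.src_ip, owner))
    return findings

# Constructed capture: first line is the bad case, the other two are normal.
SAMPLE_CAPTURE = """\
vmx2 00:50:56:aa:bb:02 > 00:11:22:33:44:02 198.51.100.10 > 192.0.2.77
vmx2 00:50:56:aa:bb:02 > 00:11:22:33:44:02 203.0.113.10 > 192.0.2.77
vmx1 00:50:56:aa:bb:01 > 00:11:22:33:44:01 198.51.100.10 > 192.0.2.77
"""

if __name__ == "__main__":
    for iface, src, owner in find_misrouted_egress(parse_capture(SAMPLE_CAPTURE)):
        print(f"{iface}: egress with source {src}, which belongs to {owner}")
```

A real capture would be reduced to this line format from tcpdump's `-e` output per interface before feeding it in.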