Netgate Discussion Forum

    Two firewall accessing each other when gateway is down

    Routing and Multi WAN
    Farh @viragomann
    last edited by Farh

      @viragomann If I'm getting it correct, you mean choosing a gateway on Firewall > Rules.
      In my case every rule's gateway on both LAN and WAN is set to *.


      Farh
      last edited by Farh

        First of all, I want to thank everyone who replied to this topic and helped me find the problem.
        I did the following to resolve my problem. Maybe somebody else faces this problem and it may help:
        1- First I checked the ARP table on both firewalls and discovered that neither of them had the other's MAC address. It was strange to me because I had connected to them with HTTPS and HTTP, but pinging the other firewall from inside each one, even without a response (because of the firewall rule), added it to the ARP table.
        2- Step one didn't resolve the problem, but I believe it was required. Secondly, I tried many things that didn't work. After several hours of trial and error I discovered that, based on the MAC addresses, pfSense sends packets directly to OPNsense, but OPNsense replies through the default gateway to pfSense. After searching on the internet I found this link:
        https://forum.opnsense.org/index.php?topic=5615.0
        Some of the OPNsense guys say that enabling the "disable reply-to" option in OPNsense may resolve the problem.
        3- Surprisingly, enabling "disable reply-to" resolved the problem.
        I haven't disconnected the internet yet, but I believe the problem is resolved.
        I'd be glad if anyone can explain why this option worked, because I'm a little confused.
        Thanks


          viragomann @Farh

          @Farh
          Disabling reply-to on the accessed node - yeah, this could be a reason.
          When it is enabled, replies are directed to the gateway that is stated in the interface settings.

          Disabling reply-to could lead to issues with a multi-WAN setup, however.
          To avoid this, you can add pass rules at the top of the WAN rule set only for the source of the WAN subnet and disable reply-to in their advanced options.

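          As an added illustration (not posted by anyone in this thread, and not rules generated by pfSense or OPNsense themselves), this is what the advice above looks like in the underlying pf.conf syntax that both firewalls compile their GUI rules into. The interface name em0, the WAN subnet 203.0.113.0/24 and the upstream gateway 203.0.113.1 are assumed placeholder values. The first rule matches only the directly connected WAN subnet and carries no reply-to, so replies to the peer firewall follow the routing table (the connected route) and go straight back to it. The second rule keeps reply-to for everyone else, so in a multi-WAN setup Internet replies still leave through the WAN they arrived on.

```pf
# Assumed names and addresses; replace with your own WAN interface, subnet and gateway.
wan_if  = "em0"
wan_gw  = "203.0.113.1"
wan_net = "203.0.113.0/24"

# Rule 1 (must come first): peer on the same WAN segment.
# No reply-to here, so the reply uses the normal route lookup and hits the
# connected route for $wan_net, i.e. the reply is sent directly to the peer's MAC
# instead of being handed to the upstream gateway (the asymmetric path seen in the thread).
pass in quick on $wan_if inet proto tcp from $wan_net to ($wan_if) port { 80 443 } keep state

# Rule 2: everything else arriving on this WAN.
# reply-to pins the return traffic to this interface's gateway, which is what keeps
# multi-WAN replies on the correct uplink; it is also what broke the direct peer case above.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp from any to ($wan_if) port 443 keep state
```

          After loading the rules you can confirm the order with `pfctl -sr` and, while a test connection from the peer is open, check with `pfctl -ss` that the state was created by the first rule (the one without reply-to). The order matters: since both rules are `quick`, a connection from the WAN subnet that matched the reply-to rule first would again be answered through the gateway.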
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.