Netgate Discussion Forum

    Can't access admin on WAN2 unless it's the gateway

    Routing and Multi WAN
      Troutpocket

      We have a multi-WAN setup with two ISPs configured in a failover group. WAN1 is our primary and WAN2 is the backup. Fail-over works great! However, the issue is that, despite having the appropriate rules on each interface, I cannot access the admin interface from WAN2 while it isn't the primary gateway. I have a single floating rule for both interfaces which works to allow access when said interface is the primary gateway.


      When Comcast is the primary gateway I can access the admin ports via Comcast's IPs. When Lumen is the primary gateway I can access it via Lumen's IP address. But I can't access Comcast IPs when Lumen is the primary gateway and vice versa. It's essential that I have access over both links for remote maintenance.

      For troubleshooting I created individual rules under each interface with the same outcome. I even explicitly specified the gateway to use for each rule. No dice. In all instances I tcpdumped the interface and see my external packets arrive but no response is sent from the firewall.

      I had a similar issue with here where it appears that asymmetric routing was the culprit.

        Bob.Dig @Troutpocket

        @Troutpocket said in Can't access admin on WAN2 unless it's the gateway:

        I created individual rules under each interface with the same outcome. I even explicitly specified the gateway to use for each rule.

        Did you disable the floating rule beforehand? And I wouldn't set a gateway there.

          Troutpocket @Bob.Dig

          @Bob-Dig Yes, the floating rule was deleted. Setting the gateway was just an act of desperation.

            Mikedyx

            Classic asymmetric routing problem.
            Try ticking “Disable reply-to” on the WAN2 rule — usually does the trick

              Troutpocket @Mikedyx

              @Mikedyx Unfortunately that did not resolve the issue. I see the packets arrive with tcpdump, but there's no reply from the firewall. This coax connection is being replaced in a week or two. I'll see if the new fiber works as expected.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.