Netgate Discussion Forum

    Can't access admin on WAN2 unless it's the gateway

    Routing and Multi WAN
    • Troutpocket

      We have a multi-WAN setup with two ISPs configured in a failover group. WAN1 is our primary and WAN2 is the backup. Fail-over works great! However, the issue is that, despite having the appropriate rules on each interface, I cannot access the admin interface from WAN2 while it isn't the primary gateway. I have a single floating rule for both interfaces which works to allow access when said interface is the primary gateway.


      When Comcast is the primary gateway I can access the admin ports via Comcast's IPs. When Lumen is the primary gateway I can access it via Lumen's IP address. But I can't access Comcast IPs when Lumen is the primary gateway and vice versa. It's essential that I have access over both links for remote maintenance.

      For troubleshooting I created individual rules under each interface with the same outcome. I even explicitly specified the gateway to use for each rule. No dice. In all instances I tcpdumped the interface and see my external packets arrive but no response is sent from the firewall.

      I had a similar issue with here where it appears that asymmetric routing was the culprit.

      • Bob.Dig @Troutpocket

        @Troutpocket said in Can't access admin on WAN2 unless it's the gateway:

        I created individual rules under each interface with the same outcome. I even explicitly specified the gateway to use for each rule.

        Did you disable the floating rule beforehand? And I wouldn't set a gateway there.

        • Troutpocket @Bob.Dig

          @Bob-Dig Yes, the floating rule was deleted. Setting the gateway was just an act of desperation.

          • Mikedyx

            Classic asymmetric routing problem.
            Try ticking “Disable reply-to” on the WAN2 rule — usually does the trick

            • Troutpocket @Mikedyx

              @Mikedyx Unfortunately that did not resolve the issue. I see the packets arrive with tcpdump, but there's no reply from the firewall. This coax connection is being replaced in a week or two. I'll see if the new fiber works as expected.

              • Mikedyx @Troutpocket

                @Troutpocket Might be worth checking if there are any rules or NAT settings on WAN2 that block access when it’s not the active gateway. Also, could be a policy routing issue — maybe the replies aren’t going out the same way they came in?

                Enabling logging or packet captures on the firewall might give some clues.

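The capture check suggested in the post above can be automated. The following is an added example, not part of the original thread: it reads `tcpdump -n` text captured on each WAN interface and reports, for every inbound SYN to the admin port, whether the firewall's SYN-ACK left on the same interface, left on the other one (asymmetric routing), or was never sent. The interface names, addresses and capture lines are constructed assumptions.

```python
import re

# Matches tcpdump -n TCP lines: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed sample captures, one per WAN interface (documentation addresses;
# "wan1"/"wan2" and the firewall IPs 198.51.100.2 / 192.0.2.20 are assumptions).
CAPTURES = {
    "wan1": """\
12:00:01.000100 IP 203.0.113.10.51000 > 198.51.100.2.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000300 IP 198.51.100.2.443 > 203.0.113.10.51000: Flags [S.], seq 900, ack 101, win 65228, length 0
12:00:05.000400 IP 192.0.2.20.443 > 203.0.113.10.51001: Flags [S.], seq 901, ack 201, win 65228, length 0
""",
    "wan2": """\
12:00:05.000100 IP 203.0.113.10.51001 > 192.0.2.20.443: Flags [S], seq 200, win 64240, length 0
12:00:09.000100 IP 203.0.113.10.51002 > 192.0.2.20.443: Flags [S], seq 300, win 64240, length 0
12:00:10.000100 IP 203.0.113.10.51002 > 192.0.2.20.443: Flags [S], seq 300, win 64240, length 0
""",
}

def classify(captures, admin_port):
    """captures: {interface: tcpdump text}. Returns {(client_ip, client_port, iface_in): verdict}."""
    syns, synacks = {}, {}
    for iface, text in captures.items():
        for line in text.splitlines():
            m = LINE.search(line)
            if not m:
                continue
            src, sport, dst, dport, flags = m.groups()
            if flags == "S" and int(dport) == admin_port:
                syns.setdefault((src, sport, dst), iface)     # inbound SYN (retransmits ignored)
            elif flags == "S." and int(sport) == admin_port:
                synacks.setdefault((dst, dport, src), iface)  # firewall's SYN-ACK, keyed by client
    result = {}
    for (client, cport, _fw_ip), iface_in in syns.items():
        iface_out = synacks.get((client, cport, _fw_ip))
        if iface_out is None:
            verdict = "no-reply"                 # SYN arrived, firewall never answered
        elif iface_out == iface_in:
            verdict = "symmetric"                # reply left where the SYN came in
        else:
            verdict = f"asymmetric via {iface_out}"  # reply left through the other WAN
        result[(client, int(cport), iface_in)] = verdict
    return result

if __name__ == "__main__":
    for conn, verdict in classify(CAPTURES, 443).items():
        print(conn, verdict)
```

A "no-reply" verdict matches the symptom described in this thread; "asymmetric via ..." is the case the reply-to suggestion targets.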
                • Troutpocket

                  Finally got the new fiber circuit installed. Everything works normally as expected now. It was some voodoo in the Comcast Coax Cable Modem that was blocking return traffic.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.