Multi-WAN with Fallback: Incoming connection routing issue

  • Summary: Packets going out the wrong WAN


    • GW1: IP:, Gateway, Marked as default GW

    • GW3: IP:, Gateway


    • Servers:

    • VoIP:

    Routing: Two groups implementing fallback

    • preferGW1: GW1 is Tier 1 and GW3 is Tier 2

    • preferGW3: GW3 is Tier 1 and GW1 is Tier 2

    LAN Firewall Rules

    • LAN Servers: gateway is preferGW1

    • LAN VoIP: gateway is preferGW3

    Manual Outbound NAT Rules:

    • Interface GW1: Source any, other fields *

    • Interface GW3: Source any, other fields *

    What works:

    • All connections initiated by LAN clients behind the firewall work correctly and select the correct WAN port depending on the traffic source (e.g., VoIP or data, or link-failure fallback).

    • All inbound HTTP and SSH connections to pfSense services when the GW1 IP is used, i.e., "ssh" from an external IP.

    What fails:

    • All incoming HTTP and SSH connections to pfSense services when the GW3 IP is used, i.e., "ssh" from an external IP works.

    • Packet arrives on GW3 with source IP w.x.y.z, destination IP

    • Response packet departs on GW1 with source IP, destination IP w.x.y.z.  tcpdump at w.x.y.z shows the packet arriving.

    Curiously, ping requests from w.x.y.z to GW1 and GW3 work.

    I tried opening all ports at w.x.y.z and the TCP connection is still not established.

    Is it possible to force a connection that is established on, say, GW3 to go out on GW3 irrespective of the LAN firewall GW settings?

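The behaviour the post asks about (replies to a connection that arrived on GW3 leaving on GW3, regardless of the LAN policy-routing rules) is what pf's reply-to rule option provides: a state created by a pass rule carrying reply-to sends its reply traffic out the named interface to the named next hop instead of consulting the routing table. pfSense adds reply-to to rules on WAN-type interfaces that have a gateway configured, unless it is disabled globally (System > Advanced > Firewall & NAT, "Disable reply-to on WAN rules") or per rule in the rule's advanced options. The following is an added illustration written for this page, not the poster's configuration or anything generated by pfSense; the interface names em1 and em2, the addresses 192.0.2.10 / 192.0.2.1 (GW1) and 198.51.100.10 / 198.51.100.1 (GW3), and the admin source network 203.0.113.0/24 are all assumed placeholders, since the post elides its real addresses.

```pf
# Added example (not from the original post): raw pf.conf equivalents of
# "allow inbound SSH to the firewall on each WAN" with reply-to, so that
# the reply path for each state is pinned to the ingress WAN.
# All interface names and addresses below are assumed placeholders.

gw1_if  = "em1"
gw1_ip  = "192.0.2.10"
gw1_gw  = "192.0.2.1"
gw3_if  = "em2"
gw3_ip  = "198.51.100.10"
gw3_gw  = "198.51.100.1"
admin_net = "203.0.113.0/24"   # restrict who may reach SSH at all

# Inbound SSH arriving on GW1: replies leave via GW1's next hop.
pass in quick on $gw1_if reply-to ($gw1_if $gw1_gw) \
    inet proto tcp from $admin_net to $gw1_ip port 22 \
    flags S/SA keep state

# Inbound SSH arriving on GW3: replies leave via GW3's next hop.
# Without the reply-to option, the SYN-ACK for this state would be routed
# by the routing table, i.e. out the default gateway (GW1), which is the
# asymmetric path the post's tcpdump describes.
pass in quick on $gw3_if reply-to ($gw3_if $gw3_gw) \
    inet proto tcp from $admin_net to $gw3_ip port 22 \
    flags S/SA keep state
```

Two practical checks on a pfSense box: `pfctl -sr | grep reply-to` shows whether the loaded WAN rules actually carry the option (a WAN interface with no gateway assigned gets no reply-to), and `pfctl -ss` shows which states exist for the failing connection. Note that pfSense-generated rules also take the source address from the rule as entered; the post's "source any" on a management port is worth narrowing as shown, independent of the routing problem.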