Multi-WAN with Fallback: Incoming connection routing issue

  • Summary: Packets going out wrong WAN

    System:
    WANs

    • GW1: IP: 172.16.1.100/24, Gateway 172.16.1.1, Marked as default GW

    • GW3: IP: 172.17.1.200/24, Gateway 172.17.1.1

    LANs

    • Servers: 10.1.0.0/8

    • VoIP: 10.2.0.0/8

    Routing: Two groups implementing fallback

    • preferGW1: GW1 is Tier 1 and GW3 is Tier 2

    • preferGW3: GW3 is Tier 1 and GW1 is Tier 2

    LAN Firewall Rules

    • LAN Servers: gateway is preferGW1

    • LAN VoIP: gateway is preferGW3

    Manual Outbound NAT Rules:

    • Interface GW1: Source any, other fields *

    • Interface GW3: Source any, other fields *

    What works:

    • All connections initiated by LAN clients work correctly and select the correct WAN depending on the traffic source (e.g., VoIP or data) or on link-failure fallback.

    • All inbound HTTP and SSH connections to pfSense services when the GW1 IP is used, i.e., "ssh 172.16.1.100" from an external IP.

    What fails:

    • All incoming HTTP and SSH connections to pfSense services when the GW3 IP is used, i.e., "ssh 172.17.1.200" from an external IP works.

    • Packet arrives on GW3 with source IP w.x.y.z, destination IP 172.17.1.200

    • Response packet departs on GW1 with source IP 172.17.1.200, destination IP w.x.y.z.  tcpdump at w.x.y.z shows the packet is arriving.

    Curiously, ping requests from w.x.y.z to GW1 and GW3 work.

    I tried opening all ports at w.x.y.z and the TCP connection is still not established.

    Is it possible to force a connection that is established on say GW3 to go out on GW3 irrespective of LAN Firewall GW settings?
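
The behaviour the question asks for exists in pf, the packet filter pfSense is built on, as the `reply-to` rule option: a state created by a rule carrying `reply-to` sends its reply packets out through the named interface and gateway instead of consulting the routing table, so a connection that arrived on GW3 answers on GW3 even though GW1 is the default gateway. The ruleset fragment below is an added illustration, not part of the post above and not pfSense's own generated configuration; the interface names em1 (GW1) and em2 (GW3) are assumptions, the addresses are the ones given in the post, and the exact rule shape pfSense emits from the GUI differs in detail.

```pf
# Added example (not from the post): hand-written pf rules showing reply-to.
# Assumed interface names: em1 = GW1 (172.16.1.100/24), em2 = GW3 (172.17.1.200/24).
gw1_if = "em1"
gw3_if = "em2"
gw1_gw = "172.16.1.1"
gw3_gw = "172.17.1.1"
fw_ports = "{ 22, 80 }"

# Without reply-to the state is created, but the SYN-ACK is routed by the
# routing table, i.e. out the default gateway on GW1 even though the SYN
# arrived on GW3. This is the rule shape that reproduces the symptom:
#
# pass in quick on $gw3_if inet proto tcp from any to 172.17.1.200 \
#     port $fw_ports flags S/SA keep state

# With reply-to, replies for this state leave on em2 via 172.17.1.1, so the
# SYN-ACK goes back the way the SYN came in, independent of the default
# gateway and of the LAN policy-routing (gateway group) rules.
pass in quick on $gw3_if reply-to ( $gw3_if $gw3_gw ) inet proto tcp \
    from any to 172.17.1.200 port $fw_ports flags S/SA keep state

# Same treatment on GW1, so it keeps working if GW1 stops being the default.
pass in quick on $gw1_if reply-to ( $gw1_if $gw1_gw ) inet proto tcp \
    from any to 172.16.1.100 port $fw_ports flags S/SA keep state
```

Two checks follow from this. First, pfSense normally adds `reply-to` itself to rules placed on a WAN-type interface tab; rules on the floating tab do not get it unless a gateway is set on the rule, and the whole mechanism is switched off by the "Disable reply-to on WAN rules" option under System > Advanced > Firewall & NAT, so the rule that passes the SSH and HTTP traffic and that setting are the first things to verify. Second, the symptom can be confirmed from the firewall rather than from the client: run `tcpdump -ni em1 host w.x.y.z` and `tcpdump -ni em2 host w.x.y.z` in parallel while connecting from w.x.y.z; with a working reply-to the SYN-ACK appears only on the em2 capture.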
