Multi-WAN with Fallback: Incoming connection routing issue

Summary: Packets going out the wrong WAN
System:

WANs
- GW1: IP 172.16.1.100/24, Gateway 172.16.1.1, marked as default GW
- GW3: IP 172.17.1.200/24, Gateway 172.17.1.1

LANs
- Servers: 10.1.0.0/8
- VoIP: 10.2.0.0/8

Routing: Two groups implementing fallback
- preferGW1: GW1 is Tier 1 and GW3 is Tier 2
- preferGW3: GW3 is Tier 1 and GW1 is Tier 2

LAN Firewall Rules
- LAN Servers: gateway is preferGW1
- LAN VoIP: gateway is preferGW3

Manual Outbound NAT Rules:
- Interface GW1: Source any, other fields *
- Interface GW3: Source any, other fields *
What works:
- All connections initiated by LAN clients behind the firewall work correctly and select the correct WAN port depending upon traffic source (e.g., VoIP or data, or link-failure fallback).
- All inbound HTTP and SSH connections to pfSense services when the GW1 IP is used, i.e., "ssh 172.16.1.100" from an external IP.

What fails:
- All incoming HTTP and SSH connections to pfSense services when the GW3 IP is used. I.e., "ssh 172.17.1.200" from an external IP works.
- Packet arrives on GW3 with source IP w.x.y.z, destination IP 172.17.1.200.
- Response packet departs on GW1 with source IP 172.17.1.200, destination IP w.x.y.z. tcpdump at w.x.y.z shows the packet is arriving.

Curiously, ping requests from w.x.y.z to GW1 and GW3 work.

I tried opening all ports at w.x.y.z and the TCP connection is still not established.

Is it possible to force a connection that is established on, say, GW3 to go out on GW3 irrespective of the LAN firewall GW settings?
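The behaviour the post is asking about is what pf's `reply-to` keyword provides: pfSense adds `reply-to` to rules on interfaces that have a gateway, so a state created by an inbound connection on GW3 sends its replies back through GW3's gateway instead of consulting the routing table (the default route, GW1). The model below is an added illustration written for this page, not pfSense code or the poster's configuration; it reproduces the post's gateways, gateway groups, LAN policy rules and addresses, and shows how the reply path changes with and without reply-to, plus tier fallback when GW3 is marked down. The external host `203.0.113.7`, the remote server `198.51.100.5`, the port numbers and the `Firewall`/`Packet` names are constructed for the example; the LAN prefixes are written as /16 here because two /8 prefixes beginning 10.1 and 10.2 both normalise to 10.0.0.0/8 and would overlap, so treat that as an assumption about what the post intends.

```python
"""Toy model of policy routing with gateway-group fallback and per-state reply-to.
Constructed example for illustration only; mirrors the addresses in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# WAN gateways from the post; GW1 carries the system default route.
GATEWAYS = {"GW1": "172.16.1.1", "GW3": "172.17.1.1"}
WAN_IPS = {"GW1": "172.16.1.100", "GW3": "172.17.1.200"}
WAN_NETS = {"GW1": ip_network("172.16.1.0/24"), "GW3": ip_network("172.17.1.0/24")}
DEFAULT_GW = "GW1"

# Gateway groups: ordered tiers; the first tier with a live member wins.
GROUPS = {"preferGW1": ["GW1", "GW3"], "preferGW3": ["GW3", "GW1"]}

# LAN firewall rules (policy routing): source network -> gateway group.
# Assumption: /16 prefixes, since 10.1.0.0/8 and 10.2.0.0/8 would both be 10.0.0.0/8.
LAN_RULES = [
    (ip_network("10.1.0.0/16"), "preferGW1"),  # Servers
    (ip_network("10.2.0.0/16"), "preferGW3"),  # VoIP
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_iface: str  # "LAN", a WAN name, or "self" for packets the firewall itself sends


def routing_table_lookup(dst):
    """Plain routing-table decision: directly connected WAN subnets, then the default route."""
    for gw, net in WAN_NETS.items():
        if ip_address(dst) in net:
            return gw
    return DEFAULT_GW


class Firewall:
    def __init__(self, up=None, reply_to_enabled=True):
        self.up = set(up if up is not None else GATEWAYS)  # gateways passing monitor checks
        self.reply_to_enabled = reply_to_enabled
        self.states = {}  # 5-tuple -> gateway to use for the reverse direction, or None

    def pick_from_group(self, group):
        for gw in GROUPS[group]:
            if gw in self.up:
                return gw
        return None  # every tier is down

    @staticmethod
    def _key(src, sport, dst, dport, proto):
        return (proto, src, sport, dst, dport)

    def route(self, pkt):
        """Return where the packet goes: a gateway name, "LAN", "LOCAL" or "DROP"."""
        fwd = self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

        if pkt.in_iface in WAN_IPS:  # arrived from the Internet
            if rev in self.states:  # reply to a LAN-originated state: hand it back to LAN
                return "LAN"
            if pkt.dst == WAN_IPS[pkt.in_iface]:  # new connection to the firewall itself
                # A WAN rule with reply-to records the arrival gateway on the state.
                self.states[fwd] = pkt.in_iface if self.reply_to_enabled else None
                return "LOCAL"
            return "DROP"  # no WAN rule allows it

        if pkt.in_iface == "LAN":  # policy-routed by the LAN rules
            if fwd in self.states:
                return self.states[fwd]  # existing state keeps its gateway
            for net, group in LAN_RULES:
                if ip_address(pkt.src) in net:
                    gw = self.pick_from_group(group)
                    if gw is None:
                        return "DROP"
                    self.states[fwd] = gw
                    return gw
            return "DROP"

        # Locally generated reply from a firewall service (SSH, web GUI).
        if self.states.get(rev):
            return self.states[rev]  # reply-to pins the reply to the arrival WAN
        return routing_table_lookup(pkt.dst)  # otherwise the default route decides


def scenarios():
    """Run the post's cases and return the egress decision for each."""
    results = {}
    syn = Packet("203.0.113.7", "172.17.1.200", "tcp", 40001, 22, "GW3")
    synack = Packet("172.17.1.200", "203.0.113.7", "tcp", 22, 40001, "self")
    fw = Firewall()
    results["gw3_ssh_with_reply_to"] = (fw.route(syn), fw.route(synack))
    fw = Firewall(reply_to_enabled=False)  # reply leaves via the default route: the symptom
    results["gw3_ssh_without_reply_to"] = (fw.route(syn), fw.route(synack))
    voip = Packet("10.2.0.10", "198.51.100.5", "udp", 5060, 5060, "LAN")
    results["voip_gw3_up"] = Firewall().route(voip)
    results["voip_gw3_down"] = Firewall(up={"GW1"}).route(voip)  # Tier 2 fallback
    fw = Firewall()
    srv = Packet("10.1.0.5", "198.51.100.5", "tcp", 50000, 443, "LAN")
    results["servers_both_up"] = fw.route(srv)
    results["servers_reply"] = fw.route(Packet("198.51.100.5", "10.1.0.5", "tcp", 443, 50000, "GW1"))
    return results


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

With reply-to in effect the SYN/ACK for the GW3 connection leaves via GW3; with it disabled the model reproduces the post's capture, a reply sourced from 172.17.1.200 departing on GW1. On pfSense, reply-to is on by default for rules on gateway-bearing interfaces and is turned off globally by the "Disable reply-to" option under System > Advanced > Firewall & NAT, so that setting and the interface the allowing rule is placed on are the first things to check when a WAN-initiated connection answers out the wrong link.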