Netgate Discussion Forum

    Group gateway confused

      tanniit

      Hi,
      I have 2 WAN, WAN1 and WAN2, WAN1 gateway is 172.17.0.254 and WAN2 gateway is 172.16.0.254

      I created a group, "GWalt", as WAN1 (Tier1) and WAN2(Tier2).  I assigned an IP of a client to "GWalt" in firewall rule and turned
      on the log.

      What I noticed is the log show its going through "GWalt" and gateway IP is 172.17.0.254, that is correct.

      But when I tried on the same client, I do "tracert yahoo" it shows "172.16.0.254", kind of funny which path it follows?

      Thanks.

        AIMS-Informatique

        Weird that you're using a private IP range for WAN purposes… NATed NAT on WAN is tricky!

        Here are the defined RFC private IP ranges:
        10.0.0.0     -  10.255.255.255   (10/8 prefix)
        172.16.0.0   -  172.31.255.255   (172.16/12 prefix)
        192.168.0.0  -  192.168.255.255  (192.168/16 prefix)

        But your problem is not here...

        What are the GW monitor addresses?
        Do your gateways respond to ICMP requests?
        Is your rule at the top of the list (it should be)?

          tanniit

          Yes, I can ping from the client.
          Maybe the attached network diagram helps.

          ![Screen Shot 08-15-14 at 07.29 AM.PNG](/public/imported_attachments/1/Screen Shot 08-15-14 at 07.29 AM.PNG)

            AIMS-Informatique

            1 - Check your specific client firewall rule's position in the list: it should be first.
            2 - Are all your GW members "Online" (Status->Gateways)? Are the RTT and Loss parameters OK?
            3 - Which GW is set as default in the "Routing" section? Can you send us the configuration of your GWs and GW Groups?
            4 - What is your client's DHCP (or static) configuration? The DNS and GW should be 192.168.1.1 (your pf's LAN address).
            5 - You shouldn't have any Route configured in your PF.

            If you try consecutive tracerts from the client, do you see the traffic going through WAN1 and then WAN2? Or only WAN

              tanniit

              1.  Yes, it is right on top - see attached file.
              2.  Yes, they are all online - see attached ping return.
              3.  Routing default set to 172.16.0.254 - see attached GW config.
              4.  Yes, I do have a DHCP setup, but the specific client has a fixed IP under static IP mapping in LAN.
                  Yes, gateway is 192.168.1.1, see attached file.
              5.  No, no other route…blank.

              I have changed some of the naming, WAN1=>WAN, WAN2=>WAN1 and "GWalt" => "GrpGWStaff",
              but the IPs remain unchanged.

              I also attached a traceroute and log from the System Log.

              ![Screen Shot 08-23-14 at 03.28 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 03.28 PM.PNG)
              ![Screen Shot 08-23-14 at 03.19 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 03.19 PM.PNG)
              ![Screen Shot 08-23-14 at 03.13 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 03.13 PM.PNG)
              ![Screen Shot 08-23-14 at 03.11 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 03.11 PM.PNG)
              ![Screen Shot 08-23-14 at 03.04 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 03.04 PM.PNG)
              ![Screen Shot 08-23-14 at 03.03 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 03.03 PM.PNG)
              ![Screen Shot 08-23-14 at 02.37 PM.PNG](/public/imported_attachments/1/Screen Shot 08-23-14 at 02.37 PM.PNG)

                AIMS-Informatique

                Got it!

                Tier 1 is 172.17.0.254
                Tier 2 is 172.16.0.254
                And your PF's default GW is your Tier 2 (172.16.0.254).

                In your rule, you specify the kind of traffic that should be filtered: in your case "TCP" only. So it won't apply to any ICMP traffic (a trace route uses ICMP). But it will for HTTP traffic, though.

                So, because you don't specify the ICMP kind of traffic, your default routing policy applies: go through the PF's default GW.

                Here is your answer.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.