2.2.1 - "Mark Gateway as Down" option not working as expected?
-
Hi quick question for y'all
I see there is a new option in 2.2.x under Routing > Gateways to "Mark Gateway as Down"
This seems to be a very handy option for testing purposes etc.But when I tested it yesterday it did not seem to actually do what I expected. I had a 1LAN / 2WAN setup with a single "failover route" with WAN1 as Tier1 and WAN2 as Tier2 and the default LAN->WAN firewall rule set to explicitly use this failover policy gateway.
When I clicked the "Mark Gateway as Down" checkbox and saved/apply it did not actually force the WAN1 gateway offline. Still showed up as "online" in the Gateways widget and ipchicken.com reported that our traffic was still sourcing from the WAN1 interface.
Am I misunderstanding what this option is supposed to do? Does it not work for policy based routing / gateway groups?
Thanks :)
-
Policy routing forces stuff out the specified gateway "regardless".
After this little enhancement, the policy route will not be made if the gateway is force_down:
https://github.com/pfsense/pfsense/commit/a46212734aa36f346b12afa88a61fcf929f083c1
That is the URL of the commit for 2.2-RELENG branch - you should be able to make that change, or it will appear in 2.2.2 when that happens.
With that change, you should be able to "Mark Gateway as Down" and then the rule will change to just passing the traffic without any gateway (so the traffic will start flowing out the default gateway).
You can also set skip_rules_gw_down and then the rule will be completely left out when the gateway is marked down. If you have no other later rule to pass the traffic it would then be blocked, or do whatever the later rule did (e.g. you might have another rule that explicitly passes the traffic to some other gateway or…) -
Thanks Phil
So if I understand correctly, after the 2.2.2 release with your commit, all I would have to do is make sure the "Enable default gateway switching" option is enabled right? Otherwise the rule with the down gateway would be skipped and potentially traffic would be routed to the default gateway which could have been the "down" one…. -
Sometimes people actually want the traffic blocked if the gateway is down (e.g. they have a VPN uplink and do not want traffic to go anywhere (on the unencrypted WAN…) when the VPN is down) so it all depends on your requirements.
If you want traffic to fail over to another WAN, then you are better off making a gateway group containing the required gateways with required tier1/2... selected. Then use the gateway group in your rules.
Default gateway switching does work work for ordinary pfSense configurations that have 2 ordinary WANs - in that case there is ambiguity about what to do when the default gateway is down.
I don't think that the "Mark Gateway as Down" setting is implemented in all places in the code! I suspect that if you have Default Gateway Switching enabled and then set "Mark Gateway as Down" on your default gateway, it probably won't switch the default gateway - but that would be good to try...
