Netgate Discussion Forum
    2.2.1 - "Mark Gateway as Down" option not working as expected?

luckman212:

      Hi quick question for y'all

      I see there is a new option in 2.2.x under Routing > Gateways to "Mark Gateway as Down"
      This seems to be a very handy option for testing purposes etc.

      But when I tested it yesterday it did not seem to actually do what I expected.  I had a 1LAN / 2WAN setup with a single "failover route" with WAN1 as Tier1 and WAN2 as Tier2 and the default LAN->WAN firewall rule set to explicitly use this failover policy gateway.

      When I clicked the "Mark Gateway as Down" checkbox and saved/apply it did not actually force the WAN1 gateway offline. Still showed up as "online" in the Gateways widget and ipchicken.com reported that our traffic was still sourcing from the WAN1 interface.

      Am I misunderstanding what this option is supposed to do? Does it not work for policy based routing / gateway groups?

      Thanks :)

phil.davis:

        Policy routing forces stuff out the specified gateway "regardless".
        After this little enhancement, the policy route will not be made if the gateway is force_down:
        https://github.com/pfsense/pfsense/commit/a46212734aa36f346b12afa88a61fcf929f083c1
        That is the URL of the commit for 2.2-RELENG branch - you should be able to make that change, or it will appear in 2.2.2 when that happens.
        With that change, you should be able to "Mark Gateway as Down" and then the rule will change to just passing the traffic without any gateway (so the traffic will start flowing out the default gateway).
        You can also set skip_rules_gw_down and then the rule will be completely left out when the gateway is marked down. If you have no other later rule to pass the traffic it would then be blocked, or do whatever the later rule did (e.g. you might have another rule that explicitly passes the traffic to some other gateway or…)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

luckman212:

          Thanks Phil
          So if I understand correctly, after the 2.2.2 release with your commit, all I would have to do is make sure the "Enable default gateway switching" option is enabled right? Otherwise the rule with the down gateway would be skipped and potentially traffic would be routed to the default gateway which could have been the "down" one….

phil.davis:

            Sometimes people actually want the traffic blocked if the gateway is down (e.g. they have a VPN uplink and do not want traffic to go anywhere (on the unencrypted WAN…) when the VPN is down) so it all depends on your requirements.

            If you want traffic to fail over to another WAN, then you are better off making a gateway group containing the required gateways with required tier1/2... selected. Then use the gateway group in your rules.

            Default gateway switching does work for ordinary pfSense configurations that have 2 ordinary WANs - in that case there is ambiguity about what to do when the default gateway is down.

            I don't think that the "Mark Gateway as Down" setting is implemented in all places in the code! I suspect that if you have Default Gateway Switching enabled and then set "Mark Gateway as Down" on your default gateway, it probably won't switch the default gateway - but that would be good to try...

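To make the three outcomes Phil describes concrete (rule keeps its route-to, rule emitted without a gateway so the default route wins, rule skipped entirely with skip_rules_gw_down) and the tier-1/tier-2 gateway-group failover he recommends instead, here is a small model of the decision, as an added example. This is not pfSense code and not the code behind the linked commit: the Gateway/GatewayGroup classes, the simplified pf rule strings (real pfSense rules carry tags, reply-to and more), the interface names and the addresses are all assumptions made for the illustration. The last scenario also shows luckman212's worry: with the gateway marked down but the system default gateway not switched, the bare rule still sends traffic out the "down" WAN.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class Gateway:
    name: str
    interface: str            # pf interface the gateway sits on, e.g. "em0" (assumed)
    address: str              # next-hop address used in route-to (made up)
    monitor_up: bool = True   # what the gateway monitor currently reports
    force_down: bool = False  # the "Mark Gateway as Down" checkbox

    @property
    def down(self) -> bool:
        # Either reason takes the gateway out of service for policy routing.
        return self.force_down or not self.monitor_up


@dataclass
class GatewayGroup:
    name: str
    members: List[Tuple[Gateway, int]]  # (gateway, tier); lower tier is preferred


def resolve_group(group: GatewayGroup) -> List[Gateway]:
    """Gateways in the best (lowest-numbered) tier that still has a member up.
    Several members on one tier are load-balanced; an empty list means the
    whole group is down."""
    usable = {}
    for gw, tier in group.members:
        if not gw.down:
            usable.setdefault(tier, []).append(gw)
    return usable[min(usable)] if usable else []


def build_rule(src: str, iface: str,
               target: Union[Gateway, GatewayGroup, None],
               skip_rules_gw_down: bool = False) -> Optional[str]:
    """Emit the pf pass rule for a LAN rule whose gateway field is `target`
    (a single gateway, a gateway group, or None for no policy routing).
    Returns None when the rule is left out entirely."""
    base = f"pass in quick on {iface} inet from {src} to any"
    if target is None:
        return base
    if isinstance(target, GatewayGroup):
        live = resolve_group(target)
    else:
        live = [] if target.down else [target]
    if not live:
        # Gateway (or every member of the group) is down.
        if skip_rules_gw_down:
            return None   # rule omitted; whatever later rule matches decides
        return base       # rule kept but without route-to: default route wins
    if len(live) == 1:
        gw = live[0]
        return f"{base} route-to ({gw.interface} {gw.address})"
    pool = ", ".join(f"({g.interface} {g.address})" for g in live)
    return f"{base} route-to {{ {pool} }} round-robin"


def egress_interfaces(rule: Optional[str], default_gw: Gateway) -> List[str]:
    """Where matching traffic leaves: the route-to next hops if the rule has
    any, the system default gateway's interface if it has none, nothing if
    the rule was skipped (modelled here as the traffic being blocked)."""
    if rule is None:
        return []
    hops = re.findall(r"\((\S+) \S+\)", rule)
    return hops if hops else [default_gw.interface]


def scenario_table(src: str = "192.168.1.0/24", lan: str = "em2"):
    """The poster's setup: WAN1 tier 1, WAN2 tier 2, WAN1 marked down.
    Returns {scenario: (rule, egress interfaces)}; all values are constructed."""
    wan1 = Gateway("WAN1_GW", "em0", "203.0.113.1", force_down=True)
    wan2 = Gateway("WAN2_GW", "em1", "198.51.100.1")
    group = GatewayGroup("Failover", [(wan1, 1), (wan2, 2)])
    cases = {
        "rule -> group":           build_rule(src, lan, group),
        "rule -> WAN1, keep rule": build_rule(src, lan, wan1),
        "rule -> WAN1, skip rule": build_rule(src, lan, wan1, skip_rules_gw_down=True),
    }
    # Default gateway still WAN1: what you get if nothing switched it away.
    return {k: (r, egress_interfaces(r, wan1)) for k, r in cases.items()}


if __name__ == "__main__":
    for name, (rule, out) in scenario_table().items():
        print(f"{name:26} egress={out or 'blocked'}  rule={rule}")
```

Running it shows the group variant failing over to em1, the direct-gateway variant falling through to em0 (the interface just marked down) because the rule lost its route-to, and the skip_rules_gw_down variant producing no rule at all, which is the "block when the VPN is down" behaviour from the second reply.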

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.