Odd issue?

Douglas Haber

I have a Gw group set up for WAN failover on a pfSense device.

When I set LAN to use that gw group, the outbound connetivity works fine. On an egress trace, it goes:

1 - WAN GW
2 - FW IP
3 - Outside our network

when i remove the group

1 - FW IP
2 - WAN GW
3 - Outside

What configuration did I screw up to do this? Its causing some issues internally

cmb

Policy routing forces traffic to the gateway specified without decrementing the TTL. Egress you'll end up with 1 - WAN GW, 2 - Internet/whatever is beyond WAN GW.

When not using a gateway group, the first hop is your FW IP, then WAN GW, then beyond that.

Assuming it matches that description, that's not causing any problems, it's normal.

Douglas Haber

@cmb:

Policy routing forces traffic to the gateway specified without decrementing the TTL. Egress you'll end up with 1 - WAN GW, 2 - Internet/whatever is beyond WAN GW.

When not using a gateway group, the first hop is your FW IP, then WAN GW, then beyond that.

Assuming it matches that description, that's not causing any problems, it's normal.

It's breaking my site-to-site VPN's. Is there another or better way to do it?

dotdash

@Douglas:

It's breaking my site-to-site VPN's. Is there another or better way to do it?

You must have a strange VPN setup, but did you try not policy routing the VPN traffic?

cmb

You need a rule to pass traffic to the VPNs that doesn't policy route, above any matching rules specifying a gateway.