Netgate Discussion Forum

Odd issue?

Category: NAT
5 Posts 3 Posters 880 Views
Douglas Haber
I have a GW group set up for WAN failover on a pfSense device.

When I set LAN to use that GW group, the outbound connectivity works fine. On an egress trace, it goes:

1 - WAN GW
2 - FW IP
3 - Outside our network

When I remove the group:

1 - FW IP
2 - WAN GW
3 - Outside

What configuration did I screw up to do this? It's causing some issues internally.

cmb

        Policy routing forces traffic to the gateway specified without decrementing the TTL. Egress you'll end up with 1 - WAN GW, 2 - Internet/whatever is beyond WAN GW.

        When not using a gateway group, the first hop is your FW IP, then WAN GW, then beyond that.

        Assuming it matches that description, that's not causing any problems, it's normal.

Douglas Haber

          @cmb:

          Policy routing forces traffic to the gateway specified without decrementing the TTL. Egress you'll end up with 1 - WAN GW, 2 - Internet/whatever is beyond WAN GW.

          When not using a gateway group, the first hop is your FW IP, then WAN GW, then beyond that.

          Assuming it matches that description, that's not causing any problems, it's normal.

It's breaking my site-to-site VPNs. Is there another or better way to do it?

dotdash

            @Douglas:

It's breaking my site-to-site VPNs. Is there another or better way to do it?

            You must have a strange VPN setup, but did you try not policy routing the VPN traffic?

cmb

              You need a rule to pass traffic to the VPNs that doesn't policy route, above any matching rules specifying a gateway.

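The rule ordering cmb describes, written out in pf's own syntax as an added illustration (this is not the ruleset pfSense generates, and it is not code from this thread). It assumes a LAN interface igb1, two WAN interfaces igb0 and igb2 with made-up gateway addresses, and made-up remote VPN networks; pfSense puts `quick` on every GUI rule, so evaluation is top-down, first match wins, just like the rule list in the web interface.

```pf
# Constructed example, not pfSense output. Interface, subnet and gateway
# values are placeholders.
lan_if   = "igb1"
lan_net  = "192.168.10.0/24"
vpn_nets = "{ 10.20.0.0/16, 10.30.0.0/16 }"   # remote site-to-site networks

# 1. VPN traffic first: a plain pass with NO route-to, so these packets
#    follow the routing table (the IPsec/OpenVPN route) instead of being
#    forced out the WAN gateway. This must sit above rule 2.
pass in quick on $lan_if inet from $lan_net to $vpn_nets keep state \
     label "LAN to site-to-site VPNs: no policy routing"

# 2. Everything else is policy routed to the WAN gateway. For a failover
#    group pfSense substitutes the member that is currently up (assumed
#    here to be igb0). If this rule were above rule 1 it would match VPN
#    traffic too and push it out the WAN, which is the breakage in the thread.
pass in quick on $lan_if route-to (igb0 203.0.113.1) \
     inet from $lan_net to any keep state \
     label "LAN default out via WAN failover group"
```

In the pfSense GUI the same thing is a LAN rule with destination set to the remote VPN networks (or an alias of them) and the Gateway left at Default, dragged above the rule that selects the gateway group. Checking the order with a traceroute from a LAN host to a VPN subnet is a quick way to confirm: the first hop should be the firewall's LAN address, not the WAN gateway.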
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.