Documentation: this strange?


    On Firewall > Rules, visit the tab for the internal interface to be used with the gateway group, either edit the existing pass rules and add the gateway setting, choosing the desired gateway, or add a new rule to match only certain traffic to direct into the gateway group. Remember that rules are processed from the top down, and once a rule is matched, processing stops.

    And right below it:

    Policy Route Negation: When a firewall rule directs traffic into the gateway, it bypasses the routing table on the firewall. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the routing table on the firewall. These rules should be at the top of the list, or at least above any rules using gateways.

    So a non-specific rule should be on top, after which the processing stops, and the more specific rules - that use a GW-group - are skipped altogether.

    Makes sense ( ;D ;D ;D ).

  • Rebel Alliance Developer Netgate

    Not sure I follow what you're saying, but the documentation is saying:

    • Put policy route negation rules at the TOP of the list; these will have local/VPN destinations and NO gateway set. These are not "general" or "non-specific", they are there to ensure your local/VPN traffic does not exit a WAN.

    • Put catchall/general rules at the bottom with a gateway (group) set so traffic can failover or do load balancing.
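The ordering point in the reply above can be checked with a small simulation. This is an added example, not code from the thread or from pfSense: it models pfSense's top-down, first-match rule evaluation (pfSense rules are "quick", so the first matching rule ends processing) for destination matching only, whereas real rules also match interface, source, protocol and port. The network ranges, rule names and the "WANGroup" gateway group name are constructed for illustration. It evaluates the same destinations under the documented order (negation rules above the catch-all) and under the inverted order, and also reports rules that can never match because an earlier rule already covers their whole destination range.

```python
"""Simulate pfSense-style top-down, first-match rule evaluation to show why
policy route negation rules must sit above any rule that sets a gateway.
Destination matching only; real rules also match interface, source,
protocol and port. All addresses, rule names and the gateway group name
here are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    dst: str                       # destination CIDR, or "any"
    gateway: Optional[str] = None  # None = no gateway set -> firewall routing table

    @property
    def net(self) -> IPv4Network:
        return ip_network("0.0.0.0/0" if self.dst == "any" else self.dst)


def evaluate(rules: List[Rule], dst_ip: str) -> Tuple[Optional[str], str]:
    """Return (matching rule name, egress). The first match wins and
    evaluation stops; a packet matching no rule hits the default deny."""
    ip = ip_address(dst_ip)
    for rule in rules:
        if ip in rule.net:
            return rule.name, rule.gateway or "routing-table"
    return None, "blocked"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already
    covers their entire destination range (e.g. a catch-all placed above)."""
    dead = []
    for i, later in enumerate(rules):
        if any(earlier.net.supernet_of(later.net) for earlier in rules[:i]):
            dead.append(later.name)
    return dead


# Constructed topology: two LAN segments and one site-to-site VPN network.
LOCAL_AND_VPN = ["192.168.1.0/24", "192.168.2.0/24", "10.8.0.0/24"]
negation_rules = [Rule(f"pass-to-{n}", n) for n in LOCAL_AND_VPN]   # no gateway set
catchall = Rule("pass-any-via-WANGroup", "any", gateway="WANGroup")  # gateway group set

CORRECT_ORDER = negation_rules + [catchall]  # as the documentation describes
WRONG_ORDER = [catchall] + negation_rules    # catch-all with gateway on top


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(f"--- {label} order ---")
        for dst in ("10.8.0.5", "192.168.2.10", "203.0.113.7"):
            print(dst, "->", evaluate(rules, dst))
        print("shadowed rules:", shadowed(rules))
```

Under CORRECT_ORDER, a packet to the VPN network 10.8.0.5 hits a negation rule and follows the firewall's routing table, while Internet-bound traffic falls through to the gateway group. Under WRONG_ORDER the same VPN packet matches the catch-all first and is policy-routed out a WAN, and every negation rule shows up as shadowed, which is the symptom the documentation's ordering advice prevents.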
