Netgate Discussion Forum
    Documentation: this strange?

    Routing and Multi WAN
    2 Posts 2 Posters 776 Views

      Mr. Jingles

      https://doc.pfsense.org/index.php/Multi-WAN

      On Firewall > Rules, visit the tab for the internal interface to be used with the gateway group, either edit the existing pass rules and add the gateway setting, choosing the desired gateway, or add a new rule to match only certain traffic to direct into the gateway group. Remember that rules are processed from the top down, and once a rule is matched, processing stops.

      And right below it:

      Policy Route Negation: When a firewall rule directs traffic into the gateway, it bypasses the routing table on the firewall. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule, it will bypass the gateway group and use the routing table on the firewall. These rules should be at the top of the list, or at least above any rules using gateways.

      So a non-specific rule should be on top, after which the processing stops, and the more specific rules - that use a GW-group - are skipped altogether.

      Makes sense ( ;D ;D ;D ).

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      jimp (Rebel Alliance Developer, Netgate)

        Not sure I follow what you're saying but the documentation is saying:

        • Put policy route negation rules at the TOP of the list; these will have local/VPN destinations and NO gateway set. These are not "general" or "non-specific", they are there to ensure your local/VPN traffic does not exit a WAN.

        • Put catchall/general rules at the bottom with a gateway (group) set so traffic can failover or do load balancing.

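        As an added illustration (not part of the thread or of pfSense's own code), the following simulates pfSense's top-down, first-match rule evaluation so the ordering point above can be checked: negation rules for local/VPN destinations with no gateway must sit above the catch-all rule that sets a gateway group, otherwise internal traffic is policy-routed out the WAN. Subnets, rule names and the "WANGroup" gateway name are constructed for the example.

```python
# Added example (not from the thread): first-match rule evaluation showing
# why policy route negation rules must sit above rules that set a gateway.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    description: str
    destination: str        # CIDR network or "any"
    gateway: Optional[str]  # None = no gateway set, use the routing table


def matches(rule: Rule, dst_ip: str) -> bool:
    """Destination match only; source/port matching omitted for brevity."""
    if rule.destination == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination)


def evaluate(rules: List[Rule], dst_ip: str) -> str:
    """Walk the list top down and stop at the first match, like pf does.
    Returns the gateway name, 'routing-table' when the matching rule sets
    no gateway, or 'blocked' when nothing matches (default deny)."""
    for rule in rules:
        if matches(rule, dst_ip):
            return rule.gateway or "routing-table"
    return "blocked"


# Constructed sample: a LAN and an OpenVPN tunnel network, plus a WAN group.
LOCAL_NETS = ["192.168.1.0/24", "10.8.0.0/24"]
GOOD_ORDER = [
    Rule("negation: pass to LAN, no gateway", LOCAL_NETS[0], None),
    Rule("negation: pass to VPN, no gateway", LOCAL_NETS[1], None),
    Rule("catch-all: pass any via gateway group", "any", "WANGroup"),
]
# Same three rules with the catch-all on top, the mistake discussed above.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


def check_order(rules: List[Rule], local_nets: List[str]) -> List[str]:
    """Lint a ruleset: report any local/VPN network whose traffic would be
    captured by a gateway rule instead of using the routing table."""
    problems = []
    for net in local_nets:
        probe = str(ipaddress.ip_network(net)[1])  # first host in the subnet
        hop = evaluate(rules, probe)
        if hop != "routing-table":
            problems.append(f"{net} would exit via {hop}")
    return problems
```

Running `check_order(BAD_ORDER, LOCAL_NETS)` reports both internal networks leaving via the WAN group, while the recommended order reports nothing.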

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.