Two Multi WAN firewall rules give different results



  • I have Multi WAN and I'm trying to allow dual WAN instead of just failover.

    Why do the below rules give different results?

    • The first works flawlessly, allowing traffic over the second WAN during an outage.

    • The second rule is to force traffic through the gateway (group with two tier 1 connections); however, when activated, it causes all websites to be inaccessible except for Google, which is also our DNS server for both WANs. The source is set to apply to traffic on the interface which is Wireless net.



  • perhaps you should supply more info….

    like what is the exact error you are getting?
    what are your dns servers set at ?

    are you having a dns issue or is this actually a different issue ?



  • @heper:

    perhaps you should supply more info….

    like what is the exact error you are getting?
    what are your dns servers set at ?

    are you having a dns issue or is this actually a different issue ?

    Apologies, I could have supplied better information:

    8.8.8.8 using WAN1 as the gateway
    8.8.8.4 using WAN2 as the gateway

    There are no errors; however, I just noticed that when the second rule is set, we cannot ping external or internal IPs. So there must be a firewall rule blocking something. Our captive portal is set; however, even signed-in users experience the same issue.


  • LAYER 8 Netgate

    Google's second DNS server IP address is 8.8.4.4 not 8.8.8.4.



  • @Derelict:

    Google's second DNS server IP address is 8.8.4.4 not 8.8.8.4.

    Derelict, sorry that was a typo on my part. We are using:

    8.8.8.8
    8.8.4.4
    

  • LAYER 8 Netgate

    All your NAT rules in place for both WANs?



  • @Derelict:

    All your NAT rules in place for both WANs?

    At this time, Automatic outbound NAT rule generation is selected within Outbound NAT. There is nothing in 1:1 or NPT. We do have port forwards, but you can see below that nothing is out of ordinary (as far as I know).


  • LAYER 8 Netgate

    If you change the default gateway to the other WAN without changing the rule does it work?



  • @Derelict:

    If you change the default gateway to the other WAN without changing the rule does it work?

    Same results, we cannot ping anything internally/externally. I even tried modifying the first rule, by just adding the gateway portion in advanced settings but received the same results. The second that the rule is modified to include the gateways, the rule somehow stops all traffic. Btw, I really appreciate your help here because I quickly ran out of ideas.

    Note: I can manually switch gateways and the internet continues to work on each connection as it should, so I know both connections are active.


  • LAYER 8 Netgate

    I don't understand how manually switching gateways and changing the default route are two different things.



  • What I meant is that going to Routing, if I make either connection the default gateway, traffic flows through whichever as it should. My point was that both connections are definitely working, so there is something strange going on.



  • @Derelict:

    I don't understand how manually switching gateways and changing the default route are two different things.

    I would be very curious to know if anyone running 2.2.4 is experiencing this issue. Fail-over works flawlessly; however, WAN load balancing is the issue where I force traffic through the Gateway Groups using firewall rules. I'm convinced that this feature simply does not work anywhere. This has worked in the past with 2.0, I remember. The comments of the following blog post kind of confirm it for me: http://terraltech.com/multi-wan-load-balancing-with-pfsense/



  • @UNet:

    I'm convinced that this feature simply does not work anywhere. This has worked in the past with 2.0, I remember. The comments of the following blog post kind of confirms it for me http://terraltech.com/multi-wan-load-balancing-with-pfsense/

    Of course it still works. The comments on that post are no doubt from Squid users, where it's not hitting those rules at all.

    You need to negate policy routing for LAN to LAN connectivity to work.
    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    I'm guessing you're breaking your DNS maybe, if it's on one of the other internal subnets. Troubleshoot the issue: what works and what doesn't? IP connectivity to the Internet (ping 8.8.8.8/8.8.4.4/4.2.2.2)? Does DNS resolution work?
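To make the point about bypassing policy routing concrete, here is an added example that is not from the thread or from pfSense itself: a toy first-match rule evaluator in the spirit of pfSense LAN rules. Rule and network names (`WANGroup`, the two local subnets) are constructed for illustration. It shows why a single "pass any via gateway group" rule sends traffic for other internal subnets (including an internal DNS server) out the WAN group, and how a pass rule to local networks with no gateway, placed above it, restores LAN-to-LAN reachability while Internet-bound traffic still uses the group.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed local networks (assumed for the example, not taken from the thread).
LOCAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),   # hypothetical wireless net
    ipaddress.ip_network("192.168.10.0/24"),  # hypothetical other internal subnet
]


@dataclass
class Rule:
    """A pass rule as evaluated on the LAN-side interface (first match wins)."""
    name: str
    dst: Union[str, List[ipaddress.IPv4Network]]  # "any" or explicit destination networks
    gateway: Optional[str]                         # None = use the system routing table


def matches(rule: Rule, dst_ip: ipaddress.IPv4Address) -> bool:
    if rule.dst == "any":
        return True
    return any(dst_ip in net for net in rule.dst)


def route(rules: List[Rule], dst: str) -> Tuple[str, str]:
    """Return (matching rule name, gateway used) for a packet to dst.

    'default' means the normal routing table; 'blocked' is the implicit deny
    when nothing matches.
    """
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, ip):
            return rule.name, rule.gateway or "default"
    return "none", "blocked"


# Rule set 1: the "second rule" from the thread, on its own.
BROKEN_RULES = [
    Rule("LAN to any via WANGroup", "any", "WANGroup"),
]

# Rule set 2: a bypass rule with no gateway placed ABOVE the policy-routing rule,
# as the Bypassing_Policy_Routing doc describes.
FIXED_RULES = [
    Rule("bypass policy routing to local nets", LOCAL_NETS, None),
    Rule("LAN to any via WANGroup", "any", "WANGroup"),
]


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for dst in ("192.168.10.5", "8.8.8.8"):
            print(label, dst, "->", route(rules, dst))
```

With the broken set, a packet to `192.168.10.5` (another internal host or an internal resolver) is handed to the WAN group and never reaches the LAN; with the bypass rule first, it follows the routing table, while `8.8.8.8` still matches the gateway-group rule in both sets.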

