Netgate Discussion Forum

    Multi-Wan routing issue to standby WAN address

    Routing and Multi WAN
    Tags: multi-wan, routing, asymmetric
    3 Posts, 2 Posters, 678 Views
    SergeCaron

      Running 2.4.4-RELEASE-p2 (amd64)

      There are two WANs in a Gateway Group: interface WAN is Tier 1 and interface WAN_Failover is Tier 2.

      There is no Load Balancing or Traffic Shaping defined in this box.

      I want to access the pfSense box using either WAN.

      I only want two incoming rules on the WAN_Failover interface: allow ICMP Echo Requests and allow HTTPS traffic, both restricted to the WAN_Failover IPv4 address.

      In each of these two rules I set the Advanced Option “Gateway” to the WAN_Failover gateway address (the documentation being “Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.”).

      For each of these WANs, I can ping 8.8.8.8 using the Diagnostics page, I can reach each ISP's DNS servers, and the monitored IPs in the Gateway Group are always reachable.

      When I ping the WAN_Failover address, the reply goes out the WAN interface with the source address set to the WAN_Failover IP address. This is verified using Packet Capture on the WAN interface and the Firewall log showing the incoming packet on the WAN_Failover interface.

      I understand that the default route is set to the WAN interface and I can verify that: this is the normal condition that I expect.

      However, I do not understand why the return Gateway for these packets is not being honored: I also expect to reach the pfSense box at all times using this IP, regardless of the state of the Gateway Group.

      Can anybody help me understand why this asymmetric routing is happening?

      jimp (Rebel Alliance Developer, Netgate)

        @SergeCaron said in Multi-Wan routing issue to standby WAN address:

        I only want two incoming rules on the WAN_Failover interface: allow ICMP Echo Requests and allow HTTPS traffic, both restricted to the WAN_Failover IPv4 address.
        In each of these two rules I set the Advanced Option “Gateway” to the WAN_Failover gateway address (the documentation being “Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.”).

        You do not want to select a gateway for rules on a WAN interface. That does not set a return gateway, it sets up route-to, which is much different. That delivers packets to a gateway without processing them locally first.

        If you set up the WAN interface and its gateway properly (meaning the gateway is defined and selected under Interfaces > WAN_Failover) then any pass rule on that WAN will automatically get the proper reply-to setup to make sure that responses go back to that gateway like you want.


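To make the route-to versus reply-to distinction from the answer above concrete, the following pf.conf fragment is a constructed illustration added to this page; it is not rule text copied from the thread and not the exact text pfSense generates. It assumes WAN_Failover is interface igb1 with address 198.51.100.10/24 and ISP gateway 198.51.100.1, and that the system default route points out the primary WAN (igb0), which is the condition the original poster describes. The first pair of rules is what selecting a gateway in the rule's Advanced "Gateway" option effectively produces; the second pair is what pfSense attaches on its own when the gateway is configured under Interfaces > WAN_Failover and the rule's Gateway is left at "default".

```pf
# Constructed example; interface names and addresses are placeholders.
# WAN_Failover = igb1, 198.51.100.10/24, ISP gateway 198.51.100.1.
# Primary WAN  = igb0, and the default route leaves through igb0.

# WRONG: a WAN-interface rule with a gateway selected becomes route-to.
# route-to hands each matching packet to 198.51.100.1 via igb1 instead of
# delivering it to the firewall itself, so the echo request and the HTTPS
# SYN are forwarded to the ISP rather than answered locally.
pass in quick on igb1 route-to (igb1 198.51.100.1) inet proto icmp from any to 198.51.100.10 icmp-type echoreq keep state
pass in quick on igb1 route-to (igb1 198.51.100.1) inet proto tcp from any to 198.51.100.10 port 443 flags S/SA keep state

# RIGHT: Gateway left at "default", gateway defined on the interface.
# reply-to still delivers the packet to the local stack, but records
# 198.51.100.1 on igb1 as the next hop for every reply belonging to that
# state, so the answer goes back out WAN_Failover even though the default
# route points at igb0. That is the return path the poster was after.
pass in quick on igb1 reply-to (igb1 198.51.100.1) inet proto icmp from any to 198.51.100.10 icmp-type echoreq keep state
pass in quick on igb1 reply-to (igb1 198.51.100.1) inet proto tcp from any to 198.51.100.10 port 443 flags S/SA keep state
```

To check which form a running box actually loaded, `pfctl -sr` from the pfSense shell prints the active ruleset with its route-to or reply-to clause on each rule, so `pfctl -sr | grep igb1` shows the WAN_Failover rules directly. The packet-capture test the poster used remains the end-to-end check: with reply-to in place, the echo reply to a ping of 198.51.100.10 should be captured on igb1, not igb0.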
          SergeCaron (replying to jimp)

          @jimp Thank you!

          Works perfectly as you described.

          Regards,

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.