

Topics - dayer

Hello. I'm having a problem with Multi-WAN, high availability and policy routing that I think could be a bug. I don't want to repeat it here, since my intention is not to duplicate the thread about the problem or possible bug. But no expert/developer answers me, and the bug-reporting instructions say that unconfirmed bugs should be posted here or on the mailing list.

I've also mentioned it on reddit, and at least one person with a similar problem has replied, who also seems to think something is wrong in pfSense.

Any advice? Should I try the mailing list?

Hi. Sorry if this message should be in the CARP section. I think the situation is related to CARP and also to Multi-WAN.
pfSense 2.3.4-p1

I have this scenario:
Code:

            |---Pfsense1====                    |
            |      |        |---(WAN2)--|       |
            |      |                    |       |
PC --(LAN)--| (Sync)                 GW2     GW1
            |      |                    |       |
            |      |        |---(WAN2)--|       |
            |---Pfsense2====                    |

  • The gateway for PC is the VIP in the LAN.
  • The default gateway for Pfsense is GW2
  • The gateway for the traffic from LAN net is GW1 thanks to policy routing:
    • Action: pass
    • Interface: LAN
    • Address Family: IPv4
    • Protocol: Any
    • Source: LAN net
    • Destination: ! LAN net
    • Gateway: GW1
  • NAT, Outbound settings:
    • In WAN1, from LAN net, to any: WAN1 VIP address
    • In WAN2, from LAN net, to any: WAN2 VIP address

With this scenario, all traffic from the PC to the outside goes via GW1 correctly. However, if I'm pinging from the PC to an Internet address with Pfsense1 as master and I temporarily disable CARP on Pfsense1, Pfsense2 becomes the new master and the ping breaks. With a TCP connection, such as SSH, the result is the same.
I've been monitoring the traffic with tcpdump and I've realised Pfsense2 is trying to send this traffic via GW2, even using the WAN1 VIP address, and not via GW1.
If I restart the ping, or close and reopen the SSH connection, the new traffic goes via GW1, fine. But I can't find the reason why the current traffic is forwarded by the system default gateway (GW2) instead of following the policy routing (only GW1).
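One check a practitioner would want to run on the secondary right after the failover described above is whether the states that pfsync carried over are still bound to a rule that carries a route-to gateway, or whether they ended up on a rule without one (in which case pf forwards them along the system default route, which is GW2 here). The script below is an added example, not code from the post or from pfSense: it correlates rules from `pfctl -vvsr` (numbered `@N`, with pfSense's `route-to ( if gw )` clause) with states from `pfctl -vvss` (each state block ending in `rule N`). The two sample texts are constructed to approximate that output, and the exact wording of the lines is an assumption to check against the pfctl on your own box.

```python
"""Correlate pf states with the rule that owns them and report which states
are policy-routed (route-to) and which will follow the system default route.

Added example; the two samples below are CONSTRUCTED approximations of
`pfctl -vvsr` and `pfctl -vvss` output, not captures from the poster's boxes.
Interface names, addresses and rule text are illustrative assumptions.
"""
import re

RULES_SAMPLE = """\
@0 pass in quick on em1 inet from 192.168.1.0/24 to ! 192.168.1.0/24 flags S/SA keep state route-to ( em0 203.0.113.1 ) label "USER_RULE: LAN net via GW1"
  [ Evaluations: 120       Packets: 80        Bytes: 9000        States: 1     ]
@1 pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN allow, no gateway"
  [ Evaluations: 40        Packets: 10        Bytes: 800         States: 1     ]
"""

STATES_SAMPLE = """\
em0 tcp 203.0.113.10:51234 (192.168.1.10:51234) -> 198.51.100.20:22       ESTABLISHED:ESTABLISHED
   [1234567890 + 65535] wscale 7  [987654321 + 65535] wscale 7
   age 00:01:02, expires in 24:00:00, 120:100 pkts, 12000:9000 bytes, rule 0
   id: 0000000059d1a3f0 creatorid: 7d2f3b44
em0 icmp 203.0.113.10:1 (192.168.1.10:1) -> 198.51.100.20:1       0:0
   age 00:00:10, expires in 00:00:10, 10:10 pkts, 840:840 bytes, rule 1
   id: 0000000059d1a3f1 creatorid: 7d2f3b44
"""

# "@N <rule body>" as printed by pfctl -vvsr (assumed layout)
RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
# pfSense writes the policy-routing gateway as "route-to ( em0 203.0.113.1 )"
ROUTE_TO_RE = re.compile(r"route-to\s*\(\s*(\S+)\s+(\S+)\s*\)")
# state header: "<if> <proto> <src> [(<pre-NAT src>)] <-|-> <dst> ..."
STATE_HDR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\(\S+\))?\s+(<-|->)\s+(\S+)")
# indented detail line ending in "rule N" (assumed layout)
STATE_RULE_RE = re.compile(r"\brule\s+(\d+)\s*$")


def parse_rules(text):
    """Map rule number -> (interface, gateway) from its route-to clause, or None."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, body = int(m.group(1)), m.group(2)
        rt = ROUTE_TO_RE.search(body)
        rules[num] = (rt.group(1), rt.group(2)) if rt else None
    return rules


def parse_states(text):
    """Return one dict per state: proto, src, dst and the owning rule number."""
    states, current = [], None
    for line in text.splitlines():
        m = STATE_HDR_RE.match(line)
        if m:
            current = {"proto": m.group(2), "src": m.group(3),
                       "dst": m.group(5), "rule": None}
            states.append(current)
            continue
        m = STATE_RULE_RE.search(line)
        if m and current is not None:
            current["rule"] = int(m.group(1))
    return states


def classify(rules_text, states_text):
    """Return [(state description, gateway or 'DEFAULT ROUTE'), ...].

    A state whose owning rule has no route-to is forwarded by the kernel
    routing table, i.e. the system default gateway, not the policy gateway.
    """
    rules = parse_rules(rules_text)
    result = []
    for st in parse_states(states_text):
        rt = rules.get(st["rule"])
        desc = f'{st["proto"]} {st["src"]} -> {st["dst"]} (rule {st["rule"]})'
        result.append((desc, rt[1] if rt else "DEFAULT ROUTE"))
    return result


if __name__ == "__main__":
    for desc, gw in classify(RULES_SAMPLE, STATES_SAMPLE):
        print(f"{desc}: {gw}")
```

On a real pair, capture `pfctl -vvsr` and `pfctl -vvss` on the new master while the broken ping or SSH session is still open and feed those texts to `classify()`; a live state reported as `DEFAULT ROUTE` is one that is not bound to the route-to rule, which is consistent with the behaviour seen in tcpdump above, while a state reported with GW1's address shows the policy gateway is being applied.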

