
Topic: RESOLVED [2.4.0.r.20170929.0700] Gateway groups priority changes

Offline drzoidberg33

« on: September 30, 2017, 06:23:31 am »
I've got a gateway group set as my main gateway, and changing the priority of connections doesn't seem to be working currently: after swapping priority 1 to a different connection, it continues to route through the old one.

Can somebody see if they can reproduce this?

What my config looks like:

« Last Edit: October 25, 2017, 08:38:56 am by drzoidberg33 »

Offline luckman212

Your screenshots are not very helpful but I'll offer some general advice. Once states are established via a particular interface/gateway they will persist, even after mucking around with gateway priorities/rules. The length of time will vary depending on protocol and how each application behaves (does it use keep-alives, how often does it transmit data, etc). You can play with overriding these timeouts individually on the System>Advanced>Firewall page, or just change your overall optimization from Normal to Aggressive and see how that works for you. Another thing you can do (somewhat disruptive on a busy network) is to just kill all states after making policy routing changes (Diagnostics>States>Reset).
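A quick way to check whether the advice above applies, added here as an example (not from the thread or the pfSense project): parse the state table in the line format `pfctl -ss` prints on FreeBSD/pfSense and count how many states are still bound to the old WAN interface after a priority change. The sample states and the interface names (em1 as the old WAN, em2 as the new priority-1 WAN) are constructed assumptions.

```shell
#!/bin/sh
# Added example: inspect which interface existing firewall states are pinned to.
# On a live pfSense box you would feed the real table in:  pfctl -ss | states_on_if em1
# The lines below are a constructed sample in pfctl -ss layout (field 1 = interface).
SAMPLE_STATES='em1 tcp 203.0.113.5:52345 (10.0.0.5:52345) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 udp 203.0.113.5:40001 (10.0.0.5:40001) -> 9.9.9.9:53       MULTIPLE:MULTIPLE
em2 tcp 198.51.100.7:41000 (10.0.0.8:41000) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 tcp 10.0.0.5:52346 -> 10.0.0.1:443       ESTABLISHED:ESTABLISHED'

# Print the number of states whose interface field matches $1 (0 if none).
states_on_if() {
    awk -v ifc="$1" '$1 == ifc { n++ } END { print n + 0 }'
}

# Print a per-interface count of states, so a lingering old-WAN entry stands out.
states_per_if() {
    awk '{ n[$1]++ } END { for (i in n) print i, n[i] }' | sort
}

# Convenience wrapper over the constructed sample, used by the demo below.
count_sample() {
    printf '%s\n' "$SAMPLE_STATES" | states_on_if "$1"
}

if [ "${1:-}" = "demo" ]; then
    echo "States still on old WAN (em1): $(count_sample em1)"
    printf '%s\n' "$SAMPLE_STATES" | states_per_if
    # If states are still pinned to the old WAN, flushing the table is what the
    # GUI's Diagnostics > States > Reset does:   pfctl -F states
fi
```

Run it as `sh script.sh demo`; states on em1 after em2 became priority 1 are exactly the persistent states the post describes.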

Offline drzoidberg33

Quote from: luckman212
Your screenshots are not very helpful but I'll offer some general advice. Once states are established via a particular interface/gateway they will persist, even after mucking around with gateway priorities/rules. The length of time will vary depending on protocol and how each application behaves (does it use keep-alives, how often does it transmit data, etc). You can play with overriding these timeouts individually on the System>Advanced>Firewall page, or just change your overall optimization from Normal to Aggressive and see how that works for you. Another thing you can do (somewhat disruptive on a busy network) is to just kill all states after making policy routing changes (Diagnostics>States>Reset).

Thanks for the response. I actually did try resetting the states before posting the OP; it doesn't help.

I'm pretty confident this always used to work previously as I've made these kinds of changes quite often in the past.

Offline chrcoluk

I have found that connections from the pfSense unit itself ignore gateway groups; they always use the "default" gateway.

But it works fine for any devices behind pfsense it routes traffic for.

I never got round to submitting a report for this yet.

I never thought of wiping the session data following a gateway change though, as luke suggested, so it may well be that this does the trick for the scenario I had.
pfSense 2.4
Qotom Q355G4 or Braswell N3150 with Jetway mini pcie 2x intel i350 lan - 4 gig Kingston 1333 C11 DDR3L - 60 gig kingston ssdnow ssd - ISP Sky UK

Online kpa

Quote from: chrcoluk
I have found that connections from the pfSense unit itself ignore gateway groups; they always use the "default" gateway.

But it works fine for any devices behind pfSense it routes traffic for.

I never got round to submitting a report for this yet.

I never thought of wiping the session data following a gateway change though, as luke suggested, so it may well be that this does the trick for the scenario I had.

This should be common knowledge and somewhere in the wiki: PF on FreeBSD cannot redirect locally originating connections because the routing decision has already been made by the time the packets hit the packet filter in the outbound queue, and the decision can't be changed.

Offline chrcoluk

Thanks for that information kpa, I agree it would be handy to have it in the wiki.

The main issue is if you are running the DNS queries from pfSense: as they originate from pfSense, it can lead to a DNS outage when the gateway changes away from the default.

I see it is mentioned in the wiki, thanks for pointing that out.

Quoting from the wiki, this should solve the issue I had.

Quote
DNS Considerations
At least one DNS server should be reachable on each WAN. This can be accomplished by editing the DNS servers under System > General and picking a gateway for each DNS server. Make sure that the DNS server chosen for a given WAN will work there (i.e. it's public or from that ISP). The system's DNS forwarder will query all DNS servers simultaneously, so it should not be affected by a WAN failure.
« Last Edit: October 25, 2017, 12:15:30 am by chrcoluk »

Offline drzoidberg33

I recently moved over to a new pfSense appliance and am running the 2.4.0 final release - started off with a completely fresh install and reconfigured everything again.

This seems to have fixed my problem as now changing the priority of my connections works perfectly again.

It may have been an issue with my old configuration, but I'm really not sure. Glad it's working again.