OPNsense Forum

English Forums => General Discussion => Topic started by: laczik on May 04, 2020, 10:57:43 pm

Title: Firewall rules for incoming connections in an IPv6 multi WAN setup
Post by: laczik on May 04, 2020, 10:57:43 pm
I have an IPv6 multi WAN failover setup (see details at the bottom). Outgoing IPv6 connections work fine and the failover operates as expected.

However, hosts on the LAN net can only be pinged from the outside on the currently active interface. My understanding is that when a ping comes in on the "inactive" interface, the response is sent back on the gateway of the active interface - which is incorrect.

What rules / settings do I need so the correct gateway is used for any replies depending on which interface the ping arrived on?

Similarly, what rules / settings do I need if I want to make a server on the LAN net visible from the outside at both of the WAN1 and WAN2 prefixes, regardless of which gateway is active in the gateway group?

Details:
I have two WAN links with routable prefixes, say, 2001:1:1:0::/64 for WAN1 and 2001:2:2:0::/64 for WAN2. I assigned a static site local IP (fdaa:bbbb:cccc:0::1) to the LAN interface and created Firewall > NAT > NPTv6 rules to forward the routable global unicast addresses to the site local unicast addresses.
The router advertisement daemon is running in "Unmanaged" mode and hosts on the LAN net successfully assign addresses from the fdaa:bbbb:cccc:0::/64 prefix range.
I created a failover gateway group GWGR from WAN1_GW and WAN2_GW, and added the LAN firewall rule
in IPv6 "Lan net" * * * GWGR * "Failover gateway group".
and a Floating firewall rule
in first-match IPv6 IPV6-ICMP    *    *    LAN net    *    *    * "Allow ICMP"
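As an added illustration (my own code, not from the post or from OPNsense), this applies the stateless, checksum-neutral prefix mapping of RFC 6296 to the prefixes named above, so the same LAN host yields one external address per WAN prefix. Assumptions: WAN2's prefix is 2001:2:2::/64, the 0xFFFF handling is my reading of the RFC, and whether pf's NPTv6 rewrites the interface identifier this way or keeps it and fixes transport checksums instead is not established by the post.

```python
import ipaddress

def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words_of(addr):
    """Eight 16-bit words of an IPv6Address, most significant first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def from_words(words):
    return ipaddress.IPv6Address(sum(w << (16 * (7 - i)) for i, w in enumerate(words)))

def address_checksum(addr):
    """One's complement sum over all eight words; NPTv6 keeps it unchanged."""
    return ones_complement_sum(words_of(ipaddress.IPv6Address(addr)))

def nptv6_translate(addr, from_prefix, to_prefix):
    """Map addr between two equal-length prefixes (<= /64) so transport checksums stay valid."""
    addr = ipaddress.IPv6Address(addr)
    src, dst = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefix lengths must match and be at most /64")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # 1. Swap the prefix bits, keeping every bit below the prefix length.
    host_mask = (1 << (128 - src.prefixlen)) - 1
    new_words = words_of(ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & host_mask)))
    # 2. Adjustment = old upper-64-bit sum minus new upper-64-bit sum (one's complement).
    old_sum, new_sum = ones_complement_sum(words_of(addr)[:4]), ones_complement_sum(new_words[:4])
    adjustment = ones_complement_sum([old_sum, ~new_sum & 0xFFFF])
    # 3. Fold it into bits 48-63 for /48 or shorter; otherwise into the first IID word != 0xFFFF.
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if new_words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("interface identifier is all 0xFFFF; not translatable")
    new_words[idx] = ones_complement_sum([new_words[idx], adjustment])
    if new_words[idx] == 0xFFFF:  # one's complement negative zero: store 0x0000
        new_words[idx] = 0
    return from_words(new_words)

# Constructed sample: the poster's LAN prefix and the two WAN prefixes.
LAN, WAN1, WAN2 = "fdaa:bbbb:cccc::/64", "2001:1:1::/64", "2001:2:2::/64"
# nptv6_translate("fdaa:bbbb:cccc::1", LAN, WAN1) -> 2001:1:1:0:6630::1
```

Because the prefixes are /64, the adjustment lands in the first interface-identifier word, which is why the external address is not simply the prefix swapped; translating the result back with the prefixes reversed restores the LAN address.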