DNAT auto firewall [Register Rule/Pass] fails in multi-gw setups + how to fix it

Started by superpower, January 29, 2026, 05:41:34 PM

On deployments with multiple gateways, opting for automatic firewall rule creation via "Register rule" or "Pass" creates rules that do not have the advanced-mode "Reply-to:" option configured, so if a query comes in via GW1 it will probably return via GW0 and be dropped.
The solution is to set it to manual and enter your desired reply-to gateway in the dropdown.
Hope this helps
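To make the failure mode concrete, here is the shape of the two pf rules in question, written as an added illustration for this thread; it is not output copied from OPNsense and not the original poster's configuration. The interface names (em0 = WAN0 with gateway 198.51.100.1, em1 = WAN1 with gateway 203.0.113.1), the public address 203.0.113.50 and the internal host 192.168.1.10 are assumptions made up for the example.

```pf
# Added illustration, not generated by OPNsense and not the poster's own rules.
# Constructed assumptions: em0 = WAN0 (default route, gateway 198.51.100.1),
# em1 = WAN1 (gateway 203.0.113.1), public 203.0.113.50 -> internal 192.168.1.10.

# Port forward on the second WAN; identical in both cases below
rdr on em1 inet proto tcp from any to 203.0.113.50 port 443 -> 192.168.1.10 port 443

# 1) Shape of an automatically created filter rule: no reply-to option.
#    Reply packets for this state are routed by the routing table, i.e. they
#    leave via the default gateway on em0 and never reach the peer.
pass in quick on em1 inet proto tcp from any to 192.168.1.10 port 443 flags S/SA keep state label "auto: NAT 443 to 192.168.1.10"

# 2) Manually created rule with "Reply-to:" set to the WAN1 gateway.
#    pf sends replies for this state back out em1 via 203.0.113.1,
#    regardless of the default route.
pass in quick on em1 reply-to ( em1 203.0.113.1 ) inet proto tcp from any to 192.168.1.10 port 443 flags S/SA keep state label "manual: NAT 443 to 192.168.1.10, reply-to WAN1"
```

To check which of the two shapes a running firewall actually loaded, list the active ruleset with `pfctl -sr` and look for the `reply-to ( ... )` clause on the pass rule that belongs to the port forward; if it is absent on a rule for a non-default WAN, return traffic for that forward will follow the default route.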

Can you raise a ticket on GitHub about this? This may require a bit of discussion.


Thanks,
Franco

Of course, but help me a bit: which repo is most relevant for this issue? core or src?


Note that I've worked around this issue by setting the WAN I want to run servers from as the default gateway and adding rules to all LAN nets to forward traffic to the other gateway. This breaks my failover plan and won't help if you're serving via multiple WANs, so it's not perfect.


Looks like it's been flagged as support, or in other words, "the user is doing something wrong, it's not a bug". Don't expect a fix any time soon. :(

Ad asked for specific, detailed information that anyone experiencing the problem could easily add to the ticket. I for one cannot, because I do not have dual WAN anywhere.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You should be able to do a dual-WAN test just by plugging both interfaces into the same source network with DHCP, then watching packets out of both using tcpdump.

I should also mention that my setup is rather complex, and that would complicate picking out the issue. I could maybe set up a test rig, but then there's still so much that needs to be passed around.

If you really need it, I can set up said test rig, but it would be best if we could communicate more directly.