[PARTIALLY SOLVED] 17.1.5 - Gateway problems

[franco]

Hi Fabio,

Another fix via Ad:

https://github.com/opnsense/core/commit/ce8ef99

On a clean 17.1.6 both patches must be installed:

# opnsense-patch 2f715d2 ce8ef99


Cheers,
Franco

[fabio]

To keep you informed.

I've upgrade to 17.1.7, I see the same behaviour of 17.1.6+2f715d2 so "Gateways: Group" look good but not the "Allow default gateway switching".

With some other tests I noticed that, with the switching option enabled, the system start to use the 1st gateway listed in the "System: Gateways: All" page ignoring the "Default Gateway" flag
If the 1st become offline it swap to the 2nd and so on

If may I suggest ... should be great have the possibility to choose the order of the switching

In some way this also "explain" the reason why the openvpn ptp become the default gw.
I assigned, and enabled, the ovpnc1 interface to a Interface. After a vpn connection in the "System: Gateways: All" page appears 2 auto-geneerated gw (ip v4 and v6) listed at the "top of the list"

Cheers,
Fabio

[fabio]

Forgive me if I'm boring you but ... I see the same behaviour also in 1.7.8

Just to understand am I the only one who notice this behaviour?
... maybe there are something wrong in my conf.

Cheers,
Fabio

[franco]

Hi Fabio,

I have been looking at "Allow default gateway switching" the last few days, fixed multiple bugs and now think it's really not very practical. Since we have gateway groups for failover as well, it could mean the default gateway switching will be removed in 18.1 or so.

Why are you using both features at the same time? They don't work in tandem...


Thanks,
Franco

[fabio]

Hi Franco,
At the moment, according to my tests, I'm only interested into "Allow default gateway switching"; as told maybe I'm starting from a wrong point

In my case all is realted to OpenVPN: my OPN box is also a VPN client, connected to the "vpn.example.com" server for a bunch of networks.

Obviously when the system default gateway goes also the tunnel goes down ... the systems has no more a gw so the tunnel is not able to turn up again.
At lease the box is not able to resolve the name, "openvpn[xxx]: RESOLVE: Cannot resolve host address: vpn.example.com: hostname nor servname provided, or not known"
I've tried to bind the VPN client the LAN address adding a any/any rules via a group gateway with the same results
(As double check I've just tried to replace the name with the IP and I see the same behaviour)

Another point is that if I use a 'Gateway' in the a firewall rule all the traffic that match the rule is forced through that gw ... ignoring the system routing
As result all the networks pushed by the vpn server are ignored (I have this in some specific host/ports rules that I don't want in the tunnel)
Maybe I can add exception rules for all the route pushed but seems a mess to maintain (and anyway threre is hte previous problem)


So from my current point of view you shouldn't remove the "Allow default gateway switching"  :-)

As usual thanks for all the support and the great works
--
Fabio

PS:
Please forgive my terrible and confused english