Changing gateway from default to specific GW in LAN rule loses firewall access

Started by mellow65, March 05, 2024, 05:53:21 PM

Greetings all, I had posted about my multi WAN issues before, but since then I have kept drilling down on what happens (as well as someone who doesn't know much about all this can do) when I "break" my firewall.

On a fresh install with only a single interface and a single rule, everything works fine.

As long as I have my gateway set to default all works as one would expect.

When I change my gateway to be a specific gateway, I lose access to parts of the firewall. I can't ping the interface, I lose DNS and therefore access to the internet. I can, however, SSH into the firewall, ping 8.8.8.8, and I can still get to the GUI.

My original "fix" was adding a rule to allow access to "This Firewall"; this worked just fine as long as I didn't have any VLANs. I couldn't ping devices on other networks; I could, however, ping the interface for that network.

My current "fix" is to set up an alias for all private networks and allow access to those. I'm OK with this answer for this network as it won't be my IoT network. But I don't know if there are any long-term downsides to this.


My main question to people who are way smarter than I: why does changing the gateway kill certain access to the firewall?

Most of my experience is with pfSense, and there I don't need to add extra pass rules when selecting a different gateway.

The thing about policy based routing is, it is policy based routing.

Your rule doesn't just "change a gateway"; it forces all IPv4 traffic coming in on LAN to be sent to WAN1_GW.

Hence, nothing internal works as soon as a packet reaches your firewall. Luckily enough, SSH and HTTPS are matched by earlier automatic rules, and that's why those still work. Internet works as usual, as WAN1_GW is the gateway for it.

With your additional rule you don't make that happen for traffic with target "This Firewall" (= all IPs of the firewall, including all interfaces).

In case you still want to run policy based routing try writing it as:

LAN in, destination !RFC_1918 (or !PrivateNetworks as you call it) shall use the gateway wan1_gw

And make sure it is matched late in the chain; if you want to make exceptions later, it will avoid extra work.



Answer to your question: Read the docs first. I don't know about pfSense but I guess it also just works as stated in the docs.
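To make the difference concrete, here is a pf.conf-style rendering of the two rule sets discussed above. This is an added illustration, not rules generated by OPNsense or posted by anyone in the thread; em0/em1 as the LAN/WAN1 interfaces and 203.0.113.1 as the WAN1_GW address are placeholders, and the table plays the role of the "PrivateNetworks" alias.

```pf
# Constructed example: em0 = LAN, em1 = WAN1, 203.0.113.1 = WAN1_GW (documentation address).
# The table is the equivalent of the OP's "PrivateNetworks" alias.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# BEFORE: the opening post's rule. route-to is applied to *every* IPv4 packet that
# arrives on LAN, including packets meant for the firewall's own LAN address
# (DNS, ping) and for other VLANs, so they are handed to WAN1_GW instead of being
# delivered locally. Kept commented out here because it is the broken variant.
# pass in quick on em0 route-to (em1 203.0.113.1) inet from em0:network to any keep state

# AFTER: policy-route only what is not bound for a private network, i.e. Internet
# traffic. The "!" is the inverted destination in the GUI rule ("!PrivateNetworks").
pass in quick on em0 route-to (em1 203.0.113.1) inet from em0:network to ! <rfc1918> keep state

# Plain pass rule left at the bottom with no route-to: traffic to the firewall
# itself, to the LAN address and to other VLANs falls through to this rule and
# follows the normal routing table, which is why DNS starts working again.
pass in quick on em0 inet from em0:network to any keep state
```

On the firewall, `pfctl -sr | grep route-to` shows which of the generated rules actually carry a gateway, which is the quickest way to confirm that only the inverted-destination rule does.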

Quote from: Saarbremer on March 05, 2024, 07:49:54 PM
The thing about policy based routing is, it is policy based routing.

Your rule doesn't just "change a gateway"; it forces all IPv4 traffic coming in on LAN to be sent to WAN1_GW.

Hence, nothing internal works as soon as a packet reaches your firewall. Luckily enough, SSH and HTTPS are matched by earlier automatic rules, and that's why those still work. Internet works as usual, as WAN1_GW is the gateway for it.

With your additional rule you don't make that happen for traffic with target "This Firewall" (= all IPs of the firewall, including all interfaces).

In case you still want to run policy based routing try writing it as:

LAN in, destination !RFC_1918 (or !PrivateNetworks as you call it) shall use the gateway wan1_gw

And make sure it is matched late in the chain; if you want to make exceptions later, it will avoid extra work.



Answer to your question: Read the docs first. I don't know about pfSense but I guess it also just works as stated in the docs.


Yeah ok, I guess that makes sense then. Thanks for the insight.

I have read the documents many times. Most of it doesn't make sense until I've worked through this stuff multiple times over. Still a new person at all this, but thanks for assuming I didn't read the directions. ;)


Quote from: Saarbremer on March 05, 2024, 07:49:54 PM

LAN in, destination !RFC_1918 (or !PrivateNetworks as you call it) shall use the gateway wan1_gw


Oh wow, this ended up being way more elegant than I had originally thought!!

I've been watching the live logs while playing with it this morning!

I left the default pass rule at the very bottom, which picks up the DNS as it doesn't match the above rule. Fricken brilliant!! Networking, I will never fully understand your weird ways. :)