[SOLVED] Block certain subnets from using gateway during failover in Multi WAN

Started by polarluminol, March 15, 2023, 05:27:07 AM

I am trying to figure out the best way to block certain subnets from using the alternate WAN during failover.  Here is an example of what I am doing to use policy-based routing to meet my network use requirements:

WAN1 - Internet access 1
WAN2 - Internet access 2

DMZ1 - Must use WAN1 gateway and appear on WAN1 IP
DMZ2 - Must use WAN2 gateway and appear on WAN2 IP

LAN-A - Default gateway (WAN preference is unnecessary)
LAN-B - GWgroup1 (WAN1 preferred, WAN2 alternate)
LAN-C - GWgroup2 (WAN2 preferred, WAN1 alternate)
LAN-D - GW1 - WAN1 only (WAN preference is preferred, but not critical)
LAN-E - GW2 - WAN2 only (WAN preference is preferred, but not critical)

During normal circumstances, everything works and failover to the alternate WAN works.  The problem is that during failover, both of my DMZ hosts start using whichever WAN connection is up.  This is causing conflicts in the services I am running that are sensitive to the public IP (the application detects the public IP being used and then does not go back).  How do I prevent each DMZ from using an alternate WAN IP during failover?

I would have assumed that specifying the gateway in a rule for policy-based routing would enforce only using that gateway in all circumstances.  I have considered a firewall rule (such as creating a block rule on WAN2 that blocks all traffic with source DMZ1), but I'm not sure if this is the best way.

Also of note is that the only time I specify the gateway or gateway group is for internet access firewall rules.  All of my local LAN and DMZ filtering uses the default gateway.

Help appreciated!  Please let me know if it helps to describe this situation further or if specific details are needed.  Thank you.

SOLUTION:

Go to

Firewall: Settings: Advanced: Skip rules

Check "Skip rules when gateway is down"

Are DMZ1 and DMZ2, as well as LAN A-E, all subnets, or are they clients within a DMZ and LAN subnet?

For subnets, just change the gateway of the default allow rule to your preference.
For clients, create an alias containing the MACs of the clients, create a pass rule on the specific interface (LAN/DMZ), and set the source to the alias and the gateway to your preference. Place this rule above the default allow rule and remember to do the same for IPv6 if needed. Do this for all affected "internet access rules".

Blocking on the WAN side is imho not required.
i am not an expert... just trying to help...

DMZ1, DMZ2, and LANs A-E all represent subnets that have their own VLAN.

I believe I am already doing your suggestion.  My current rules for the DMZ are:

Action | Source   | Destination            | Gateway
BLOCK  | DMZ1 net | LAN A-E                | *
BLOCK  | DMZ1 net | Other private networks | *
PASS   | DMZ1 net | *                      | WAN1

Given the third rule above, I'm not sure why DMZ1 hosts would somehow be detecting the WAN2 IP.

So far I have tried the following rules, both of which had no effect:

WAN2 Interface Rules

Action | Source   | Destination | Gateway
BLOCK  | DMZ1 net | *           | *

DMZ1 Interface Rules

Action | Source   | Destination | Gateway
PASS   | DMZ1 net | *           | GW_WAN1
BLOCK  | DMZ1 net | *           | GW_WAN2

My DMZ1 subnet always manages to route through WAN2.

Is there a default allow rule on e.g. DMZ1?
Then just change the gateway. There is no need to set the source to DMZ1_net.
i am not an expert... just trying to help...

Pretty sure I found the setting:

Firewall: Settings: Advanced: Skip rules

Check "Skip rules when gateway is down"

My testing has produced the desired effect.  When WAN1 is down, DMZ1 can't access the internet at all, yet subnets with GWgroup1 (WAN1 preferred, WAN2 alternate) properly fail over to WAN2 and then return to WAN1 when WAN1 is back.

Thanks for helping!
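To make the mechanism behind the solution concrete, here is an added illustration, not taken from the thread or from the OPNsense project, of the pf rules the firewall ends up loading for the DMZ1 policy-routing rule in each state. The interface names (vlan0.11 for DMZ1, vlan0.12 for LAN-B, igb0/igb1 for WAN1/WAN2), the subnets and the gateway addresses are assumed placeholders. The behaviour shown is the one the option's own help text describes: by default, a rule whose gateway is down is loaded without that gateway; with "Skip rules when gateway is down" checked, the whole rule is omitted instead.

```pf
# Assumed layout (placeholders, not the poster's real values):
#   DMZ1  = vlan0.11, 10.11.0.0/24
#   LAN-B = vlan0.12, 10.12.0.0/24
#   WAN1  = igb0, gateway 203.0.113.1   (GW_WAN1)
#   WAN2  = igb1, gateway 198.51.100.1  (GW_WAN2)

# 1. Both gateways up: the PASS rule on DMZ1 with gateway GW_WAN1 carries
#    route-to, so DMZ1's internet traffic always leaves via WAN1.
pass in quick on vlan0.11 inet from 10.11.0.0/24 to any \
    route-to (igb0 203.0.113.1) keep state label "DMZ1 internet via WAN1"

# 2. WAN1 down, "Skip rules when gateway is down" UNCHECKED (the default):
#    the same rule is loaded with its gateway stripped. It still passes the
#    traffic, which now follows the system default route, i.e. WAN2.
#    This is why DMZ1 hosts were seen on the WAN2 address during failover.
pass in quick on vlan0.11 inet from 10.11.0.0/24 to any \
    keep state label "DMZ1 internet via WAN1"

# 3. WAN1 down, "Skip rules when gateway is down" CHECKED:
#    the rule is not loaded at all. No other rule passes DMZ1 to the
#    internet, so the traffic hits the implicit default deny and DMZ1 stays
#    offline until WAN1 returns.
#    (no rule emitted for DMZ1 internet access)

# For comparison, LAN-B on gateway group GWgroup1 (WAN1 preferred, WAN2
# alternate): while WAN1 is down the generated rule points at the surviving
# member, which is the failover the poster wants for the LANs but not the DMZs.
pass in quick on vlan0.12 inet from 10.12.0.0/24 to any \
    route-to (igb1 198.51.100.1) keep state label "LAN-B internet via GWgroup1"
```

This also explains why the two rules tried earlier in the thread had no effect. Interface rules in OPNsense match traffic entering that interface, so a BLOCK rule on WAN2 with source "DMZ1 net" never sees DMZ1's outbound packets: they enter on the DMZ1 interface and are matched there by the `quick` pass rule, which ends evaluation. The BLOCK rule on DMZ1 with gateway GW_WAN2 sits below that pass rule, and in the default mode the pass rule is still present (only its gateway is dropped) while WAN1 is down, so it keeps matching first. A quick way to confirm which variant is active is to inspect the loaded ruleset with `pfctl -sr | grep DMZ1` before and after taking WAN1 down.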