Topic: Gateway Group Not Going Back to Tier 1 Gateway (Read 1108 times)
tophattwaffle on May 30, 2023, 11:10:32 pm:
Hello!
OPNSense 23.1.8
I have a subnet on my network that should have all traffic sent out a specific IPSec gateway to a remote site. If the IPSec goes down, traffic should be routed out my WAN_DHCP default gateway. A gateway group is set up with my IPSec gateway as the Tier 1 and my WAN_DHCP gateway as Tier 2. A firewall rule exists to send the traffic from this subnet out this gateway group. The gateway's trigger level is "Member Down".
From a "blank slate" traffic is flowing as expected - out the Tier 1 IPSec gateway. If the IPSec goes down, causing the Tier 1 gateway to go down, traffic is routed out my WAN_DHCP gateway as expected. The issue is that when the IPSec comes back, traffic is never routed back over the IPSec - it stays on my WAN_DHCP Tier 2 gateway.
The only way I can get it to switch back to my Tier 1 gateway (IPSec) is to go into the Gateway group and click save - no changes - just click save and apply. Traffic then goes back to how it should be.
Clearing states has no impact. I tried enabling/disabling "Sticky connections" with no luck. Any ideas?

franco (Administrator), Reply #1 on May 31, 2023, 09:32:55 am:
Might be https://github.com/opnsense/core/issues/6231 and the development version of 23.1.8 already has the rewritten monitor/alert script which seems to be working according to the original reporter.
Cheers,
Franco

tophattwaffle, Reply #2 on May 31, 2023, 08:20:43 pm:
Thanks for that!
Good to know that there already seems to be a fix and this isn't related to my configuration. I'll give development a try and see what happens.

franco (Administrator), Reply #3 on June 01, 2023, 09:17:32 am:
Thanks, feedback for this is highly appreciated. Some of it has been defunct for years (gateway group triggers loss and delay) since we switched apinger for the dpinger utility.
The new monitoring should also be a lot less trigger-happy and can be further improved to inspect the event before triggering a failover/reload.
Cheers,
Franco