Running server (Nextcloud) with external access *not* via default gateway

Started by TheSHAD0W, February 01, 2026, 07:07:15 PM

Background: I have two satellite uplinks, one with unlimited bandwidth but behind a NAT, and one with a public IP but metered bandwidth. The first is set as my default gateway, while the second will be limited for external service.

I've been trying to route traffic for my Nextcloud server through the second gateway, and have created firewall rules to do so. tcpdump shows connection replies from activity on the second gateway being sent out the first one despite all attempts I've made to direct the traffic correctly. Connections initiated from the server going outside are being routed through the correct (second) gateway.

Here are my routing table status and the firewall rules I've created... https://imgur.com/a/az73LDb

Here is the output of pfctl -sr ... https://pastebin.com/gunnwfX3

Edit: The screenshots don't show that the bottom two rules have the gateway set as WANsat2

Quote from: TheSHAD0W on February 01, 2026, 07:07:15 PM
tcpdump shows connection replies from activity on the second gateway being sent out the first one despite all attempts I've made to direct the traffic correctly.
The "reply-to" tagging is responsible for routing replies back to the correct gateway.
This presumes that
- you have the proper gateway set in the WAN interface settings, in the case of manual IP configuration
- and that the firewall rule which passes the incoming traffic to the web server is defined on the incoming interface (no group or floating pass rule may match the traffic).

Note that interface group or floating rules have precedence over interface rules.
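As an added illustration of the mechanism described in the reply above (this is not either poster's ruleset and not taken from the pastebin), here is what the relevant rules look like in raw pf syntax. The interface names, addresses and the WANsat2 next hop are assumed placeholders; substitute your own. The point is that reply-to is a property of the state created by the *interface* rule on the incoming WAN, so a floating or group rule that matches first and carries no reply-to leaves the replies to follow the default route.

```pf
# Constructed example, not the original poster's configuration.
# Names and addresses below are assumed placeholders.
wan1     = "igb0"            # WANsat1: default gateway, behind NAT (assumed)
wan2     = "igb1"            # WANsat2: public IP, metered (assumed)
wan2_gw  = "203.0.113.1"     # next hop on WANsat2 (assumed)
nextcloud = "192.168.1.10"   # LAN address of the Nextcloud host (assumed)

# Port forward inbound HTTPS arriving on WANsat2 to the server.
rdr on $wan2 proto tcp from any to ($wan2) port 443 -> $nextcloud port 443

# Correct: pass rule bound to the incoming interface with reply-to.
# The state created here remembers "replies go out $wan2 via $wan2_gw",
# so return packets bypass the default route through $wan1.
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) \
    proto tcp from any to $nextcloud port 443 keep state

# Outbound connections initiated by the server are policy-routed the same
# way with route-to on the LAN-side rule (assumed LAN interface "igb2").
pass in quick on igb2 route-to ($wan2 $wan2_gw) \
    proto tcp from $nextcloud to any keep state

# Broken variant for comparison (commented out): a rule with no interface
# (a "floating" rule in OPNsense terms) is evaluated before interface rules.
# It matches the same traffic, creates the state without reply-to, and the
# interface rule above never sees the packet; replies then leave via $wan1.
# pass in quick proto tcp from any to $nextcloud port 443 keep state
```

To confirm which rule actually owns the state, compare the loaded ruleset against the states: `pfctl -vvsr` prints each rule with its evaluation count and any reply-to/route-to it carries, and `pfctl -ss` lists the active states; a state for the Nextcloud connection created by a rule without reply-to is the symptom described in the first post. Watching both uplinks at once with `tcpdump -ni igb0 port 443` and `tcpdump -ni igb1 port 443` shows directly which interface the SYN-ACKs leave on.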

- Setting "reply-to" tagging to the appropriate gateway did not help.

- Interface configuration for that gateway is DHCP, not sure what you mean. That interface is set as a gateway and is operating; if I change its priority to highest in gateway configuration it operates as expected.

- Firewall rule is defined on correct interface (and is where I changed the "reply-to" tagging setting).

I have no floating rules defined and there are no pass rules that appear to have precedence... With the exception of one autogenerated rule that appears to be getting involved in the exchange, "let out anything from firewall host itself". Could this be getting in the way?