Hi Michael,

When you say you have SNAT configured, are you using the nat-loopback plugin or 
the outbound-snat plugin?

Either of those requires obtaining the WAN IPv4 address to attach iptables "-j 
SNAT --to-source $ip" rules, and as written only looks at the primary external 
address.  Even if the Failover interface was looked at, the firewall would have 
to be rebuilt for the failover context switch with the 
/mnt/kd/wan-failover.script.

Question, does either of these plugins make sense for a failover situation?

Possibly you want to disable the outbound-snat plugin on failover and re-enable 
it on return to primary?

If you have the special case of the outbound-snat plugin enabled, you could 
(untested code):

-- /mnt/kd/wan-failover.script snippet --

SECONDARY)
  ## Switched to Failover using secondary WAN link

  ## Disable outbound-snat plugin
  iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
  ;;

PRIMARY)
  ## Switched back to normal using primary WAN link

  ## Re-Enable outbound-snat plugin
  iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
  ;;

--
but this is somewhat fragile, such that if the firewall was restarted during 
failover it would revert to the PRIMARY setting.  To be less fragile, you could 
also add:
--
sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
--
and ENABLED=1 on return to PRIMARY.


Lonnie
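
As an added example (not code from this thread or from AstLinux itself), here is a fuller version of the hook sketched above that combines the iptables toggle with the persisted ENABLED= flag and makes both steps safe to re-run. The convention that the failover state arrives as $1, the OUTBOUND_SNAT chain name and the plugin config path are assumptions taken from the message.

```shell
#!/bin/sh
# Added example, not from the thread: a wan-failover hook that toggles the
# outbound-snat plugin both live (iptables jump rule) and persistently
# (ENABLED= in the plugin config), so a firewall restart during failover
# does not re-enable SNAT on the secondary link.
# Assumptions: the failover state arrives as $1 (PRIMARY or SECONDARY),
# OUTBOUND_SNAT is the plugin's chain, and the config path is as quoted above.

SNAT_CONF="${SNAT_CONF:-/etc/arno-iptables-firewall/plugins/outbound-snat.conf}"
IPTABLES="${IPTABLES:-iptables}"

# Persist ENABLED=<val>; fail if the key is absent rather than silently doing nothing.
set_snat_enabled() {
  conf="$1"; val="$2"
  grep -q '^ENABLED=' "$conf" || return 1
  sed -i "s/^ENABLED=.*/ENABLED=$val/" "$conf"
}

# Read the persisted value back (for verification after the edit).
get_snat_enabled() {
  sed -n 's/^ENABLED=//p' "$1" | tail -n 1
}

# Idempotent jump-rule handling: probe with -C first so re-running the hook
# neither duplicates the rule nor errors out when it is already gone.
snat_jump() {
  action="$1"
  if "$IPTABLES" -t nat -C POSTROUTING -j OUTBOUND_SNAT 2>/dev/null; then
    [ "$action" = off ] && "$IPTABLES" -t nat -D POSTROUTING -j OUTBOUND_SNAT
  else
    [ "$action" = on ] && "$IPTABLES" -t nat -I POSTROUTING -j OUTBOUND_SNAT
  fi
  return 0
}

wan_failover() {
  case "$1" in
    SECONDARY) snat_jump off && set_snat_enabled "$SNAT_CONF" 0 ;;
    PRIMARY)   snat_jump on  && set_snat_enabled "$SNAT_CONF" 1 ;;
    *) echo "usage: $0 PRIMARY|SECONDARY" >&2; return 2 ;;
  esac
}

# Act as a hook only when called with a state; sourcing it just defines the functions.
case "${1:-}" in PRIMARY|SECONDARY) wan_failover "$1" ;; esac
```

Because the ENABLED= edit survives a firewall restart, a restart during failover keeps SNAT off until the PRIMARY branch runs again.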



> On Mar 17, 2021, at 1:16 AM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Grr problem now found. I had SNAT configured which didn't work on the second 
> WAN connection.
> Any way I can fix this e.g. don't do SNAT on the failover WAN?
>  
> Regards
> Michael Knill
>  
> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
> Reply to: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Wednesday, 17 March 2021 at 4:27 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: [Astlinux-users] Weird routing problem
>  
> Hi Group
>  
> I'm currently at a site that has a primary and failover WAN connection and a 
> two LAN connections. The primary WAN connection has failed over to the 
> secondary WAN connection however it is only working on one of the LAN 
> interfaces and not the other. I can ping the interface address fine so it's 
> not an interface problem.
>  
> Does anyone have any idea why this would be happening?
>  
> Regards
> Michael Knill
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.


