On Mon, Apr 16, 2012 at 2:42 PM, David Rees <[email protected]> wrote:
> I posted this on the forum[1] a while back but didn't get a response -
> thought I'd try here.
>
> I've got a fairly typical multi-WAN setup on pfSense 2.0.1 with one
> primary WAN and a secondary WAN port.
>
> Inbound access to servers is the same across both WAN ports so what
> I've been doing is duplicating rules across both interfaces.
>
> Then I saw the Interface Groups tab and thought - nice! now I can add
> my two WAN ports to the Interface Group and then only have to worry
> about a single page of firewall rules unless I want a specific rule
> for one of the two WAN ports.
>
> So I created an Interface Group with both WAN ports and proceeded to
> copy a rule over, leaving my two existing WAN interface rulesets
> intact.
>
> But what I found is that this killed inbound connections on my
> secondary WAN port to a NATted host. Removing that WAN port from the
> interface group allowed things to continue working.
>
> Looking in /tmp/rules.debug I see rules in this order:
>
> WAN rules, LAN rules, WAN-group rules, then OPT1 rules (OPT1 is my
> other WAN connection).
>
> Looking at the difference between the WAN-group rules and WAN/OPT1
> rules it is missing "reply-to ( <interface> <interface-ip> )" from the
> rules.
>
> I assume that this is the problem here - I'm guessing that the
> connection reply isn't going out the right interface.
>
> Any ideas? Should this work? Am I doing something wrong or missing
> something?
>
WAN rules require reply-to in many circumstances for correct return routing, and that cannot be done on interface groups, it's only done on rules assigned to that particular WAN.

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
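A small check of the kind David did by hand in /tmp/rules.debug, added here as an example (it is not from the thread and not pfSense code): it scans pf rules text for inbound pass rules on WAN interfaces, or on a WAN interface group, that carry no reply-to, since those are the rules whose replies will follow the routing table rather than leave the interface the connection arrived on. The interface names, addresses, group name and the sample rules are constructed assumptions, not actual pfSense output.

```python
"""Flag pf 'pass in' rules on WAN-facing interfaces that lack a reply-to."""
import re
from typing import List, Tuple

# Constructed sample in pf syntax (not a real pfSense /tmp/rules.debug dump).
# Interface names, addresses and the group name are assumptions.
SAMPLE_RULES = """\
# WAN rules (per-WAN rules carry reply-to)
pass in quick on em0 reply-to ( em0 203.0.113.1 ) proto tcp from any to 10.0.0.10 port 443 keep state
# WAN-group rules: no reply-to, so replies follow the default route
pass in quick on WANGRP proto tcp from any to 10.0.0.10 port 443 keep state
# OPT1 (second WAN) rules
pass in quick on em1 reply-to ( em1 198.51.100.1 ) proto tcp from any to 10.0.0.10 port 443 keep state
# LAN rule: reply-to is not expected on an internal interface
pass in quick on em2 from 10.0.0.0/24 to any keep state
"""

# Interfaces (and the group) that carry WAN traffic; assumption for the sample.
WAN_IFACES = {"em0", "em1", "WANGRP"}

# Matches an inbound pass rule and captures the interface after "on".
RULE_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(\S+)")


def rules_missing_reply_to(text: str, wan_ifaces=WAN_IFACES) -> List[Tuple[int, str]]:
    """Return (line_number, interface) for every inbound pass rule on a WAN
    interface or WAN group that has no reply-to, i.e. whose replies are routed
    by the routing table instead of being pinned to the arrival interface."""
    missing = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = RULE_RE.match(line)
        if not m:
            continue  # not an inbound pass rule
        iface = m.group(1)
        if iface in wan_ifaces and "reply-to" not in line:
            missing.append((lineno, iface))
    return missing


if __name__ == "__main__":
    for lineno, iface in rules_missing_reply_to(SAMPLE_RULES):
        print(f"line {lineno}: 'pass in' on {iface} has no reply-to; "
              f"replies will leave via the default route, not {iface}")
```

Run against a copy of your own rules.debug (adjusting the interface set) to see which inbound rules, typically the group ones, lack the reply-to the per-WAN rules have.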
