On 12/13/2013 5:10 AM, Chris Bagnall wrote:
> On 13/12/13 5:48 am, Walter Parker wrote:
>> What do I need to do to get the firewall to use the COMCASTGW for
>> responses to packets sent to the COMCAST interface?
>
> Unless you're using advanced outbound NAT, this should happen
> automatically.

Actually that won't have anything to do with outbound NAT, but it will have to do with gateways and other rules. Make sure that your Interfaces > [WAN Name] pages have a gateway set/selected if they are a static IP. If they are DHCP this should happen automatically.

> You said:
>> I have a rule on the Comcast interface that allows all traffic, with the
>> destination of Comcast net and the Gateway set to COMCASTGW.

Never set a gateway on WAN rules, it does not do what you're expecting it to do.

> As an aside, if you want to easily create incoming rules in a multi-WAN
> scenario, it's often worth creating an interface group called 'WANs' or
> similar, then creating your incoming rules in there - saves duplicating
> them across multiple interfaces, especially if you have 3 or more
> interfaces.

Actually using an Interface Group or Floating rules will break it worse.

The reasoning behind all of this is the logic in how the firewall formulates the rules for WANs in this scenario. If an interface has a gateway selected, its rules will automatically gain a "reply-to" keyword which tells the traffic to exit back the interface from which it entered the firewall. Using floating rules for multiple interfaces or an interface group will cause reply-to not to be set because it can't be set for rules affecting multiple interfaces.

So, in summary:

* WANs need to have gateways set
* Don't put gateways on WAN rules
* Don't use interface groups or multi-interface floating rules for WAN rules
* Make sure the global reply-to disable option is not set on System > Advanced, Firewall tab
* Make sure the WAN rule passing the traffic does not have the advanced option checkbox set to disable reply-to

Jim

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
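As an added illustration of the rule logic Jim describes (not text from his message and not pfSense's exact generated ruleset), here is roughly what the three configurations look like in pf syntax. Assumed, constructed values: em1 is the COMCAST interface, 198.51.100.1 is COMCASTGW, 198.51.100.10 is the firewall's address on that WAN, and em2 is a second WAN.

```pf
# Constructed, illustrative values: em1 = COMCAST, 198.51.100.1 = COMCASTGW,
# 198.51.100.10 = firewall address on em1, em2 = a second WAN.

# 1. Correct: per-interface WAN rule, the interface has a gateway selected,
#    and no gateway is set on the rule itself. The rule gains reply-to, so
#    replies for this state leave via em1 toward COMCASTGW regardless of
#    which WAN holds the default route.
pass in quick on em1 reply-to ( em1 198.51.100.1 ) inet proto tcp \
    from any to 198.51.100.10 port 443 flags S/SA keep state

# 2. Wrong: a gateway set on the WAN rule. A rule gateway is policy routing
#    (route-to) applied to the packet that matched the rule, i.e. the inbound
#    packet. It is not the mechanism that steers the replies, so it does not
#    do what you expect here.
pass in quick on em1 route-to ( em1 198.51.100.1 ) inet proto tcp \
    from any to 198.51.100.10 port 443 flags S/SA keep state

# 3. Wrong: floating rule or interface group spanning several WANs.
#    reply-to needs a single interface/gateway pair, so none is emitted and
#    replies simply follow the routing table (the default route), which
#    breaks responses on the non-default WAN.
pass in quick on { em1 em2 } inet proto tcp \
    from any to 198.51.100.10 port 443 flags S/SA keep state
```

On a live box, `pfctl -sr` shows the generated rules, so you can confirm whether the rule passing your COMCAST traffic actually carries `reply-to ( em1 ... )`.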
