Feature #15429
Suggested wording improvements for gateway failure and recovery settings
Status: open
Description
I'm excited about the new gateway recovery behavior that's available in 24.03. However, I found that the blog post (https://www.netgate.com/blog/netgate-to-enhance-gateway-recovery-in-pfsense-plus-version-24.03#:~:text=The%20gateway%20recovery%20feature%20enables,availability%20for%20the%20user%20base) and wording in the UI are not as clear and easy to understand as they could be. I've created the following suggestions for making changes to the UI pages that I think will improve the administrator's experience when configuring the gateway failure and recovery behaviors. I also think it would be helpful if the Gateway Group and Gateway pages could show what the global options are set to, as this would make it more convenient than having to refer back to the global settings to find out what they are set to.
Gateway Monitoring (System > Advanced > Misc)
Gateway Recovery Behavior (Global)
• Do not flush states after gateway recovery (default)
• Only flush states on lower-priority gateways
• Only flush states with the same address family as the gateway group
Controls the global state flushing behavior for when the default gateway is set to a failover gateway group.
*Do not flush states after gateway recovery:* Use the setting of the failover gateway group that is set as the default gateway.
*Only flush states on lower-priority gateways:* All states on lower-priority gateways are flushed when a higher-priority gateway returns to an online state.
*Only flush states with the same address family as the gateway group:* States of the same Address Family as the gateway group are flushed for lower-priority gateways.
Note: This does not affect traffic initiated from the firewall itself.
Policy-routing recovery behavior (Global)
• Do not flush policy routing states after gateway recovery
• Flush all policy routing states on lower-priority gateways after a higher-priority gateway recovers
Controls the global state flushing behavior for states created by policy routes (firewall rules) for all gateway groups. This allows for different recovery behaviors for states created by policy routes and the default system route.
Gateway Failure Behavior (Global)
• Do not flush states after gateway failure (default)
• Only flush states for all gateways which are down
• Flush all states after gateway failure
Controls the global state flushing behavior when a gateway is down.
*Do not flush states after gateway failure:* Uses the gateway failure behavior configured on each gateway group.
*Only flush states for gateways which are down:* Flush all states after gateway failure: Only affects states created by policy routing rules or that contain a reply-to address.
Note: Behaviors except "Flush all states after gateway failure" can be overridden on a per-gateway basis. This behavior is not triggered by gateways with monitoring disabled, monitoring action disabled, or which have been forced down. May not have any effect on dynamic gateways during a link loss event.
Gateway Group (System > Routing > Gateway Groups)
Gateway Recovery Behavior
• Use global behavior (default)
• Do not flush states during gateway recovery
• Flush states on lower-priority gateways during recovery
*Do not flush states upon gateway recovery:* States for this gateway group are unaffected.
*Flush states on lower-priority gateways:* Flush policy routing states for lower-priority gateways.
Note: Changing gateway priorities may not affect states created before the changes. This does not affect traffic initiated from the firewall itself.
Gateway (System > Routing > Gateways)
Gateway Failure Behavior
• Use global behavior (default)
• Do not flush states after gateway failure
• Flush states using this gateway when it is down
Controls the state flushing behavior when this specific gateway goes down. Flushing states for specific down gateways only affects states created by policy routing rules or that contain a reply-to address. Has no effect if gateway monitoring or its action are disabled or if the gateway is forced down. May not have any effect on dynamic gateways during a link loss event.
Reset All States (System > Advanced > Networking)
Reset all states if WAN IP Address changes
This option resets all states when a WAN IP Address changes instead of only states associated with the previous IP Address.
It would also be nice to have clarification on how this “Reset All States” setting works with the new gateway failure and recovery settings, and when it should be used.
Updated by Marcos M 7 months ago
- Priority changed from Normal to Very Low
Thanks for the feedback! I do think the various related settings could use rewording and restructuring for clarification and cohesiveness. Care needs to be taken to avoid overly-verbose information that is better left to the online documentation. This is why we add the help shortcut icon to pages.
In this case, I think most of the details are best left to the docs. We use kill instead of flush because flushing implies all items are removed (see pfctl).
As for the option Reset all states if WAN IP Address changes, this works independently from the gateway recovery/failure behavior. If checked, then states are flushed (i.e. all states are killed). If unchecked, then states referencing the old WAN IP are killed. Indeed there can be overlap with the gateway behavior; the result is some states have already been killed with the gateway behavior setting by the time this option (Reset all states if WAN IP Address changes) would kill them too.
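A small model of the kill-versus-flush distinction described in the comment above, added here as an illustration and not taken from the issue or from pfSense code: it shows which entries of a state table are removed when "Reset all states if WAN IP Address changes" is checked versus unchecked. The state lines are constructed in the style of `pfctl -ss` output, and the function names, interface names and IPv4-only matching are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -ss` output (not from a real firewall).
# 203.0.113.10 plays the role of the old WAN address; igb2 is a second WAN.
SAMPLE_STATES = """\
igb0 tcp 203.0.113.10:51512 (192.168.1.20:51512) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
igb0 udp 203.0.113.10:4500 -> 198.51.100.99:4500 MULTIPLE:MULTIPLE
igb1 tcp 192.168.1.20:51512 -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
igb2 tcp 192.0.2.44:60022 (192.168.1.30:60022) -> 198.51.100.8:22 ESTABLISHED:ESTABLISHED
igb1 icmp 192.168.1.1:8 <- 192.168.1.30:8 0:0
"""

# Assumption: IPv4 only, to keep the example short.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")


def addresses(state_line):
    """Return every IPv4 address that appears in one state line."""
    return {ipaddress.ip_address(a) for a in ADDR_RE.findall(state_line)}


def states_killed(state_text, old_wan_ip, reset_all):
    """Return the state lines removed after a WAN IP change.

    reset_all=True  models the option checked: the whole table is flushed.
    reset_all=False models it unchecked: only states that reference the
    old WAN address (as source, NAT address or destination) are killed.
    """
    old = ipaddress.ip_address(old_wan_ip)
    lines = [line for line in state_text.splitlines() if line.strip()]
    if reset_all:
        return lines
    return [line for line in lines if old in addresses(line)]


def survivors(state_text, old_wan_ip, reset_all):
    """Return the state lines that remain in the table."""
    killed = set(states_killed(state_text, old_wan_ip, reset_all))
    return [l for l in state_text.splitlines() if l.strip() and l not in killed]


if __name__ == "__main__":
    for checked in (False, True):
        kept = survivors(SAMPLE_STATES, "203.0.113.10", checked)
        print(f"option checked={checked}: {len(kept)} state(s) survive")
        for line in kept:
            print("   ", line)
```

With the option unchecked, the LAN-side state and the state on the second WAN survive, which is the difference between killing selected states and flushing the table.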