Bug #16203
open
Floating Firewall Rules for ICMP Inconsistently Choose Gateways and May Ignore Routing
0%
Description
When testing Floating rules for ICMP with the interface set to "Any", outbound traffic will choose whatever gateway was seemingly "used last" for ICMP traffic, regardless of the default gateway or Policy-based routing.
For example, if you have two WANs, WAN1 and WAN2, and WAN2 becomes the default gateway, you traceroute out that interface, and then flip the default gateway to WAN1, if the rule for ICMP is a Floating Rule set to Any for the interface, it will likely continue to leave WAN2.
Additionally, if you define a direction on the Floating rule and set Policy-based Routing to use WAN1, it will still use WAN2 regardless of the direction.
Updated by Azamat Khakimyanov 4 months ago
Tested on 24.11
What I found that with Floating rules for ICMP with the interface set to "Any" if to run endless ping (ping 9.9.9.9) while WAN1 is a default gateway and then make WAN2 as a default gateway, ICMP traffic is switched to WAN2 interface BUT it's still using WAN1 as a Source IP. And Diagnostics/States table showed that ICMP traffic from host behind LAN is being NATted into WAN1 IP.
Any new initiated ICMP traffic uses WAN2 as a Source (while WAN2 is a default gateway).
So if to make WAN1 back as a default gateway, ping, which has been started initially, starts using WAN1 gateway. And ICMP ping which I run while WAN2 is a default gateway, starts being forwarded via WAN1 but with WAN2 as a Source IP.
Updated by Azamat Khakimyanov 4 months ago
Tested on latest 25.07-DEV (built on Wed Nov 27 18:22:00 UTC 2024)
I don't see this issue on 25.07-DEV: with Floating rules for ICMP with the interface set to "Any", ICMP traffic is forwarded via correct WAN gateway any time you switch from one WAN gateway to another and back.