Bug #1951
closed
Auto generated reply-to rules not working
0%
Description
In Multi-WAN setups, traffic seems to always leave the default gateway no matter what interface it entered on. For testing I added rules to allow ICMP and SSH via first via a Floating Rule and later via an Interface Group. Traffic would not leave the interface it entered in on unless I added a rule on the each of my WAN type interfaces and clicked "This will disable auto generated reply-to for this rule" under Advanced Options. This seems backwards of the expected behavior.
Files
Updated by Ermal Luçi over 12 years ago
Without showing what you configured on the floating rules i cannot give you a real answer.
My first guess is that you just not created the right rule and the packets already matched another rule!
Updated by Larry Titus over 12 years ago
- File All_Comcast_Interface_Rules.png All_Comcast_Interface_Rules.png added
- File ICMP_FLT_Rule.png ICMP_FLT_Rule.png added
- File All_FLT_Rules.png All_FLT_Rules.png added
- File ICMP_Int_Grp_Rule.png ICMP_Int_Grp_Rule.png added
- File All_Int_Grp_WANs_Rules.png All_Int_Grp_WANs_Rules.png added
- File Comcast_ICMP_Interface_Rule.png Comcast_ICMP_Interface_Rule.png added
6 Screenshots attached. The Floating and Interface Group rules were only enabled one at a time. They are both disabled now because when enabled, they break the normal Interface rules. My examples only show ICMP but it affected all TCP connections as well. The rules I have on my Comcast interface, I had to duplicate to my UUNet and FiOS interfaces as well before they would work. If I uncheck the "disable reply-to" option on those interface rules, then all packets regardless of the incoming interface, leave on the default gateway and get dropped by the ISP's seeing packets on their network that do not belong to them. When I check the box to disable reply-to, then traffic leaves on the same interface it entered. This only works for the Interface rules. When checking "disable reply-to" on the FLT or Int Grp rules, it still sends all packets out the default gateway.
Updated by Chris Buechler over 12 years ago
- Status changed from New to Rejected
no specific bug here, need to post things like this to the list or forum first as it's more likely a config issue as reply-to definitely works.
Updated by Larry Titus over 12 years ago
For the record, this must have been "upgrade rot". After doing a clean 2.0-Release install and restoring the exact same config, everything is now working as expected. This firewall has been updated a good 20 times throughout the 2.0 BETA/RC cycle. If this ticket re-opens when I leave this comment, please close it out again.