Bug #1951
closed
Auto generated reply-to rules not working
Added by Larry Titus about 13 years ago.
Updated over 9 years ago.
Affected Architecture: i386
Description
In Multi-WAN setups, traffic seems to always leave via the default gateway no matter what interface it entered on. For testing I added rules to allow ICMP and SSH, first via a Floating Rule and later via an Interface Group. Traffic would not leave the interface it entered on unless I added a rule on each of my WAN-type interfaces and checked "This will disable auto generated reply-to for this rule" under Advanced Options. This seems backwards from the expected behavior.
Without showing what you configured on the floating rules, I cannot give you a real answer.
My first guess is that you just did not create the right rule and the packets already matched another rule!
6 screenshots attached. The Floating and Interface Group rules were only enabled one at a time. They are both disabled now because, when enabled, they break the normal Interface rules. My examples only show ICMP, but it affected all TCP connections as well. The rules I have on my Comcast interface I had to duplicate to my UUNet and FiOS interfaces as well before they would work. If I uncheck the "disable reply-to" option on those interface rules, then all packets, regardless of the incoming interface, leave on the default gateway and get dropped by the ISPs seeing packets on their network that do not belong to them. When I check the box to disable reply-to, then traffic leaves on the same interface it entered. This only works for the Interface rules. When checking "disable reply-to" on the FLT or Int Grp rules, it still sends all packets out the default gateway.
- Status changed from New to Rejected
No specific bug here; things like this need to be posted to the list or forum first, as it's more likely a config issue. reply-to definitely works.
For the record, this must have been "upgrade rot". After doing a clean 2.0-Release install and restoring the exact same config, everything is now working as expected. This firewall has been updated a good 20 times throughout the 2.0 BETA/RC cycle. If this ticket re-opens when I leave this comment, please close it out again.
- Target version deleted (2.0.1)