Firewall rules specifying a gateway do not work for the WAN subnet in some cases.
I have a LAN firewall rule specifying that all outbound traffic (destination all) should go to a gateway group containing a dynamic gateway for a VPN tunnel (default rule). This worked fine in 2.0.
After upgrading to 2.0.1, traffic going to the WAN subnet (note: the WAN subnet only) went out to the default gateway. After adding a specific firewall rule before the default one (since the default one still matches the packets) with destination WAN subnet, with this rule also routing the traffic to the gateway group containing the VPN tunnel, the traffic was routed correctly.
However this is not the behaviour I would expect from the default rule.
#1 Updated by Jim Pingle over 8 years ago
- Priority changed from High to Low
This is not unexpected behavior, there need to be policy route negation rules for any directly connected networks, static route networks, VPN networks, etc.
I'm not sure if the WAN subnet is included in our current automatic negation rules, leaving this open for now so others can comment.
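Added illustration (not part of this bug report or of pfSense's code): a minimal first-match model of policy routing showing why a catch-all rule with a gateway group captures traffic to a directly connected network unless a negation rule without a gateway is evaluated first. The addresses, rule layout and the `system-route` label are constructed assumptions, not pfSense's actual generated ruleset.

```python
# Constructed model of first-match policy routing (like pfSense user rules,
# which are generated as "quick" pf rules): the first matching rule decides
# the gateway. A rule with no gateway leaves the packet to the system
# routing table, which is what a "policy route negation" rule does for
# directly connected networks such as the WAN subnet.
import ipaddress
from typing import List, Optional, Tuple

# A rule is (destination network, gateway name or None).
# gateway=None means: do not policy-route, use the normal routing table.
Rule = Tuple[ipaddress.IPv4Network, Optional[str]]

WAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # constructed WAN subnet
ANY = ipaddress.ip_network("0.0.0.0/0")


def policy_route(rules: List[Rule], dst: str) -> str:
    """Return where a packet to `dst` is sent under first-match evaluation.

    Returns the gateway name of the first matching rule, 'system-route'
    when the first matching rule has no gateway (negation rule), or 'drop'
    when no pass rule matches at all (default deny).
    """
    addr = ipaddress.ip_address(dst)
    for net, gateway in rules:
        if addr in net:
            return gateway if gateway is not None else "system-route"
    return "drop"


# The reporter's ruleset: one default rule sending everything into the VPN
# gateway group. Traffic to the WAN subnet also matches it.
DEFAULT_ONLY: List[Rule] = [(ANY, "VPN_GW_GROUP")]

# Same ruleset with a negation rule for the directly connected WAN subnet
# placed before the default rule, as the comment above describes.
WITH_NEGATION: List[Rule] = [(WAN_SUBNET, None), (ANY, "VPN_GW_GROUP")]

if __name__ == "__main__":
    for dst in ("203.0.113.42", "198.51.100.7"):  # WAN-subnet host, remote host
        print(dst, policy_route(DEFAULT_ONLY, dst), policy_route(WITH_NEGATION, dst))
```

Only traffic to the WAN subnet changes behaviour between the two rulesets; Internet-bound traffic still reaches the VPN gateway group in both.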