Todo #15220

Updated by Marcos M 3 months ago

With the re-introduction of @if-bound@ as the default PF state policy, services on the firewall (which do not automatically add a route) bound to secondary WANs will fail. This is due to @route-to@ outbound states being bound to the route interface (details on #12630).

For rules with @reply-to@, when port forwarding on a secondary WAN, outbound @reply-to@ traffic doesn't match the state - presumably it only looks for the route interface (and not also the @route-to@ interface).
<pre>
vmx2 tcp 10.0.10.30:8999 (192.168.1.253:8999) <- 198.51.100.227:56295         CLOSED:SYN_SENT
   [0 + 64240]    [3309371906 + 1]
   age 00:00:25, expires in 00:00:12, 4:0 pkts, 240:0 bytes, rule 799
   id: edb4ba6500000000 creatorid: af6c8b55 reply-to: 192.168.1.254@vmx2

@799 pass in quick on vmx2 reply-to (vmx2 192.168.1.254) inet proto tcp from any to <d_TEST:1> port = 8999 flags S/SA keep state (if-bound) label "USER_RULE: NAT TEST" label "id:1679170149" ridentifier 1679170149
  [ Evaluations: 32          Packets: 75          Bytes: 4500          States: 1       ]
  [ Inserted: uid 0 pid 0 State Creations: 19      ]
  [ Last Active Time: Tue Jan 30 12:44:44 2024 ]
</pre>

This essentially breaks anything that isn't simply a failover-only multi-WAN setup, such as an OpenVPN server listening on a second WAN, port forwarding on a second WAN, and accessing the WebGUI on a second WAN.
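The state dump quoted above has a telltale signature: a @reply-to@ state stuck in @CLOSED:SYN_SENT@ whose packet counters are one-sided (@4:0 pkts@), i.e. the inbound SYNs matched but no reply ever matched the state. The script below is an added example (not from the ticket or the pfSense project) that parses @pfctl -vvss@-style output in the format shown above and flags @reply-to@/@route-to@ states with traffic in only one direction, which is a cheap way to spot this breakage on a multi-WAN box. The state block from the ticket is embedded as sample input together with a constructed healthy state (interface @vmx1@, rule 12) for contrast; the assumption that pfctl prints @route-to@ the same way as @reply-to@ (@addr@iface@) is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the state block quoted in the ticket, followed by a
# made-up healthy state (vmx1, rule 12) so the detector has something to pass.
SAMPLE = """\
vmx2 tcp 10.0.10.30:8999 (192.168.1.253:8999) <- 198.51.100.227:56295         CLOSED:SYN_SENT
   [0 + 64240]    [3309371906 + 1]
   age 00:00:25, expires in 00:00:12, 4:0 pkts, 240:0 bytes, rule 799
   id: edb4ba6500000000 creatorid: af6c8b55 reply-to: 192.168.1.254@vmx2
vmx1 tcp 10.0.10.30:443 <- 203.0.113.10:51000       ESTABLISHED:ESTABLISHED
   [1 + 65535]    [2 + 65535]
   age 00:01:10, expires in 23:59:00, 12:10 pkts, 1800:9000 bytes, rule 12
   id: 0000000000000001 creatorid: af6c8b55
"""

# Header line: "<iface> <proto> <endpoints...>   <STATE:STATE>"; the state is the last token.
HEADER_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<endpoints>.*?)\s+(?P<state>\S+)$")
# Counter line: "... 4:0 pkts, 240:0 bytes, rule 799"
COUNTER_RE = re.compile(r"(?P<p1>\d+):(?P<p2>\d+) pkts, (?P<b1>\d+):(?P<b2>\d+) bytes, rule (?P<rule>\d+)")
# Routing line: "reply-to: 192.168.1.254@vmx2" (route-to assumed to use the same shape).
ROUTE_RE = re.compile(r"(?P<kind>reply-to|route-to): (?P<gw>\S+)@(?P<riface>\S+)")


@dataclass
class PfState:
    iface: str                      # interface the state is bound to (first column)
    proto: str
    endpoints: str
    state: str                      # e.g. CLOSED:SYN_SENT
    pkts: Tuple[int, int] = (0, 0)  # per-direction packet counters as printed
    rule: Optional[int] = None
    route_kind: Optional[str] = None   # "reply-to" or "route-to"
    route_gw: Optional[str] = None
    route_iface: Optional[str] = None


def parse_states(text: str) -> List[PfState]:
    """Parse pfctl -vvss style output into PfState records."""
    states: List[PfState] = []
    cur: Optional[PfState] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():          # unindented line starts a new state
            m = HEADER_RE.match(line)
            if not m:
                continue
            cur = PfState(m["iface"], m["proto"], m["endpoints"], m["state"])
            states.append(cur)
            continue
        if cur is None:                    # indented detail before any header
            continue
        m = COUNTER_RE.search(line)
        if m:
            cur.pkts = (int(m["p1"]), int(m["p2"]))
            cur.rule = int(m["rule"])
        m = ROUTE_RE.search(line)
        if m:
            cur.route_kind, cur.route_gw, cur.route_iface = m["kind"], m["gw"], m["riface"]
    return states


def stuck_routed_states(states: List[PfState]) -> List[PfState]:
    """reply-to/route-to states where exactly one direction has never matched a packet."""
    stuck = []
    for s in states:
        if s.route_kind is None:
            continue
        a, b = s.pkts
        if (a == 0) != (b == 0):           # one counter is zero, the other is not
            stuck.append(s)
    return stuck


def report(text: str) -> List[str]:
    """One human-readable line per suspicious state."""
    return [
        f"rule {s.rule} on {s.iface}: {s.proto} {s.endpoints} {s.state} "
        f"pkts={s.pkts[0]}:{s.pkts[1]} {s.route_kind} via {s.route_gw}@{s.route_iface}"
        for s in stuck_routed_states(parse_states(text))
    ]


if __name__ == "__main__":
    # On a live box: pfctl -vvss | python3 this_script.py  (reads stdin when piped)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in report(data) or ["no one-sided reply-to/route-to states found"]:
        print(line)
```

The one-sided counter check is deliberately narrow: a state with zero packets in both directions is just new, and a state with traffic both ways is working regardless of how it is bound, so only the @reply-to@/@route-to@ states whose return path never matched are reported, which is exactly the pattern the ticket describes.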
