LinuxQuestions.org
#1  11-03-2022, 05:02 PM  Jason_25 (Member, registered Nov 2001, 180 posts)
Multiple WAN connections - can web requests reach a server from a higher metric default gateway?


I have a complicated network now.

My testing initially showed that web requests from my phone for instance could not get to the web server if the cable gateway (default gw metric 0) was blocking connections.

But now I see that when the cable gateway is blocking connections that web requests can still reach the web server from the fallback cellular gateway (default gw metric 1). I thought the problem was due to IPv6 but I have disabled that now and still see the occasional connection.

I can see the connections happening right now but my phone cannot access the site because the cable gateway has it blocked. Yet hackers/bots do not have the same problem.

I guess my first question is how are the hackers/bots able to access the server through the fallback connection when my phone can not?

My second question is about the metrics. My earlier testing showed that if gateway metric 0 was up but blocking connections then there were no connections. Now gateway metric 0 is up and blocking connections but there are connections being made. Shouldn't gateway metric 0 be used at all times for incoming and outgoing connections?

I wanted to mention that my multiwan script tests connections and boots out routes that are no good with a simple "route del default gw". This removes the gateway with metric 0 and uses the gateway with metric 1, and so on, as I have even more gateways, but they are CGNAT only, so they are not responsible for the incoming connections.
 
#2  11-03-2022, 07:04 PM  computersavvy (Senior Member, registered Aug 2016, 3,345 posts)
If you have multiple gateways, the network should automatically use the first gateway it finds with an open path, and the lowest metric.

Thus, if you have 2 default routes, one with metric 100 and one with metric 600, the one with metric 100 will be tried. If that fails then the next lowest metric (600) will be tried and if open will be used.

Note that metrics for your routes apply to connections originating on the local machine/network, not to those originating from outside and coming in. Your routes have no effect on incoming connections, only on the replies to those connections or new connections you originate.
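The point in the reply above, that metrics only choose the egress for packets the server itself sends, is also why the fallback path behaves oddly: a SYN that arrives through the cellular gateway is answered with a SYN-ACK that the main routing table sends through the cable gateway (metric 0). If that gateway drops or NATs the reply, the client never gets an answer it accepts, so the attempt shows up as a bare SYN in firewall and IDS logs and never in Apache. The standard remedy is source-based policy routing: one routing table per WAN link and an ip rule that steers packets sourced from a link's own address back through that link. The script below is an added example, not code from the thread or the poster's multiwan script; it assumes the server holds its own address on each WAN-facing interface (eth0 with 203.0.113.10 via 203.0.113.1, wwan0 with 198.51.100.10 via 198.51.100.1) and uses tables 100 and 101, all hypothetical. It prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: one routing table per WAN link plus a
# source-address rule, so replies to connections that arrived on a given link
# leave through that link's gateway even when another default route has the
# lower metric in the main table. Interface names, addresses and table
# numbers are hypothetical.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else eval "$*"; fi; }

# Main-table default routes keep the metric preference for traffic the
# server originates itself (updates, outbound DNS, the failover order).
main_default_cmds() {
    iface=$1; gw=$2; metric=$3
    echo "ip route replace default via $gw dev $iface metric $metric"
}

# Per-link table holding only that link's default route. The rule sends any
# packet whose source is the link's own address (i.e. a reply to something
# that arrived on that link) to that table before the main table is consulted.
# "ip rule add" is not idempotent, so the old rule is deleted first.
wan_policy_cmds() {
    iface=$1; gw=$2; addr=$3; table=$4
    echo "ip route replace default via $gw dev $iface table $table"
    echo "ip rule del from $addr table $table 2>/dev/null || true"
    echo "ip rule add from $addr table $table priority $((1000 + table))"
}

# Full command set for a cable (eth0, metric 0) plus cellular (wwan0, metric 1) server.
all_cmds() {
    main_default_cmds eth0  203.0.113.1  0
    main_default_cmds wwan0 198.51.100.1 1
    wan_policy_cmds eth0  203.0.113.1  203.0.113.10  100
    wan_policy_cmds wwan0 198.51.100.1 198.51.100.10 101
}

all_cmds | while IFS= read -r cmd; do run "$cmd"; done
```

Run it with DRY_RUN=0 on the server once the addresses are filled in; `ip rule show` and `ip route show table 101` confirm the result. If both gateways sit on the same LAN segment and the server has a single address, the source-address rule cannot tell the two paths apart; the same idea then needs a connection mark set on ingress (by incoming interface or gateway MAC), restored on the reply packets, and an `ip rule` matching `fwmark` instead of `from`.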
#3  11-03-2022, 11:07 PM  Jason_25 (Original Poster)
So I have a better understanding of this now than before but not perfect. As you say the packets are coming in but probably not going out. This is obviously enough to trip my monitoring systems though. It is also bad practice to let the bad people even get that far.

The connectivity problem was due to using the round robin hostname instead of the cellular gateway IP address. When the cellular gateway IP address is used a connection attempt is logged by 2 of my detection systems. The phone and mobile internet device actually behave the same way in this regard.

Possible attackers do not seem to make it very far. I noticed that the Apache log has no recent entries because there is no outbound connection made so no packets are exchanged and nothing can be logged I suppose.

The details of exactly what is happening here are still pretty hazy to me. But it is clear it is time to selectively firewall the cellular gateway based on network status. I was going to do this at first but thought I did not need it but now I have decided I do. Just some scripting will be needed.
 
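One way to do the "selectively firewall the cellular gateway based on network status" that the poster decides on, as an added example rather than the poster's own multiwan script: probe the cable link through its own interface (a bare ping would follow whichever default route currently wins and say nothing about the cable path), keep the cellular interface closed to new inbound web connections while the cable link is healthy, and demote the cable default route by raising its metric instead of deleting it, so the next successful probe restores it without the script having to remember the gateway. Interface names (eth0, wwan0), gateway addresses, the nft table name `multiwan` and the port list are hypothetical; with DRY_RUN=1 (the default) the script prints what it would run.

```shell
#!/bin/sh
# Added example, not the poster's script: gate inbound web traffic on the
# fallback cellular link by the health of the primary cable link, and demote
# rather than delete the primary default route when it fails. Interfaces,
# addresses, table name and ports are hypothetical.

PRIMARY_IF=eth0;   PRIMARY_GW=203.0.113.1
FALLBACK_IF=wwan0; FALLBACK_GW=198.51.100.1
WEB_PORTS="{ 80, 443 }"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else eval "$*"; fi; }

# Probe through the primary interface specifically. Exit status is the verdict.
primary_is_up() {
    ping -c 1 -W 2 -I "$PRIMARY_IF" "$PRIMARY_GW" >/dev/null 2>&1
}

# nft commands that should be in force for a given primary state (up|down).
# The chain is flushed and rebuilt each time so repeated runs stay idempotent.
firewall_cmds() {
    state=$1
    echo "nft add table inet multiwan"
    echo "nft 'add chain inet multiwan input { type filter hook input priority 0; policy accept; }'"
    echo "nft flush chain inet multiwan input"
    if [ "$state" = up ]; then
        # Primary healthy: new inbound web connections arriving via cellular
        # are dropped, so scanners cannot reach the server through the
        # fallback path at all. Established flows are untouched.
        echo "nft add rule inet multiwan input iifname $FALLBACK_IF tcp dport $WEB_PORTS ct state new counter drop"
    fi
    # state=down: the flushed chain leaves cellular inbound open.
}

# Route commands for the same state. The primary route is demoted, not
# removed, so it is still present and wins again as soon as it is healthy.
route_cmds() {
    state=$1
    if [ "$state" = up ]; then
        echo "ip route replace default via $PRIMARY_GW dev $PRIMARY_IF metric 0"
    else
        echo "ip route replace default via $PRIMARY_GW dev $PRIMARY_IF metric 50"
    fi
    echo "ip route replace default via $FALLBACK_GW dev $FALLBACK_IF metric 1"
}

# Decide once, then apply both firewall and routes; prints the state chosen.
reconcile() {
    if primary_is_up; then state=up; else state=down; fi
    { firewall_cmds "$state"; route_cmds "$state"; } \
        | while IFS= read -r cmd; do run "$cmd"; done
    echo "$state"
}

# Only act when invoked with "run", e.g. from cron: ./multiwan.sh run
if [ "${1:-}" = run ]; then reconcile; fi
```

Run it from cron or a systemd timer every minute with DRY_RUN=0. Logging the `counter` value from `nft list chain inet multiwan input` gives a cheap count of how many connection attempts the cellular path absorbed while the primary was up, which is the same signal the poster's detection systems were firing on.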