18.7 Legacy Series / How to configure a "Policy Routing" without compromising the firewall rules ?
« on: December 19, 2018, 12:36:27 am »
As I understand it, "Firewall->Rules->LAN" defines (for instance) whether a TCP port is allowed or not, AND also which WAN this rule should use to validate the rule. Besides this, the rule in fact also determines the WAN output routing.
I have a MULTI-WAN configuration only to implement a "failover" approach, using my 3 output uplinks. So I have a main UPLINK (tier-1) defined and the others as tier-2 and tier-3.
When I define a "Firewall->Rule->LAN" I use my MULTI-WAN group as "the gateway". No problems until now...
My difficulty arises when I need to specify that a specific DESKTOP (LAN->IP) should use a specific route to one of my WAN links, thus ignoring my MULTI-WAN configuration.
The only way I could find to do this in OPNsense is creating a rule with the field "Source" containing the DESKTOP LAN-IP and using my specific WAN link as "the gateway", and also setting the WAN output routing.
But now all my hundreds of regular rules which use my MULTI-WAN group as "the gateway" are ignored, because this DESKTOP rule in fact also determines which features are released. And I would not want to duplicate all of my regular RULES only because I have a different "gateway".
In OPNsense, the "Firewall-Rule" assigns the resources to be allowed AND also determines the routing. Do we have a way to separate the "Policy Routing" from the "Outgoing traffic" rules? So that first the system computes the route and then checks all the Firewall rules?