OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: kkoh on February 13, 2019, 09:16:56 pm

Title: Fresh Install - looking for pointers/best practices
Post by: kkoh on February 13, 2019, 09:16:56 pm
After years of junk and forgotten machines/services on this client's old network, I'm stepping in fresh to set up an OPNsense router for their border. Their needs aren't overly complex, but it does present a situation I've not dealt with in the past. Basics are they have two providers, mainly for redundancy, each with its own public IP set but no BGP. The hardware is a quad-core Atom, 6 Intel NICs, 4 GB of RAM, and a 4 GB CF card.
It's essentially a small company user LAN behind the box. The boss would like to keep all users on a single subnet, but be able to force certain clients out of one WAN and others out of the other, and also allow for failover to the "good" line for all users if one WAN goes down.
It seemed simple enough in theory. I set up the gateways and then set up two GW groups, one favoring WAN1 and the other favoring WAN2. I entered DNS for each and monitoring IPs in the public range, and then I edited the default LAN out rule to favor GWgrp1. I copied that rule and set it to have a /26, which aligns with the DHCP range (and some extras), to prefer GWgrp2.
This way DHCP is handed out, and they can hard-code leases to numbers outside of the subnet or hard-code at the clients if they like. In theory it should work, said the little voice in my head. It does work as far as outbound traffic when all is right... something seems to be failing when I take a WAN down. It seems like the routing is happening correctly, but resolution fails for the IPs on the wrong preferred side.
I have an allow DNS rule at the top of the LAN FW that lets all port 53 TCP/UDP requests go to the OPNsense box. What am I missing to make it work?
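The distinction at the heart of this post is that policy routing (LAN rules pointing at a gateway group) only applies to traffic passing through the firewall; traffic the firewall itself originates, such as the resolver's upstream queries, follows the system default route. The following toy model, added here as an illustration and not code from the thread or from OPNsense, captures that split. The names WAN1/WAN2, GWgrp1/GWgrp2, the 192.168.1.0/24 LAN and the 192.168.1.128/26 DHCP range are constructed to mirror the poster's description, and the failover semantics are a deliberate simplification of the real behaviour.

```python
"""Toy model of gateway-group policy routing vs. the firewall's own default route.

Added example (not from the forum thread or the OPNsense project). All
gateway, group and address values below are constructed for illustration.
"""
import ipaddress

# Gateway groups: list of (gateway, tier). The lowest tier that is up wins.
GROUPS = {
    "GWgrp1": [("WAN1", 1), ("WAN2", 2)],
    "GWgrp2": [("WAN2", 1), ("WAN1", 2)],
}

# LAN rules, evaluated top to bottom, first match wins (constructed).
RULES = [
    {"src": "192.168.1.128/26", "group": "GWgrp2"},  # the /26 covering the DHCP range
    {"src": "192.168.1.0/24", "group": "GWgrp1"},    # the edited default LAN rule
]


def pick_group_gateway(group, gw_up):
    """Return the lowest-tier gateway in `group` that is up, or None."""
    for gw, _tier in sorted(GROUPS[group], key=lambda entry: entry[1]):
        if gw_up.get(gw, False):
            return gw
    return None


def lan_egress(src_ip, gw_up):
    """Policy-routed egress for a LAN client: first matching rule's live gateway."""
    ip = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if ip in ipaddress.ip_network(rule["src"]):
            return pick_group_gateway(rule["group"], gw_up)
    return None


def firewall_egress(gw_up, default_gw="WAN1", allow_switching=False):
    """Egress for traffic the firewall itself originates (e.g. resolver queries).

    This traffic is not policy routed; it uses the system default gateway.
    With default-gateway switching off, a dead default gateway leaves the
    firewall with no upstream path. With switching on, another live gateway
    becomes the default.
    """
    if gw_up.get(default_gw, False):
        return default_gw
    if not allow_switching:
        return None
    for gw, up in gw_up.items():
        if up:
            return gw
    return None


def client_can_resolve(src_ip, gw_up, allow_switching=False):
    """A LAN client resolving through the firewall needs both a live policy
    route for its own traffic and a live default route for the resolver."""
    return (
        lan_egress(src_ip, gw_up) is not None
        and firewall_egress(gw_up, allow_switching=allow_switching) is not None
    )


if __name__ == "__main__":
    wan1_down = {"WAN1": False, "WAN2": True}
    for host in ("192.168.1.10", "192.168.1.150"):
        print(host, "egress:", lan_egress(host, wan1_down),
              "resolves:", client_can_resolve(host, wan1_down),
              "resolves with switching:", client_can_resolve(host, wan1_down, True))
```

Run stand-alone, the model shows that with WAN1 down every client's own traffic still fails over inside its gateway group, yet name resolution only recovers once the firewall is allowed to move its default route, which is exactly the setting the follow-up post ends up enabling.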
Title: Re: Fresh Install - looking for pointers/best practices
Post by: kkoh on February 13, 2019, 09:19:30 pm
That didn't take long... I checked "Allow default GW switching" in General Settings and it fixed it.
So will this affect VPN and NAT reflection for any services they need to let in?