OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: niziak on April 04, 2019, 02:20:20 pm

Title: multiple WAN and LAN gateways: static route and default GW issues
Post by: niziak on April 04, 2019, 02:20:20 pm
Hello.
I'm using OPNsense 19.7.a_288-amd64 with two ethernet WAN connections (static IP), and one ethernet LAN interface.
On the LAN side I additionally have 2 routers which provide connectivity to other private networks (OpenVPN / strongSwan).
To define a static route to 192.168.251.235 and 10.0.0.0/8 I was "forced" to define gateways on the LAN side.

Ok. This is not a big issue. Working with predefined gateways is nice - I can monitor and see gateway status. This can be useful.
But by default static routes are not working. I was digging and found that a strange rule was created:
Code:
pass out route-to ( bge0 192.168.0.242 ) from {bge0} to {!(bge0:network)} keep state allow-opts label "let out anything from firewall host itself"

As a workaround I've created a rule to pass traffic to 192.168.251.235 using gateway 192.168.231.
Later I found the option to disable this rule generation: Disable force gateway.


1st Q: Why is it not possible to enter the IP address of a gateway manually, and only predefined gateways can be used in static routes? I do not know OPNsense internals well, but I can only imagine that you want to keep the user from directly manipulating routing tables and to have all possible gateways defined in order to generate other rules not related to static routing.

2nd Q: Why is the option Disable force gateway not enabled by default? Or at least, if it is disabled, there should be some info on the ui/routes page to warn that firewall rules can override routing table entries.


After some working hours I realized that after changing some settings in the LAN gateway and reloading the gateway configuration, I lost WAN connectivity. The default gateway was changed from the WAN gateway to the LAN gateway 192.168.0.242. I found that this is a known issue and will be fixed in 19.7. As a workaround all LAN gateways have to be set to Mark Gateway as Down without disabling gateway monitoring (due to another issue already known).

But I found that disabling Disable force gateway is not honoring the gateway down state, and OPNsense chooses one of the gateways to create the force gateway rule:
Code:
pass out route-to ( bge0 192.168.0.242 ) from {bge0} to {!(bge0:network)} keep state allow-opts label "let out anything from firewall host itself"

3rd Q: Should I write an issue for this?
4th Q: Why not simply add an option on the interface configuration to set IPv4 Upstream Gateway to None?
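
An added example, not part of the original post and not OPNsense code: it parses the rule quoted above and lists the static routes whose next hop the route-to clause would replace for traffic the firewall itself sends from bge0. The /24 LAN prefix and the 192.168.0.250 next hop are constructed assumptions, not values from the post.

```python
import ipaddress
import re

# pf rule quoted in the post above.
RULE = ('pass out route-to ( bge0 192.168.0.242 ) from {bge0} to '
        '{!(bge0:network)} keep state allow-opts '
        'label "let out anything from firewall host itself"')

# Constructed inputs (assumptions): the prefix on bge0 and the LAN-side
# router used as next hop for the two static routes named in the post.
IF_NETWORKS = {"bge0": ipaddress.ip_network("192.168.0.0/24")}
STATIC_ROUTES = {
    "192.168.251.235/32": "192.168.0.250",
    "10.0.0.0/8": "192.168.0.250",
}

ROUTE_TO = re.compile(
    r'route-to\s*\(\s*(?P<ifname>\S+)\s+(?P<gw>\S+)\s*\)\s*from\s*\{[^}]+\}'
    r'\s*to\s*\{\s*!\(\s*(?P<net>\w+):network\s*\)\s*\}')

def parse_force_gateway(rule):
    """Return (interface, forced gateway, excluded interface) or None."""
    m = ROUTE_TO.search(rule)
    return (m["ifname"], ipaddress.ip_address(m["gw"]), m["net"]) if m else None

def overridden_routes(rule, routes, if_networks):
    """List (destination, configured gw, forced gw) for bypassed routes.

    route-to hands a matching packet to the named gateway instead of the
    next hop from the routing table, so a static route only survives when
    its destination is excluded by the rule or it already uses that gateway.
    """
    parsed = parse_force_gateway(rule)
    if parsed is None:
        return []
    _, forced_gw, net_if = parsed
    local = if_networks[net_if]
    hits = []
    for dest, gw in routes.items():
        dest_net = ipaddress.ip_network(dest)
        # "!(bge0:network)" excludes destinations inside the interface prefix.
        if dest_net.subnet_of(local):
            continue
        if ipaddress.ip_address(gw) != forced_gw:
            hits.append((dest, gw, str(forced_gw)))
    return hits
```
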

Title: Re: multiple WAN and LAN gateways: static route and default GW issues
Post by: MathieuM on July 12, 2019, 11:05:04 am
Did the latest release candidate resolve the issue you were having?

I'm trying to set up a dual WAN (I wanted to achieve load sharing + failover if one of the gateways fails) - and am hoping things work in a smoother way on that next release (I'm on stable) …

Title: Re: multiple WAN and LAN gateways: static route and default GW issues
Post by: shtech on July 31, 2019, 07:19:44 pm
I've got a client on OPNsense, the first one to use multi-WAN, and failover is not working at all. I'm updating it now to 19.1.8 to see if anything was fixed.

I followed the docs gateway groups to the letter. It doesn't work... so we'll see if this update fixes that. I'll respond here if it does.

There is an odd option, a check box, that says allow default gateway switching. Didn't find much in documentation.