OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: toxic on October 11, 2020, 04:19:53 pm

Title: [solved] dyndns with multiwan: only IP from default gateway
Post by: toxic on October 11, 2020, 04:19:53 pm
Hello,

I'm facing the very same issue as here : https://forum.opnsense.org/index.php?topic=5692.0
Which seems to be resolved with 17.something, but I'm already on 20.7.3-amd64

Again, I have igb4 and igb5 plugged into 2 different ISP boxes, both using DHCP, and for me

    curl --interface igb5 api.ipify.org

and

    curl --interface igb4 api.ipify.org

both return the same IP of the current default gateway instead of each returning a different public IP.

I am using gateway groups and firewall rules to do some policy routing. The policy routing works well and I have some hosts that successfully go to the internet on the igb5 interface, and their browser shows my other public IP when manually browsing to api.ipify.org.

I was careful not to apply any policy routing to the OPNsense box itself, and the FW logs show outgoing traffic for the IP of api.ipify.org on the same interface (WAN instead of WAN2) with the matched rule being "let out anything from firewall host itself", which is some default rule.

I suspect this is a routing issue. I'm not sure how the routing table should look for multi-WAN; I currently have only one default route, which uses the WAN and not the WAN1 interface. I was expecting to see another default with lower priority using WAN1, but there is nothing there.

Any help is greatly appreciated!

Edit:
For more info, I do have several VPN clients connected to PIA and some other VPN providers, giving me additional gateways... Some of them are enabled, some not (IPv6 GWs for example).
I have no gateway that has "upstream gateway" ticked, and anyway, when I do enable upstream gateway on the 2 GWs for WAN and WAN1, I still have the same behaviour.

I don't know if it's helpful, but playing with gateway priority: when WAN is priority 254 and WAN1 is priority 254, both curl commands return the IP of WAN as explained above.
But when I set WAN1 to priority 253 and leave WAN on 254, the curl command that uses WAN1 finally returns the proper public IP of WAN1, but suddenly the curl command trying to use WAN does not complete at all:

    sudo curl --interface <WAN> --ipv4 -v api.ipify.org
    *   Trying 54.235.169.38:80...
    * Local Interface <WAN> is ip 192.168.10.3 using address family 2
    * Local port: 0
    <it just hangs there...>

Lastly, this is what a traceroute shows: going out the wrong interface:

    traceroute to 8.8.4.4 (8.8.4.4) from 192.168.2.2, 64 hops max, 40 byte packets
     1  192.168.10.1 (192.168.10.1)  2.308 ms  2.462 ms  2.529 ms
     2  XXX 33.242 ms  33.451 ms  35.618 ms
    ...
    10  dns.google (8.8.4.4)  50.082 ms  43.478 ms  44.604 ms

WAN gets a DHCP address, 192.168.10.2/24, and WAN1 gets another from another DHCP server, 192.168.2.2/24; both gateways are on the first IP in the subnet.
So the traceroute should have shown a first hop to 192.168.2.1 and not .10.1 like it did...
Title: Re: dyndns with multiwan: only IP from default gateway
Post by: toxic on October 15, 2020, 01:28:00 am
Ok, found the issue...
Just untick this:
Firewall > Settings > Advanced > Disable force gateway: untick

For info, the option's help text:

    Disable automatic rules which force local services to use the assigned interface gateway.
    Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.
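The check a reader would want after changing that setting, as an added example script that is not part of the thread: it confirms that packets sourced from each WAN address leave via that WAN's own gateway by reading the first hop of a traceroute. It assumes the addresses toxic reported (WAN 192.168.10.2 via 192.168.10.1, WAN1 192.168.2.2 via 192.168.2.1) and FreeBSD's traceroute flags.

```shell
#!/bin/sh
# Added example (not from the thread): verify per-WAN egress on a multi-WAN
# OPNsense box by comparing the first traceroute hop with the expected gateway.
# Source addresses and gateways below are assumed from the thread.

# Print the first-hop address from traceroute output (works for -n and
# hostname formats: the second field of the hop-1 line is always the address).
first_hop() {
    printf '%s\n' "$1" | awk '$1 == "1" { print $2; exit }'
}

# Return 0 when the first hop equals the expected gateway, 1 otherwise.
# $1 = source address, $2 = expected gateway, $3 = traceroute output
check_egress() {
    hop=$(first_hop "$3")
    if [ "$hop" = "$2" ]; then
        echo "ok: $1 exits via $2"
        return 0
    fi
    echo "MISMATCH: $1 exited via ${hop:-unknown}, expected $2"
    return 1
}

# Live check for one WAN (needs network; FreeBSD traceroute flags):
# -n numeric, -q 1 one probe, -m 1 stop after the first hop, -s source address.
live_check() {
    check_egress "$1" "$2" "$(traceroute -n -q 1 -m 1 -s "$1" 8.8.4.4 2>/dev/null)"
}

# Constructed sample reproducing the symptom from the thread: source 192.168.2.2
# (WAN1) left via 192.168.10.1, the WAN gateway, instead of 192.168.2.1.
BAD_TRACE='traceroute to 8.8.4.4 (8.8.4.4) from 192.168.2.2, 64 hops max, 40 byte packets
 1  192.168.10.1 (192.168.10.1)  2.308 ms  2.462 ms  2.529 ms'
# Constructed sample of the expected result once "Disable force gateway" is unticked.
GOOD_TRACE=' 1  192.168.2.1  1.102 ms  1.090 ms  1.111 ms'

# Check both WANs live; exits non-zero if either one egresses via the wrong gateway.
run_all() {
    rc=0
    live_check 192.168.10.2 192.168.10.1 || rc=1   # WAN  (igb4)
    live_check 192.168.2.2  192.168.2.1  || rc=1   # WAN1 (igb5)
    return $rc
}

if [ "${1:-}" = "--live" ]; then run_all; exit $?; fi
```

Run it on the firewall as `sh check_egress.sh --live`; without the flag it only defines the functions so the parsing can be tested against the constructed samples.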