OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: zeighy on October 19, 2020, 10:50:43 pm

Title: Send incoming connection out the same WAN link
Post by: zeighy on October 19, 2020, 10:50:43 pm
I have had OPNsense set up for a while now with a dual-WAN setup.

WAN1 = primary
WAN2 = backup
LAN1 = main subnet
LAN2 = isolated subnet (cam, IoT, etc)

Nearly all devices (LAN1 & LAN2) use WAN1 as the internet link, and WAN2 is used as a backup in case WAN1 is down or experiencing issues. While I have set up a gateway group for them (GATEGROUP1), I am having trouble with one thing...

A server (SERVER1) inside LAN1 will respond to requests from the outside world. Currently, I have set up port forwarding on both WAN1 and WAN2 for the same ports, directed towards SERVER1. A request coming in on WAN1 at the forwarded port is sent to SERVER1, which replies correctly. But when a connection comes in via WAN2... the outgoing connection is sent out WAN1, resulting in a failed connection.

I've set the gateway of the "Default allow LAN to any" rule to GATEGROUP1. Of course, since WAN1 is working, it sends outgoing connections to WAN1. But this in effect makes incoming connections via WAN2 be sent out WAN1. If I set the default rule's gateway to "default", it seems to work: incoming connections via WAN2 are sent out WAN2. However, this in effect disables failover for LAN1, so if WAN1 goes down it doesn't switch over to WAN2. I have to manually set the gateway to WAN2 or set it back to GATEGROUP1.

LAN2 is set for GATEGROUP1 as default gateway, so it works as needed.

Any way of making this work so that SERVER1 can be connected to regardless of which WAN the incoming connection is arriving on? And still allow for gateway group failover...
Title: Re: Send incoming connection out the same WAN link
Post by: zeighy on October 20, 2020, 02:04:48 am
So, I actually figured this out....

Created an alias for SERVER1's IP called SERVERROUTE, and created a LAN1 rule that directs SERVERALIAS to use the "default" gateway.

Now I set the "Default allow LAN" rule to use GATEGROUP1 as its gateway.


So, actually the above doesn't quite work... When accessing SERVER1 using its FQDN from LAN1, it does not properly do NAT reflection. A little bit cumbersome :/
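As an added illustration (not part of the original post, and not OPNsense's generated ruleset), here is the rule layout described in this thread written out in raw pf syntax: a port forward on each WAN, a WAN pass rule with `reply-to` so replies leave on the WAN the connection arrived on, a LAN1 rule for SERVER1 with no `route-to` (the "default" gateway), a policy-routed catch-all for the rest of LAN1, and the hairpin `rdr`/`nat` pair that NAT reflection adds for LAN1 clients using the public FQDN. Interface names, addresses and the 443 port are hypothetical.

```pf
# Added illustration in raw pf syntax of the rule layout discussed above.
# Interface names and addresses are hypothetical:
#   em0 = WAN1 (198.51.100.2/24, gateway 198.51.100.1)
#   em1 = WAN2 (203.0.113.2/24,  gateway 203.0.113.1)
#   em2 = LAN1 (192.168.1.0/24), SERVER1 = 192.168.1.10
# OPNsense builds its own ruleset from the GUI; this is not that ruleset.

wan1 = "em0"
wan2 = "em1"
lan1 = "em2"
server1 = "192.168.1.10"

# --- Port forwards (Firewall: NAT: Port Forward), one per WAN ---
rdr on $wan1 inet proto tcp from any to ($wan1) port 443 -> $server1
rdr on $wan2 inet proto tcp from any to ($wan2) port 443 -> $server1

# --- NAT reflection (Firewall: Settings: Advanced) ---
# LAN1 clients resolving the public FQDN hit the WAN1 address. Redirect that
# to SERVER1 and source-NAT it to the LAN1 interface address, so SERVER1's
# reply comes back through the firewall instead of going straight to the
# client and being dropped as an unknown connection.
rdr on $lan1 inet proto tcp from $lan1:network to 198.51.100.2 port 443 -> $server1
nat on $lan1 inet proto tcp from $lan1:network to $server1 port 443 -> ($lan1)

# --- WAN pass rules ---
# reply-to pins the replies of each inbound state to the WAN it arrived on,
# so a connection that came in via WAN2 is answered via WAN2.
pass in quick on $wan1 reply-to ($wan1 198.51.100.1) inet proto tcp \
    from any to $server1 port 443 keep state
pass in quick on $wan2 reply-to ($wan2 203.0.113.1) inet proto tcp \
    from any to $server1 port 443 keep state

# --- LAN1 rules (Firewall: Rules: LAN1), first matching quick rule wins ---
# 1. SERVER1 (the alias rule from the post above): no route-to, so its
#    traffic follows the system routing table, i.e. the "default" gateway.
pass in quick on $lan1 inet from $server1 to any keep state

# 2. Everything else on LAN1 is policy-routed. OPNsense rewrites the
#    gateway when the group fails over; the WAN1 gateway is shown statically.
pass in quick on $lan1 route-to ($wan1 198.51.100.1) inet from $lan1:network to any keep state
```

Ordering matters twice here: pf evaluates translation (`rdr`/`nat`) before filtering, so the `rdr` lines have to come before the `pass` lines, and within the LAN1 filter rules the SERVER1 rule must precede the policy-routed catch-all, since both are `quick`.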
Title: Re: Send incoming connection out the same WAN link
Post by: Gauss23 on October 20, 2020, 07:39:59 am
Did you enable NAT reflection in Firewall: Settings: Advanced?