My OPNsense sits behind two other routers. I have HAproxy installed and configured. I want to offer some services via WAN/router 1 and some via WAN/router 2.
- request hits router 1 or 2
- request is port forwarded to OPNsense/HAproxy
- HAproxy speaks to backend
- HAproxy's response is then forwarded to the client via the default gateway (router 1)!
Added difficulty: Router 2 sits in LAN and not on a separate WAN interface of the OPNsense.
How can I make OPNsense send the response via the correct gateway/router?
You're most certainly looking for reply-to on the incoming firewall rule that accepts connections from Router2 to your OPNsense.
I know that reply-to is added by default on WAN interfaces (not differentiated by the name, but rather by the fact that they have a gateway configured). There's a global setting to control this behaviour, so you will want to double-check that it's on. Now, how you get OPNsense to add reply-to to only one specific rule on an interface, without setting a gateway, I'm not quite sure; you'd probably have to do some digging to find out whether it's at all possible. I know it's possible to explicitly disable it for specific rules while it's globally enabled, but what you want is the opposite.
If Router2 were on a separate interface, then no problem: configure the interface and set Router2 as gateway. Reply-to will be automatically added.
I believe this person has the same/similar issue:
https://forum.opnsense.org/index.php?topic=15900.msg79646#msg79646
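For anyone reading along, here is what the reply-to the answer above refers to looks like at the pf level (OPNsense generates its ruleset for pf). This is an added illustration, not part of either post and not OPNsense's generated ruleset; the interface names (em0, em1), the OPNsense addresses (203.0.113.10 on WAN, 192.168.1.1 on LAN), Router1 (203.0.113.1) and Router2 (192.168.1.2) are all assumptions chosen for the example.

```pf
# Added example with assumed names and addresses, not from the original thread.
# em0 = WAN interface towards Router1, which is the default gateway (203.0.113.1)
# em1 = LAN interface; Router2 (192.168.1.2) sits on this LAN and port-forwards
#       its WAN traffic to HAProxy listening on the OPNsense LAN address 192.168.1.1:443

# Connections that Router1 forwarded in over WAN. OPNsense adds reply-to here
# automatically because the interface has a gateway configured; replies for
# this state go back out em0 to Router1 regardless of the routing table.
pass in quick on em0 reply-to (em0 203.0.113.1) proto tcp from any to 203.0.113.10 port 443 keep state

# Connections that Router2 forwarded in over LAN. Without reply-to, the replies
# for this state follow the default route and leave via Router1, so the client
# behind Router2 never sees them. With reply-to, pf sends the replies for every
# connection matched by this rule back out em1 with Router2 as the next hop.
pass in quick on em1 reply-to (em1 192.168.1.2) proto tcp from any to 192.168.1.1 port 443 keep state
```

The address in the reply-to option is the next hop for the reply packets, not a source address, and pf applies it only to traffic belonging to states created by that rule, so the rest of the LAN traffic keeps using the normal routing table. This is exactly the per-rule behaviour the answer describes; the open question in the thread is only how to get OPNsense to emit the second rule for an interface that has no gateway configured.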