OPNsense Forum

English Forums => Virtual private networks => Topic started by: Hoppestokken on June 08, 2022, 08:13:48 PM

Title: Routing over IPsec S2S
Post by: Hoppestokken on June 08, 2022, 08:13:48 PM
Hi!

Probably a stupid question, and there is probably an answer in the wiki somewhere, but could somebody just help me out a bit?

I have OPNsense at home and want to run an IPsec tunnel to an OPNsense box at work; that's simple.
But how can I force all traffic in a specific VLAN at home through the tunnel, while all the other VLANs exit locally?

Trying to set it up, but I'm doing something wrong.

Thanks in advance
Title: Re: Routing over IPsec S2S
Post by: defaultuserfoo on June 11, 2022, 11:26:47 AM
You could make a firewall rule on the VLAN interface and specify the IPsec gateway to use instead of the default gateway.

How would you do that with wireguard?
Title: Re: Routing over IPsec S2S
Post by: wedge1001 on June 15, 2022, 05:05:15 PM
here's an example

what you have to change:
Interface (your VLAN interface)
Destination / Invert (don't tick it)
Destination (change to any);
Log (i was searching for errors - that's why i ticked it)
Gateway: choose your gateway that will point to your OPNsense at work.

If you don't have a gateway for your remote OP, create one.
1) Create a new interface on your local OP and assign the IPsec connection.
2) Restart the connection (because I didn't even get one interface assignment of a VPN that would get the IP if the connection was already active).
3) Add firewall rules for the new interface according to your needs.
4) Go to System -> Gateways -> Single.
5) There you should already see a gateway for your new interface; click on it and enable gateway monitoring. The IP should either point to the OP at your work (if it answers to ICMP) or something like 8.8.4.4 (or any reachable IP).

Also remember to push/pull/add routes on both sites for VLAN-tagged LANs etc. (or apply NAT).
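An added example to go with the steps above (this is not code from the thread or from OPNsense): the rule with the IPsec gateway only works if it is the first rule that matches the VLAN's traffic, because OPNsense interface rules are pf `quick` rules and pf stops at the first match. The script parses a constructed, simplified `pfctl -sr`-style listing and walks it the way pf does, so you can see a catch-all "pass" rule above the policy-routing rule silently sending the VLAN out the default route. It also goes a step beyond the post by showing a more specific rule for local subnets placed above the policy rule, which keeps inter-VLAN traffic off the tunnel without shadowing it. Interface names (`vlan0.10`, `ipsec1000`), subnets, the gateway address and the exact rule text are assumptions.

```python
"""First-match evaluation of pf policy-routing (route-to) rules.

Added example, not OPNsense's own code. It models only the subset of
pf syntax shown in the constructed samples below; real `pfctl -sr`
output carries more than this parser reads.
"""
import ipaddress
import re

# Subset of a pf rule line as printed by `pfctl -sr`; everything after the
# destination (flags, keep state, label) is ignored except the label.
RULE_RE = re.compile(
    r"^pass in quick on (?P<iface>\S+) "
    r"(?:route-to \((?P<gw_if>\S+) (?P<gw_ip>\S+)\) )?"
    r"inet from (?P<src>\S+) to (?P<dst>\S+)"
)
LABEL_RE = re.compile(r'label "([^"]*)"')

DEFAULT_ROUTE = "default route"
NO_MATCH = "no matching pass rule"

# Constructed sample (assumed names/addresses): the catch-all rule sits
# ABOVE the rule carrying the IPsec gateway, so the gateway is never used.
SAMPLE_RULES_BROKEN = """\
pass in quick on vlan0.10 inet from 192.168.10.0/24 to any flags S/SA keep state label "allow VLAN10 out"
pass in quick on vlan0.10 route-to (ipsec1000 10.255.0.1) inet from 192.168.10.0/24 to any flags S/SA keep state label "VLAN10 via work"
pass in quick on vlan0.20 inet from 192.168.20.0/24 to any flags S/SA keep state label "allow VLAN20 out"
"""

# Constructed sample: only local subnets bypass the tunnel, everything else
# from VLAN10 is pushed to the IPsec gateway; VLAN20 keeps the default route.
SAMPLE_RULES_FIXED = """\
pass in quick on vlan0.10 inet from 192.168.10.0/24 to 192.168.0.0/16 flags S/SA keep state label "VLAN10 to local nets"
pass in quick on vlan0.10 route-to (ipsec1000 10.255.0.1) inet from 192.168.10.0/24 to any flags S/SA keep state label "VLAN10 via work"
pass in quick on vlan0.20 inet from 192.168.20.0/24 to any flags S/SA keep state label "allow VLAN20 out"
"""


def _net(token):
    """'any' becomes None (matches everything); otherwise an ip_network."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def _covers(net, addr):
    return net is None or addr in net


def _overlaps(a, b):
    return a is None or b is None or a.overlaps(b)


def parse_rules(text):
    """Parse the supported pf rule lines into dicts, in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # anchors, NAT, block rules etc. are not modelled here
        label = LABEL_RE.search(line)
        rules.append({
            "iface": m["iface"],
            "src": _net(m["src"]),
            "dst": _net(m["dst"]),
            "gateway": (m["gw_if"], m["gw_ip"]) if m["gw_if"] else None,
            "label": label.group(1) if label else "",
        })
    return rules


def route_for(rules, iface, src, dst):
    """Return where pf would send a packet: first matching quick rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] != iface:
            continue
        if _covers(r["src"], s) and _covers(r["dst"], d):
            if r["gateway"] is None:
                return DEFAULT_ROUTE
            return "%s (%s)" % r["gateway"]
    return NO_MATCH


def shadowed_policy_rules(rules):
    """Find route-to rules preceded by a catch-all (dst any, no gateway)
    rule on the same interface with an overlapping source: those never fire."""
    findings = []
    for i, policy in enumerate(rules):
        if policy["gateway"] is None:
            continue
        for earlier in rules[:i]:
            if (earlier["iface"] == policy["iface"] and earlier["gateway"] is None
                    and earlier["dst"] is None and _overlaps(earlier["src"], policy["src"])):
                findings.append((earlier["label"], policy["label"]))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_RULES_BROKEN), ("fixed", SAMPLE_RULES_FIXED)):
        rules = parse_rules(text)
        print(name, "VLAN10 -> internet:", route_for(rules, "vlan0.10", "192.168.10.5", "203.0.113.10"))
        print(name, "VLAN10 -> VLAN20:  ", route_for(rules, "vlan0.10", "192.168.10.5", "192.168.20.7"))
        print(name, "shadowed:", shadowed_policy_rules(rules))
```

On a real box the same check is done by reading `pfctl -sr` on the OPNsense shell and confirming that the first rule matching the VLAN's traffic is the one with `route-to`; any rule above it on the same interface without a gateway and with destination "any" defeats the setup.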
Title: Re: Routing over IPsec S2S
Post by: defaultuserfoo on June 18, 2022, 10:48:49 PM
But wireguard already creates routes.  There would be some kind of duplication if I were to create a gateway from the wireguard interface and use it to create rules, or wouldn't there?

I suppose one could block traffic from a specific VLAN to go anywhere else but through the wireguard tunnel, but that would be quite different from forcing all traffic in a given VLAN to go through the wireguard tunnel.