OPNsense Forum

English Forums => General Discussion => Topic started by: freegoer on February 15, 2023, 09:45:14 PM

Title: Default gateway per vlan possible?
Post by: freegoer on February 15, 2023, 09:45:14 PM
I am newer to OPNsense so please bear with me if this is a very basic question/scenario. I have a single OPNsense device, two ISPs (Comcast and Verizon Cellular). I have multiple vlans (guest, IoT, Work, Personal, etc). I would like to have all IoT traffic use my Verizon WAN as a default Gateway and other vlans use Comcast WAN as their default Gateway. Is this possible?

I read about support for multi-wan, but it seems to be for fail-over (grouping gateways) rather than having two active default gateways? Apologies if I am mixing up some terminology here and appreciate any advice and assistance.
Title: Re: Default gateway per vlan possible?
Post by: Patrick M. Hausen on February 15, 2023, 09:51:15 PM
Perfectly possible. You will have an "allow all" or "allow some services" out to the Internet firewall rule for each VLAN. One of the things you can specify for each of these is the gateway to be used.

If you leave that unspecified, the single default gateway of the OPNsense itself is used. But as I said - define gateway per rule. No problem at all.

This is frequently referred to as "policy routing".
Title: Re: Default gateway per vlan possible?
Post by: freegoer on February 15, 2023, 10:12:31 PM
Ok that makes me feel better that it is possible. I read about PBR, but I think it is something I need to dig into more and experiment with. Thank you for confirming this.

On the interface for the vlan, I see an option to select a default gateway but the only option that appears is auto-detect. I guess I am missing what the gap is to allow me to select a specific gateway? I must still be missing something there...?

Title: Re: Default gateway per vlan possible?
Post by: freegoer on February 15, 2023, 10:29:40 PM
Oh I see now, the default gateway is specified on the firewall rule not the interface, just noting here in case it helps someone else.
Title: Re: Default gateway per vlan possible?
Post by: Patrick M. Hausen on February 15, 2023, 10:32:57 PM
The gateway in the interface settings is for the OPNsense system itself and outside of rather special situations it's like Highlander - there can be only one.

Settings for clients that pass traffic through OPNsense go into rules.
Title: Re: Default gateway per vlan possible?
Post by: freegoer on February 15, 2023, 10:38:18 PM
Quote from: pmhausen on February 15, 2023, 10:32:57 PM
The gateway in the interface settings is for the OPNsense system itself and outside of rather special situations it's like Highlander - there can be only one.

Settings for clients that pass traffic through OPNsense go into rules.

Roger, that makes sense. I got the rule created and the client did show the correct public IP address of my Verizon ISP. Only issue I have now is that the OPNsense Unbound DNS is not responding after I changed the default gateway? If I manually change the DNS setting on the client to a public DNS provider, it works great. So I need to figure that out. But this is great and working as I had hoped. Thank you so much for your help and providing me guidance!
Title: Re: Default gateway per vlan possible?
Post by: freegoer on February 16, 2023, 05:31:22 PM
Documenting for completeness in the event this helps someone else.

After changing the default gateway for my existing allow_all firewall rule on my guest vlan, DNS to unbound was not working, getting no response from the DNS server. In troubleshooting I discovered I needed to add a specific rule to allow DNS (TCP/UDP port 53) to the firewall itself. DNS resolution started working and traffic routed through the Verizon default gateway as expected.

@pmhausen Thank you again for time and help!
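The rule ordering freegoer arrived at, written out as an added illustrative pf ruleset (not the thread's own configuration and not what OPNsense generates). Interface name vlan20, WAN interface igb2 and gateway address 198.51.100.1 are placeholders.

```pf
# Illustrative pf rules, as OPNsense would evaluate them top-down with
# first-match ("quick") semantics. Placeholders: vlan20 = guest VLAN,
# igb2 / 198.51.100.1 = Verizon WAN interface and gateway.

# 1. Traffic from the VLAN to the firewall itself (DNS to Unbound) must be
#    matched FIRST and must not carry route-to. In the GUI this is a rule
#    with destination "This Firewall", port 53, Gateway left at default.
pass in quick on vlan20 proto { tcp udp } from vlan20:network to (self) port 53 keep state

# 2. Everything else from the VLAN is policy-routed out the Verizon WAN.
#    In the GUI this is the allow_all rule with Gateway set to Verizon.
pass in quick on vlan20 route-to (igb2 198.51.100.1) from vlan20:network to any keep state

# Failure mode described in the thread: with only rule 2 present, the
# client's DNS queries addressed to the firewall also match route-to and
# are pushed toward the Verizon gateway instead of being delivered to
# Unbound, so the resolver never answers while a public DNS server works.
```

The same pattern applies to any other service hosted on the firewall that policy-routed clients must reach, such as NTP or the web GUI: each needs a rule above the gateway-bound rule.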