Hi,
I am a bit experienced with IP, but a relative noob with opnsense.
I do have a Multi-WAN Setup working, and the automatic switching between my (fast but flaky) cable and (notsofast, reliable) DSL seems to work fine.
For $Reasons I also have some devices on the Network handled by the DSL router besides the opnsense.
I did manage to access the DSL router's web interface (IP 192.168.177.1, also the DSL-GW in Tier2 of the CABLE-DSL gateway group) from computers on the LAN.
But when I try to reach any device within 192.168.177/24 other than the .1, the traffic goes out to the Cable-GW.
I see that as incoming traffic on the WAN (=Cable) interface on the opnsense: blocked by the default rules.
I do have an FW rule on the LAN interface for the destination range 192.168.177/24 with Gateway DSL-GW, direction in (also tried out, same effect). The rule is atop the rule permitting LAN-originated traffic to 0/0.
Also, as far as I understand the BSD routing table (as presented in the opnsense Web interface), the routing engine of the IP stack should direct dest-192.168.177/24 traffic through the respective ethernet interface.
I want the FW to default all traffic through the cable router and only fall back to DSL in exceptions (cable down), but I also want management traffic to my legacy network from the office network...
What am I missing?
merci
hase
Can you add some basic network schema (for example a NwDiag from Kroki (https://kroki.io/#try)) and firewall rules list?
If I got it right:
- You have two WAN connections, both in a "CABLE-DSL" gateway group:
- Cable, using the "CABLE-DSL" gateway, is at tier 1
- DSL, using the "DSL-GW" gateway, is at tier 2, OPNsense uses IP 192.168.177.1 to contact it
- Failover works: Internet access from your LAN uses Cable if available and continues to work if one of your 2 WANs is down (automatic switches)
- You managed (how?) to access 192.168.177.1 address (DSL-GW's)
- You have other devices on the 192.168.177.0/24 network that you want to access, but when you try to contact them using their 192.168.177.0/24 IP, OPNsense routes the traffic to CABLE-DSL, which discards/rejects it
I guess each router has its own network address and your LAN is also on a distinct network address.
Usually, to force a WAN for a given destination (host or network), you have to create a firewall rule that sets the gateway to the one you want (in your case "DSL-GW" in lieu of "CABLE-DSL").
Hi,
I did compose a reply post here - quite long - and then it hit me.
The problem is that my LAN->DSL net traffic is going through NAT.
My network is very basic (for now):
- DSL router 192.168.177.1
-- has its own wlan with existing clients
- cable router 192.168.176.1
- opnsense appliance
-- interface WAN: DHCP client to the cable router (opnsense-IP fixed in DHCP, set as exposed host)
-- interface DSL: DHCP client to the DSL router (opnsense-IP fixed in DHCP, set as exposed host)
-- interface LAN: internal, firewalled network.
--- DHCPv4 server in opnsense
Because the opnsense applies the NAT, the SYN-packet from my LAN device is modified (source address is set to an IP of the opnsense).
This modified packet is then fed to the firewall, therefore the auto-generated rule marked "let out anything from firewall host itself (force gw)" is applied - and this forces the gateway to the cable router, as that is currently active.
So the new question is: how do I bypass NAT for some of my traffic while applying it to Internet-bound traffic?
I will fiddle with that for a moment.
thanks for talking :-)
greetings from a hot Berlin/Germany
hase
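As an added example (not from this thread or from OPNsense itself), here is what the NAT exception asked about above looks like in FreeBSD pf syntax, which is what OPNsense generates under the hood; in the GUI the equivalent is a "Do not NAT" entry under Firewall: NAT: Outbound (Hybrid or Manual mode) placed above the automatic rules, plus the LAN rule with gateway DSL-GW. The interface names, the LAN network 192.168.178.0/24 and the rule ordering are assumptions.

```pf
# Added example, not from the thread: pf rules illustrating "NAT Internet-bound
# traffic, but not traffic to the legacy 192.168.177.0/24 network".
# Interface names and the LAN network below are assumptions.
lan_if     = "igb0"               # OPNsense LAN interface (assumed name)
dsl_if     = "igb2"               # OPNsense DSL interface (assumed name)
lan_net    = "192.168.178.0/24"   # assumed OPNsense LAN network
legacy_net = "192.168.177.0/24"   # network behind the DSL router (from the thread)
dsl_gw     = "192.168.177.1"      # DSL router / DSL-GW (from the thread)

# Translation rules in pf are first-match: the "no nat" exception must be
# listed before the general outbound NAT on the DSL interface.
no nat on $dsl_if inet from $lan_net to $legacy_net
nat on $dsl_if inet from $lan_net to any -> ($dsl_if)

# Policy routing: LAN traffic for the legacy network is handed to the DSL
# gateway no matter which gateway the CABLE-DSL group currently prefers.
# "quick" stops evaluation so the catch-all LAN rule below cannot override it.
pass in quick on $lan_if inet from $lan_net to $legacy_net \
    route-to ($dsl_if $dsl_gw) keep state

# Everything else from LAN follows the normal gateway-group handling.
pass in on $lan_if inet from $lan_net to any keep state
```

Once NAT is skipped, the DSL router must have a static route for the OPNsense LAN network pointing at the OPNsense address on the DSL side, otherwise replies from the legacy hosts have no way back; the "exposed host" setting on its own does not provide that route.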