I have been running OPNSense for many years but I continue to struggle to get MultiWan (Failover) working without losing the ability to ping the OPNSense router, and access the web GUIs of the modems.
I run a single LAN (10.0.0.0/24) with OPNSense box (Router, Gateway, Firewall) at 10.0.0.1. The box has multiple Eth ports, with ports used as follows:
1. WAN connected to a Starlink Modem (Gen 1 Dishy with Starlink wifi/Router removed) set as Tier1 as Primary WAN
2. WAN4g connected to a DLINK DWM-312 4G/LTE modem (set as tier 2 for backup)
3. Remaining ports are LAN1, LAN2 etc all bridged to form LAN
The Box is quite powerful, normally using 1% CPU (Intel Core i5-8250U).
Without a Gateway Group set up, I can ping 10.0.0.1 OK, and I can access Starlink modem on 198.164.100.1 from anywhere in LAN.
I then insert a gateway Group (WombatHollowGateway) and I still have access OK.
But I then insert the WombatHollowGateway into the "Default allow LAN to any rule" (it was set to default) and then I can no longer ping 10.0.0.1 (but I can still access OPNsense Web page on the same IP address) and I cannot access (HTTP or Ping) Starlink Modem at 198.164.100.1 from anywhere in LAN BUT I can ping 10.0.0.1 and 198.164.100.1 (Starlink Gui) from OPNSense Interface diagnostics menu. I can also HTTP to 198.164.100.2 which takes me back into OPNSense login!
Does anyone have any idea why adding the Group Gateway to the Rules stops this access to OPNSense, and to the modem HTTP GUI? And what is the impact of leaving the Gateway set to default in Rules?
I have created a Virtual IP for Starlink Net, and a NAT outbound rule to suit.
I have attached a screen shot of the OPNSense dashboard and a cut down copy of the OPNSense config file (sections containing nothing and a few irrelevant (hopefully) sections removed).
Ta Ian
Two problems here:
PING:
You said:
"But I then insert the WombatHollowGateway into the "Default allow LAN to any rule" (it was set to default) and then I can no longer ping 10.0.0.1"
which is exactly the correct behaviour! Why?
You now route everything to the MultiWANGroup incl. your ping! It never hits the box. Thus you need to set up a DNS rule before the default rule, otherwise it wouldn't work at all.
If you want ping, then you just need a PING rule above the default rule. Please see attached img.
The Starlink Modem is somewhat special!
It hands out via DHCP an IP in the range of 100.64.0.0/10.
The Modem/Router Statistics however are on the dish with IP 192.168.100.1, which is outside the DHCP provided subnet, thus you need to add a virtual IP on your OPNsense box with 192.168.100.2/24 on your WAN interface and set up an outbound NAT rule with target 192.168.100.1/32. Please see attached img.
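
The rule-ordering point in the reply above, as an added illustration that is not part of either post and is not OPNsense code: a simplified first-match model of the LAN ruleset, showing where ping and DNS to 10.0.0.1 end up before and after the extra rules are placed above the policy-routed default rule. The rule names other than "Default allow LAN to any", the helper functions and the sample packets are assumptions constructed for this example.

```python
from ipaddress import ip_address, ip_network

FIREWALL = ip_network("10.0.0.1/32")   # firewall's LAN address, from the thread
ANY = ip_network("0.0.0.0/0")
GROUP = "WombatHollowGateway"          # gateway group named in the question

def rule(name, proto, dst, port=None, gateway=None):
    # gateway=None models the "default" gateway setting on a rule
    return {"name": name, "proto": proto, "dst": dst, "port": port, "gateway": gateway}

def evaluate(rules, proto, dst, port=None):
    """Return (rule name, handling) for the first rule that matches the packet."""
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if ip_address(dst) not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        # A rule with a gateway set forces the packet out via that gateway,
        # even when the destination is the firewall's own address.
        if r["gateway"]:
            return r["name"], "forced out via " + r["gateway"]
        return r["name"], "normal routing table (local delivery possible)"
    return None, "blocked by default deny"

DEFAULT_WITH_GROUP = rule("Default allow LAN to any", "any", ANY, gateway=GROUP)

# Ruleset from the question: only the default rule, now with the group set.
BEFORE = [DEFAULT_WITH_GROUP]

# Ruleset after the reply's advice: DNS and ping rules to the firewall with the
# gateway left at default, placed above the policy-routed default rule.
AFTER = [
    rule("Allow DNS to firewall", "udp", FIREWALL, port=53),
    rule("Allow ping to firewall", "icmp", FIREWALL),
    DEFAULT_WITH_GROUP,
]

# Constructed sample packets: (protocol, destination, destination port)
PACKETS = [("icmp", "10.0.0.1", None), ("udp", "10.0.0.1", 53), ("tcp", "1.1.1.1", 443)]

def compare():
    return [(p, evaluate(BEFORE, *p)[1], evaluate(AFTER, *p)[1]) for p in PACKETS]

if __name__ == "__main__":
    for packet, before, after in compare():
        print(packet, "| before:", before, "| after:", after)
```

Internet-bound traffic still matches the default rule and follows the gateway group in both rulesets; only traffic addressed to the firewall itself changes handling.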