Hi everyone,
I'm currently working on configuring multi-WAN on our OPNsense firewall. Despite following various tutorials, I'm encountering issues with the setup. Here's what I've done so far:
1. Created two gateways for the two upstream links from both ISPs. Both gateways are marked as "up."
2. Configured a gateway group with the option "member down" so that if the first gateway goes down, traffic should switch to the second one.
3. Added the gateway group to the LAN any any rule in the firewall settings.
4. Implemented a DNS rule at the top of the LAN firewall rules to forward DNS traffic to the firewall.
5. Specified both gateways in the system settings.
However, when I disabled the WAN1 interface to test the setup, nothing seemed to work. My question is: Are my configurations correct, or did I miss something? Is disabling WAN1 the wrong way to test this setup?
Your guidance on troubleshooting or any suggestions for improvement would be greatly appreciated.
Quote from: Cipher on March 15, 2024, 11:47:04 PM
My question is: Are my configurations correct, or did I miss something?
To answer this question we need to know your setup ;) Please provide some screenshots.
Simply disabling WAN1 should work.
Thank you for your response.
I followed the steps outlined in https://www.thomas-krenn.com/de/wiki/OPNsense_Multi_WAN. However, the guide did not cover gateway switching, which I attempted by enabling and disabling it, but it did not resolve the issue.
In the gateway log, when I removed the cable, I encountered the following error repeatedly for about 10 minutes, but the switch did not occur:
2024-03-16T11:21:20 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:19 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:18 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:17 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:16 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:15 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:14 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:13 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:12 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:11 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:10 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:09 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:08 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:07 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:06 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:05 Warning dpinger Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:04 Warning dpinger Fiber 8.8.8.8: sendto error: 64
Attached is a screenshot showing that my outbound rules are correctly configured.
Thank you for the update.
I configured the WAN2 gateway as the default gateway, and the internet is functioning properly. Ping and browsing are successful. Similarly, when setting WAN1 gateway as the default gateway, it also works fine.
Please find attached a screenshot showing the LAN rules configuration.
From what I can see there is no gateway given for the default allow LAN to any rule.
Screenshot of gateway config is missing...
Quote from: tiermutter on March 16, 2024, 12:01:38 PM
From what I can see there is no gateway given for the default allow LAN to any rule.
Screenshot of gateway config is missing...
Sorry, I see I've uploaded the wrong screenshot. The right screen has the gateway set to group "WANGROUP" instead of the default.
Ok, then gateway screenshot please. Gateway switching should be enabled.
... and a screenshot of firewall settings multi WAN section...
Thank you for your support so far.
Please see the screenshot below.
Quote from: tiermutter on March 16, 2024, 12:58:57 PM
... and a screenshot of firewall settings multi WAN section...
This one is missing, but looks good so far.
Quote from: tiermutter on March 16, 2024, 11:58:27 PM
Quote from: tiermutter on March 16, 2024, 12:58:57 PM
... and a screenshot of firewall settings multi WAN section...
This one is missing, but looks good so far.
Are you referring to the LAN rule?
If yes, this one has the failover gateway group I created as its gateway.
Do you mean something else ?
I mean firewall/settings (adv. settings?). There is a section about multi WAN.
Quote from: tiermutter on March 17, 2024, 02:34:09 PM
I mean firewall/settings (adv. settings?). There is a section about multi WAN.
I never knew it had been there all the time;
I've been working with OPNsense for the last 10 years.
see attached.
Looks everything fine so far... Now let's try setting up multi WAN without policy based routing...
Activate the force gateway option and set the WAN2 gateway to upstream. This should cause the routing table to be used. If WAN1 is down, OPNsense will set WAN2 as default gateway, not using any gateway group. GW priority is already set correctly for this.
Does this work?
Quote from: tiermutter on March 17, 2024, 05:49:05 PM
Looks everything fine so far... Now let's try setting up multi WAN without policy based routing...
Activate the force gateway option and set the WAN2 gateway to upstream. This should cause the routing table to be used. If WAN1 is down, OPNsense will set WAN2 as default gateway, not using any gateway group. GW priority is already set correctly for this.
Does this work?
I lost you in this part.
The WAN gateway is the upstream right now.
Do you mean configure the WAN2 gateway as upstream gateway too? Or remove the WAN gateway as upstream gateway and replace it with WAN2?
Configure both as upstream. This causes OPNsense to use both for upstream according to priority. It will always use the online GW with the higher priority; there is no need for GW groups, but you can leave GW groups and firewall rules as they are.
Quote from: tiermutter on March 17, 2024, 07:19:36 PM
Configure both as upstream. This causes OPNsense to use both for upstream according to priority. It will always use the online GW with the higher priority; there is no need for GW groups, but you can leave GW groups and firewall rules as they are.
So on the LAN firewall rule, keep using the default gateway or the gateway group I used?
So WAN gateway and WAN2 gateway as upstream GW, but GW 1 with a low number so it will be high priority and used for the upstream.
If I do so, will the WireGuard tunnel keep working?
You can leave gw group for that rule, the 'disable force gateway' option will override that, so don't care about it.
Yes, a lower number for WAN1 is higher priority.
First time I hear about a WG tunnel, but it should not be affected.
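The quoted gateway log and the priority-based upstream advice above, worked through as an added example (Python written for this thread, not OPNsense or dpinger code): it parses gateway-log lines in the format shown in the post, marks a gateway down after a run of consecutive "sendto error" lines, and then picks the default gateway as the upstream gateway with the lowest priority number that is still up. The gateway names, priorities, thresholds and the sample log are constructed assumptions; the only fact taken from outside the thread is that errno 64 on FreeBSD is EHOSTDOWN.

```python
"""Replay OPNsense gateway-log lines through a dpinger-style state machine and
pick the default gateway the way priority-ordered upstream gateways would.

Added example; not OPNsense or dpinger code. Log layout is modelled on the lines
quoted in the thread; gateway names, priorities, thresholds and the sample log
are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed line layout, as in the quoted post:
# "<timestamp> <level> dpinger <gateway> <monitor-ip>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+dpinger\s+(?P<gw>\S+)\s+"
    r"(?P<monitor>\S+):\s+(?P<msg>.*)$"
)

# FreeBSD errno values that show up as "sendto error: N". 64 is EHOSTDOWN: the
# probe never left the box, so loss stays at 100% for as long as it repeats.
ERRNO_NAMES = {51: "ENETUNREACH", 64: "EHOSTDOWN", 65: "EHOSTUNREACH"}


@dataclass
class Gateway:
    name: str
    priority: int           # lower number wins, as in System > Gateways
    upstream: bool = True   # the "Upstream Gateway" checkbox


@dataclass
class MonitorState:
    up: bool = True
    consecutive_errors: int = 0
    last_errno: Optional[int] = None


def parse_line(line: str) -> Optional[dict]:
    """Fields of one dpinger gateway-log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    err = re.search(r"sendto error:\s*(\d+)", rec["msg"])
    rec["errno"] = int(err.group(1)) if err else None
    return rec


class GatewayMonitor:
    """Down after `down_after` consecutive sendto errors; up again on the next
    non-error dpinger line for that gateway (assumed model, not dpinger's)."""

    def __init__(self, gateways, down_after: int = 5):
        self.gateways = {g.name: g for g in gateways}
        self.state = {g.name: MonitorState() for g in gateways}
        self.down_after = down_after

    def feed(self, line: str) -> Optional[dict]:
        rec = parse_line(line)
        if rec is None or rec["gw"] not in self.state:
            return None                      # not dpinger, or an unknown gateway
        st = self.state[rec["gw"]]
        if rec["errno"] is not None:
            st.consecutive_errors += 1
            st.last_errno = rec["errno"]
            if st.consecutive_errors >= self.down_after:
                st.up = False
        else:
            st.consecutive_errors = 0        # probes are flowing again
            st.up = True
        return rec

    def default_gateway(self) -> Optional[str]:
        """Lowest priority number among upstream gateways still up, else None."""
        live = [g for g in self.gateways.values()
                if g.upstream and self.state[g.name].up]
        return min(live, key=lambda g: g.priority).name if live else None

    def explain(self, name: str) -> str:
        st = self.state[name]
        errname = ERRNO_NAMES.get(st.last_errno, "?") if st.last_errno else "-"
        return (f"{name}: {'up' if st.up else 'DOWN'}, {st.consecutive_errors} "
                f"consecutive sendto errors, last errno {st.last_errno} ({errname})")


def replay(log_text: str, gateways, down_after: int = 5) -> GatewayMonitor:
    mon = GatewayMonitor(gateways, down_after)
    for line in log_text.splitlines():
        mon.feed(line)
    return mon


# Constructed sample (not real log data): Fiber keeps failing with errno 64 like the
# quoted log; WAN2_GW has one transient error followed by an alarm-clear line.
SAMPLE_LOG = "\n".join(
    [f"2024-03-16T11:21:{s:02d} Warning dpinger Fiber 8.8.8.8: sendto error: 64"
     for s in range(4, 12)]
    + ["2024-03-16T11:21:05 Warning dpinger WAN2_GW 1.1.1.1: sendto error: 65",
       "2024-03-16T11:21:06 Notice dpinger WAN2_GW 1.1.1.1: Clear latency 12000us stddev 900us loss 0%",
       "2024-03-16T11:21:07 Notice some_other_daemon: unrelated line"])

SAMPLE_GATEWAYS = [Gateway("Fiber", priority=254), Gateway("WAN2_GW", priority=255)]

if __name__ == "__main__":
    mon = replay(SAMPLE_LOG, SAMPLE_GATEWAYS)
    for name in mon.gateways:
        print(mon.explain(name))
    print("default gateway should now be:", mon.default_gateway())
```

Running it reports Fiber as DOWN with errno 64 (EHOSTDOWN) and WAN2_GW as the gateway that should become default. The real decision in OPNsense is made from the loss and latency thresholds configured on each gateway rather than from a raw count of sendto errors, so treat the threshold here only as a stand-in for that logic; the useful check for the thread is the last step, whether any gateway marked upstream is actually up and has the lower priority number.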
Quote from: tiermutter on March 17, 2024, 08:05:18 PM
You can leave gw group for that rule, the 'disable force gateway' option will override that, so don't care about it.
Yes, a lower number for WAN1 is higher priority.
First time I hear about a WG tunnel, but it should not be affected.
Thank you for your answer.
I have followed those steps; unfortunately it didn't force the switching when the WAN1 cable was removed.
I remember struggling with this a couple of years ago, but I gave up using it.