Hi all,
I'm running a pilot OPNsense deployment on bare metal and encountered a problem related to LAN access.
Setup:
- LAN interface with a static IP and an upstream gateway (external router)
- WAN1 and WAN2 in different VLANs with static public IPs and gateways
- Web UI is accessed via the LAN interface
- LAN needs to route traffic through its own upstream router, not through WAN
Issue:
As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.
Even with a firewall rule like:
- Source: LAN net
- Destination: This firewall
- Gateway: default or specific
- Advanced: Disable reply-to → enabled
...the connection is lost.
Tried:
- Removing all default gateways — Web UI becomes reachable again
- Adding a static route for the LAN subnet via the upstream LAN gateway
- Testing different firewall rule orders and combinations
- pfctl -d does not restore access
Goal:
I want to maintain stable access to the Web UI via LAN (which routes through its own upstream router) while still having a default gateway active on WAN for general internet access.
Is there a correct or recommended way to achieve this in OPNsense?
Thanks in advance!
Quote from: skb1 on July 25, 2025, 10:11:12 AM
As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.
You access the Web UI from a LAN device or from outside?
Access from the LAN subnet should be possible in any case. If that's not working, check the network settings on the involved devices.
You need a default gateway. It needs to be for your WAN interface. WAN is the OPNsense upstream interface, not LAN.
You need a gateway for your LAN interface. Its IP address needs to be the SVI address of the corresponding subnet. Do not mark it as an upstream interface. It is not an upstream interface as far as OPNsense is concerned. I also mark it as down and disable its monitoring to avoid any surprises. OPNsense is the kind of product that wants to be everything on your network, and some of its default settings or their wording are difficult to digest if you want to use it differently.
You need those static routes to your LAN subnets. All of them! Actually, to interface my routing switch with OPNsense, I use a subnet that is in a different IP range than my LAN network. This makes it possible to use just one summary static route with /16 instead of multiple /24s.
Of course, you need to have adequate firewall rules. Start with allow ANY to ANY and, once you make it work, set them up according to your requirements.