Hi all,
I'm running a pilot OPNsense deployment on bare metal and encountered a problem related to LAN access.
Setup:
- LAN interface with a static IP and an upstream gateway (external router)
- WAN1 and WAN2 in different VLANs with static public IPs and gateways
- Web UI is accessed via the LAN interface
- LAN needs to route traffic through its own upstream router, not through WAN
Issue:
As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.
Even with a firewall rule like:
Source: LAN net
Destination: This firewall
Gateway: default or specific
Advanced: Disable reply-to → enabled
...the connection is lost.
Tried:
- Removing all default gateways — Web UI becomes reachable again
- Adding a static route for the LAN subnet via the upstream LAN gateway
- Testing different firewall rule orders and combinations
- pfctl -d does not restore access
Goal:
I want to maintain stable access to the Web UI via LAN (which routes through its own upstream router) while still having a default gateway active on WAN for general internet access.
Is there a correct or recommended way to achieve this in OPNsense?
Thanks in advance!
Quote from: skb1 on July 25, 2025, 10:11:12 AM
As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.
You access the Web UI from a LAN device or from outside?
Access from the LAN subnet should be possible at all. If that's not working check the network settings on the involved devices.
You need a default gateway. It needs to be for your WAN interface. WAN is the OPNsense upstream interface, not LAN.
You need a gateway for your LAN interface. Its IP address needs to be the SVI address of the corresponding subnet. Do not mark it as an upstream interface. It is not an upstream interface as far as OPNsense is concerned. I also mark it as down and disable its monitoring to avoid any surprises. OPNsense is the kind of product that wants to be everything on your network, and some of its default settings, or the wording of them, are difficult to digest if you want to use it differently.
You need those static routes to your LAN subnets. All of them! Actually, to interface my routing switch with OPNsense, I use a subnet that is in a different IP range than my LAN network. This makes it possible to use just one summary static route with /16 instead of multiple /24s.
Of course, you need to have adequate firewall rules. Start with allow ANY to ANY and, once you make it work, set them up according to your requirements.
Quote from: viragomann on July 25, 2025, 04:34:40 PM
Quote from: skb1 on July 25, 2025, 10:11:12 AM
As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.
You access the Web UI from a LAN device or from outside?
Access from the LAN subnet should be possible at all. If that's not working check the network settings on the involved devices.
Thank you!
Quote from: Strator on July 25, 2025, 07:48:33 PM
You need a default gateway. It needs to be for your WAN interface. WAN is the OPNsense upstream interface, not LAN.
You need a gateway for your LAN interface. Its IP address needs to be the SVI address of the corresponding subnet. Do not mark it as an upstream interface. It is not an upstream interface as far as OPNsense is concerned. I also mark it as down and disable its monitoring to avoid any surprises. OPNsense is the kind of product that wants to be everything on your network, and some of its default settings, or the wording of them, are difficult to digest if you want to use it differently.
You need those static routes to your LAN subnets. All of them! Actually, to interface my routing switch with OPNsense, I use a subnet that is in a different IP range than my LAN network. This makes it possible to use just one summary static route with /16 instead of multiple /24s.
Of course, you need to have adequate firewall rules. Start with allow ANY to ANY and, once you make it work, set them up according to your requirements.
Thank you!! We've done just like that. But I wouldn't say that this is okay, or that this is a comfortable way to work with OPNsense )
Quote from: skb1 on August 08, 2025, 11:12:34 AM
But I wouldn't say that this is okay, or that this is a comfortable way to work with OPNsense
What do you mean? This is exactly how it is supposed to work. That's networking basics, really.
Your single default gateway always points to "the Internet". For any internal networks that might be behind an internal gateway, you need a static route. Every router works that way.
By default, every router, FW, or any device capable of routing has a routing table consisting only of:
A. Directly attached networks
B. Default route
A. Directly attached networks
These are mostly your RFC1918 networks, i.e. the networks you configure as interfaces on your device, e.g. LAN 192.168.1.1/24 (subnet 192.168.1.0/24). This creates a directly attached route pointing to the interface LAN.
B. Default route
This is 0.0.0.0/0, which sends all traffic that didn't match any more specific route to the configured GW.
By default, to route traffic from LAN to WAN and from WAN to LAN, these two routes are all you need. If there is traffic for, for example, destination 10.10.10.10/24, but the device doesn't have any route for it, it will be caught by B. Default route, because there is no more specific route.
As mentioned by the others "these are networking basics".
Regards,
S.
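The following is an added worked example, not code from this thread or from OPNsense. It models the routing-table logic that Strator's reply (a single default route on WAN, plus static routes for the subnets behind the internal LAN router) and S.'s reply (directly attached networks, default route, longest-prefix match) describe. All addresses are constructed for the example: 192.168.1.1/24 is the firewall's LAN, 192.168.1.254 is the internal router's SVI on that subnet, 10.0.0.0/16 is the summary of the subnets behind that router, and 203.0.113.1 / 198.51.100.1 are the WAN1 / WAN2 gateways. It shows that, with only a default route, a reply to a client in 10.0.0.0/16 leaves via WAN1 rather than back through the LAN router, and that a single summary static route corrects this.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry. gateway=None means a directly attached (connected) route."""
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among routes containing dst, the most specific one wins.
    The default route (0.0.0.0/0) therefore only catches what nothing else matched."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (egress interface, next hop) or None when the packet cannot be routed."""
    r = lookup(table, dst)
    if r is None:
        return None
    return (r.interface, r.gateway or "direct")


# A. Directly attached networks: created automatically from the interface addresses.
# (Constructed example addressing, not taken from the original thread.)
CONNECTED = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "LAN", None),     # LAN 192.168.1.1/24
    Route(ipaddress.ip_network("203.0.113.0/24"), "WAN1", None),    # WAN1 public subnet
    Route(ipaddress.ip_network("198.51.100.0/24"), "WAN2", None),   # WAN2 public subnet
]

# B. Default route: the single "to the Internet" route, pointing at the WAN1 gateway.
DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"), "WAN1", "203.0.113.1")

# Static summary route for everything behind the internal LAN router (its SVI on the
# LAN subnet is 192.168.1.254, assumed here). The LAN gateway is NOT an upstream gateway;
# it is only ever used as a next hop for these explicitly routed internal prefixes.
INTERNAL = Route(ipaddress.ip_network("10.0.0.0/16"), "LAN", "192.168.1.254")


def build_table(with_default: bool, with_static: bool) -> List[Route]:
    table = list(CONNECTED)
    if with_default:
        table.append(DEFAULT)
    if with_static:
        table.append(INTERNAL)
    return table


if __name__ == "__main__":
    client_behind_router = "10.0.5.20"     # a Web UI client behind the internal router
    # Only a default route: the reply to the internal client is sent out WAN1 (wrong path).
    print(next_hop(build_table(True, False), client_behind_router))
    # Default route plus the summary static route: the reply goes back via the LAN router.
    print(next_hop(build_table(True, True), client_behind_router))
    # A client on the directly attached LAN subnet never needs a gateway at all.
    print(next_hop(build_table(True, True), "192.168.1.10"))
    # With no default route and no static route, the internal client is unreachable.
    print(next_hop(build_table(False, False), client_behind_router))
```

The check to make on a real box is the same one the code performs: look up the address of the client you are managing from and confirm the selected route's interface is LAN (or the interface facing your internal router), not WAN. If the most specific match is the default route, the firewall is replying out the wrong interface and you are missing a static route for that client's subnet.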