Hey,
I am fairly new to networking and also to OPNsense, and I'm currently tasked with creating a Stack and a DMZ. The goal is that the DMZ can only send specific traffic on desired ports (like 53 for DNS, LDAP, etc.), and there will also be a reverse proxy for controlled internet access.
The design of the DMZ and the Stack is not my current concern.
But first, the network setup:
City A is my internal network (on-site, where I work) with the subnet 10.140.0.0/22.
This connects through a WireGuard tunnel using the 10.53.0.0/24 subnet to a second network in City B, which uses the subnet 10.5.0.0/23.
So basically: City A → City B
traceroute to 10.5.0.10 (10.5.0.10), 64 hops max
1 10.140.2.1 0,702ms 0,570ms 0,587ms
2 10.53.0.1 23,777ms 29,882ms 24,067ms
3 10.5.0.10 23,750ms 23,649ms 23,583ms
City B to City A
traceroute 10.140.2.166
traceroute to 10.140.2.166 (10.140.2.166), 30 hops max, 60 byte packets
1 10.5.0.1 (10.5.0.1) 0.208 ms 0.193 ms 0.187 ms
2 10.53.0.2 (10.53.0.2) 25.226 ms 25.218 ms 25.206 ms
3 10.140.2.166 (10.140.2.166) 25.195 ms 25.182 ms 25.171 ms
The subnet 10.5.0.0/23 in City B runs on a Proxmox server.
The address 10.5.0.1 is assigned to my OPNsense firewall (FW-A), which controls traffic within the Proxmox cluster. This firewall uses a virtual interface bridged to Proxmox's physical interface (eno1). That interface handles both the internal network (10.5.0.0) and WAN connectivity.
On FW-A, I've created a new interface called MStack, with the IP address 10.100.4.254.
I then added a gateway for that interface: 10.100.4.1.
On the other firewall (FW-B), there's a LAN interface with IP 10.100.4.1, and the gateway to reach the 10.5.0.0/23 subnet is set to 10.100.4.254.
FW-B also uses the vmbr0 bridge but is VLAN-tagged with 104 — the same VLAN tag as the MStack interface.
The Problem:
I was told that in this kind of setup, a static route is not needed, because both firewalls are on the same Proxmox cluster. However, I'm running into issues:
- If I add a static route on FW-B, I can't reach it at all — no ping, no traceroute, no SSH.
- If I add a static route on FW-A, the connection also breaks. The only way to restore it is:
  - Remove the static route
  - Add the gateway directly to the MStack interface
- At that point, I can reach the network — but only via UDP and ICMP.
From what I understand, this is because of asymmetric routing. If I remove the gateway from the interface again, the connection still works. I've tried adjusting firewall rules but nothing helps — the only workaround that seems to work is creating a LAN rule on FW-B to disable TCP flag checks.
I'm not sure if this is a bug in the newer version of OPNsense, or if I'm simply misunderstanding routing concepts — especially around how interfaces and gateways interact within a virtualized environment like Proxmox.
OPNsense version FW-A:
OPNsense 25.1.12-amd64
FreeBSD 14.2-RELEASE-p4
OPNsense version FW-B:
OPNsense 25.7-amd64
FreeBSD 14.3-RELEASE-p1
Any advice on how to properly route this traffic and avoid asymmetric routing issues would be really appreciated. Also, is manually disabling TCP flag checks a bad idea long-term?
Thanks in advance!
Boris
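An added example, not part of the post above: before loosening TCP flag checks, it is worth confirming on each firewall that only one half of a TCP handshake actually passes through it, which is what asymmetric routing looks like to a stateful filter. The script parses tcpdump-style lines (a constructed sample below; the addresses and ports are placeholders, not the poster's real hosts) and flags flows where a SYN-ACK was seen without the preceding SYN.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -ni <iface> tcp` output.
# Flow 1 is a normal handshake seen in both directions; flow 2 shows only
# the server's SYN-ACK, i.e. the client's SYN took a path that bypassed
# this firewall (asymmetric routing).
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.5.0.10.51234 > 10.100.4.20.22: Flags [S], seq 100, win 65535, length 0
12:00:00.000300 IP 10.100.4.20.22 > 10.5.0.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:00.000500 IP 10.5.0.10.51234 > 10.100.4.20.22: Flags [.], ack 201, win 65535, length 0
12:00:01.000100 IP 10.100.4.20.443 > 10.5.0.10.51235: Flags [S.], seq 300, ack 1, win 65535, length 0
12:00:01.000400 IP 10.100.4.20.443 > 10.5.0.10.51235: Flags [S.], seq 300, ack 1, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def flow_key(src, sport, dst, dport):
    """Order the two endpoints so both directions map to the same flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def classify_flows(capture):
    """Map each flow to 'symmetric', 'one-way' or 'reply-only'.

    'reply-only' (SYN-ACK without SYN) is the case that breaks TCP on a
    stateful filter: pf only creates a TCP state from the SYN, so the
    SYN-ACK arrives stateless and is dropped, while UDP and ICMP states are
    created from whichever packet is seen first and keep working.
    """
    seen = defaultdict(lambda: {"syn": False, "synack": False, "dirs": set()})
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        rec = seen[flow_key(src, sport, dst, dport)]
        rec["dirs"].add((src, dst))
        rec["syn"] |= flags == "S"
        rec["synack"] |= flags == "S."
    result = {}
    for key, rec in seen.items():
        if rec["synack"] and not rec["syn"]:
            result[key] = "reply-only"
        elif len(rec["dirs"]) == 1:
            result[key] = "one-way"
        else:
            result[key] = "symmetric"
    return result
```

Run it against a real capture from FW-A's MStack interface and FW-B's LAN interface; if one side reports the same flows as reply-only, the return path is bypassing it and the fix belongs in the routing, not in the TCP flag checks.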
I have not used WireGuard just yet, so let's just say I'll be of perhaps no help.
For the past 30 years of me working on/with firewalls and IPsec, the firewall device either just shoves the remote side nets into a matching tunnel, or the firewall device routes the remote side nets to a tunnel object (route statement). After that (so after IPsec on both ends) the firewall then has to decide if the net is local (directly attached, so ARP) or does it need a route for the next hop. That's usually all a tunnel setup needs to have L3 working in terms of just moving packets.
But WireGuard is not IPsec, so I'll leave the mystery to you.