Hi,
after getting an FTTH connection at home I decided to go for an OPNsense based router and am pretty inexperienced with OPNsense.
I have a routing / GW problem though and can't seem to wrap my head around this nor find any clear answer, so hopefully someone here can point me in the right direction.
I have two sets of credentials from my ISP for two pppoe connections, which are established on the same physical interface and same VLAN.
The reason for this is that one pppoe session is for a 'standard' connection and the second one is for optional extra features (i.e. a static public IPv4 address).
For both connections I get the same GW IP address (100.68.0.1), but only one of the connections is assigned with a route to the GW.
I set up internal VLANs and want to force specific VLANs to send (and receive) traffic to the internet via the one or other pppoe session, but outgoing traffic seems only possible on one of the two at a time.
When one pppoe session is established, for the second one I see the following error in my logs:
/usr/local/etc/rc.configure_interface: The command '/sbin/route add -'inet' '100.68.0.1' -interface 'pppoe1'' returned exit code '1', the output was 'add host 100.68.0.1: gateway pppoe1 fib 0: route already in table'
Well, in this case this is somewhat true; I do have a route to 100.68.0.1 already, yes - but it's on the pppoe0 interface and pppoe1 is left without any routing entries.
After some reading I found multiple mentions of the possibility to circumvent the system routing table by enforcing a specific GW in firewall rules, but whatever traffic I try to get out to the internet over the pppoe session that comes up second doesn't seem to go anywhere whatever I try.
I already tried to experiment with the options 'Default gateway switching', 'Sticky connections', 'Disable force gateway', 'Disable reply-to' and various settings in the firewall rules without any success.
I'm running OPNsense 25.1.12.
Since I can't figure out how to get both connections functional at the same time and/or get policy based routing up and running, I came here looking for help.
What options need to be set/unset in this case, how should the gateways be set up?
Is there any documentation that I may have overlooked or not found?
If needed, what configuration or logs should I provide? (How should I export/extract those and upload here?)
Peter
Hi Peter,
> Well, in this case this is somewhat true; I do have a route to 100.68.0.1 already, yes - but it's on the pppoe0 interface and pppoe1 is left without any routing entries.
Which is the root of the problem: it's a single routing table and cannot have the same destination twice.
These 2-WANs-from-the-same-ISP scenarios are known problems when they connect to the same gateway behind.
Cheers,
Franco
Hi Franco,
that wasn't what I hoped to hear, but somehow anticipated it...
Do you have any suggestions how I could force one pppoe session to always be the active default route?
Whatever traffic arrives on the second is replied to on the same pppoe session, and so I could live with only one (and same) session for outgoing traffic/connections.
I also could move one pppoe session to a different physical interface, but I don't think this will improve the situation or give me more/other options, would it?
Or is moving the second connection to a different VM or machine my only option here?
Peter
Just an idea to try to get it working at least out of your internal (V)LANs. For me this looks very similar to the dual WAN setup I am running.
As I understand it, you should already have 2 WAN interfaces and 2 Gateways for your two uplinks.
In my case I have also created Gateway Groups to have different failover and load balancing scenarios available to choose in Firewall rules.
Not sure if this is still needed, but I have configured the Outbound NAT manually for the internal source network and for both WAN1 + WAN2 interfaces (based on what the Automatic was). So each WAN interface has set the dedicated WAN address (you can use the existing "WAN1 address" alias) for the "Translation / target".
Then in the Firewall Rules of the LAN I have some dedicated rules for some internal systems (as source) with Gateway (group) failover_1 (first Fiber, then Cable) or failover_2 (first Cable, then Fiber). And after that is a global rule which allows LAN net out over Gateway loadbalancing (will use either Fiber or Cable for each connection).
Good luck with testing that out, but based on what I think, this may even work in your setup.
Hi Fabian,
what you suggest works (i.e. I have internet access) as long as I configure both WAN gateways as failover.
But only one gateway has a route at a given time, so the other one is technically unusable.
This defeats what I want to achieve, since I want to do policy based routing and therefore need both gateways functional at the same time.
Failover is pretty much pointless for me, since both WAN interfaces connect to the same ISP via the same physical interface (and cables).
I could settle for forcing the default route / active gateway to be always the same and use one WAN interface just for incoming connections, but right now I can't find a way to make sure one defined gateway stays active and has the default route all the time.
My ISP does a forced disconnection every 24 hours and this causes one of the gateways to become the active one randomly, even with the option 'allow default gw switching' disabled.
If I enable default gw switching I can reconnect the 'wrong' session manually which will make the other active, but I have to do this manually on a daily basis...
But thank you very much for trying to help me and sharing your configuration hints!
Thinking it through again, I guess you should be fine with creating only one Gateway, as it really is only one. But I am not sure if you will be able to select the same Gateway for both your WAN (aka PPPoE) interfaces. But I guess that should work.
Checking some settings on my end, I have discovered that in my dual WAN setup I have set "IPv4 gateway rules" to disabled in the WAN settings. It may be useful in your case as well, or not, you have to try.
With only one Gateway, you still will be able to create manual Outbound NAT rules to work for your case. As you can set up NAT rules with the Interface, Source and NAT Address you should be able to route outbound traffic properly, e.g. with something like this:
| Interface | Source        | NAT Address       |
| PPPoE1    | 10.10.10.0/24 | PPPoE1 address    |
| PPPoE2    | 10.10.20.0/24 | PPPoE2 address    |
| PPPoE2    | 127.0.0.0/8   | Interface address |
So now traffic out of LAN1 (10.10.10.0/24) will use the IP address of your standard PPPoE connection, and out of LAN2 (10.10.20.0/24) will use the IP address of your static IP PPPoE connection. The 127.0.0.0/8 rule is so that the OPNsense itself is able to create outbound connections.
In this case I think it should work and you do not need to assign a Gateway in the firewall rules.
So you are using the manual NAT Outbound rules to decide which public / WAN IP address an internal network will use.
I guess this should also work with Port Forward, in case you need this.
Hello Fabian,
thanks a lot, this sounds just like what I am trying to achieve.
Where exactly is that "IPv4 gateway rules" option you refer to, I can't seem to find it anywhere.
I have turned on "Disable force gateway" in the Firewall -> Advanced section, but I think that is not what you meant?
Looking for that option I found "Failback states" in the gateway configuration which is supposed to delete the states on a gateway if another one with higher priority becomes available.
This wasn't enabled for my second gateway (which I already set to lower priority without any noticeable effect) and after testing it, the gateway is marked as Offline with a red plug symbol.
The second ppp session is active however and I can establish connections via my static IP.
So maybe that was what I missed to get the priorities working, but I'd still like to explore your suggestion, since outgoing connections on the second ppp session still seem impossible...
Quote from: pgzh on August 26, 2025, 11:57:59 PM
> Where exactly is that "IPv4 gateway rules" option you refer to, I can't seem to find it anywhere.
It may be that this option is not available when using PPPoE. In my case it is an Ethernet WAN with static IP address and this setting is in the "Static IPv4 configuration" section.
But this was only one idea; the idea that is more likely to work is the second one, with only one Gateway for both PPPoE interfaces (uplinks) and doing the outbound routing through the manual NAT rules.
Hope this helps and may work.
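A small model, added here and not code from any poster or from OPNsense, of the pf decision order behind Fabian's manual outbound NAT suggestion and Peter's observation that only one PPPoE interface holds the route to 100.68.0.1: the routing table picks the egress interface first, and only outbound NAT rules bound to that interface are then matched. The routing table, the destination addresses and the rule set are constructed from the thread; interface names pppoe0/pppoe1 are assumed to stand for PPPoE1/PPPoE2, and vlan10/vlan20 for the two internal VLANs.

```python
import ipaddress

# Constructed routing table in the state Peter describes: the single host route
# to the shared ISP gateway landed on pppoe0, and pppoe1 got no route at all.
ROUTES = {
    "0.0.0.0/0": "100.68.0.1",   # default route via the shared gateway address
    "100.68.0.1/32": "pppoe0",   # the one host route that won the 'route add'
    "10.10.10.0/24": "vlan10",   # assumed internal VLAN for LAN1
    "10.10.20.0/24": "vlan20",   # assumed internal VLAN for LAN2
}

# Manual outbound NAT rules from Fabian's table: (interface, source, translation).
NAT_RULES = [
    ("pppoe0", "10.10.10.0/24", "pppoe0 address"),
    ("pppoe1", "10.10.20.0/24", "pppoe1 address"),
    ("pppoe1", "127.0.0.0/8", "interface address"),
]


def with_gateway_on(iface):
    """Routing table after the ISP's daily reconnect hands the host route to iface."""
    return {**ROUTES, "100.68.0.1/32": iface}


def egress_interface(dst, routes=ROUTES, depth=0):
    """Longest-prefix match; a next hop that is a gateway address is resolved once."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    nexthop = routes[str(max(matches, key=lambda n: n.prefixlen))]
    if nexthop[0].isdigit():  # gateway address, not an interface: look it up once
        return egress_interface(nexthop, routes, depth + 1) if depth == 0 else None
    return nexthop


def translate(src, dst, rules=NAT_RULES, routes=ROUTES):
    """pf order: route lookup chooses the egress interface, then the first NAT rule
    bound to that interface whose source network matches rewrites the packet."""
    out_if = egress_interface(dst, routes)
    if out_if is None:
        return None, "no route"
    for iface, net, translation in rules:
        if iface == out_if and ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return out_if, translation
    return out_if, "no NAT (source unchanged)"
```

With pppoe0 holding the gateway route, LAN2 traffic still leaves via pppoe0 and never reaches the PPPoE2 rule; after the daily reconnect flips the route to pppoe1, the same happens to LAN1 in the other direction.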