OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: jlficken on October 24, 2025, 05:21:24 AM

Title: Tagging traffic in OPNsense based on policy actions?
Post by: jlficken on October 24, 2025, 05:21:24 AM
Is this possible? It's something I used a lot in Untangle so that I could send, say, BitTorrent traffic out over a VPN without having to know the client's IP beforehand.

I'd tag the traffic and then Tunnel VPN would look for that tag and send the traffic out over an established tunnel.
Title: Re: Tagging traffic in OPNsense based on policy actions?
Post by: sy on October 26, 2025, 10:00:27 PM
Hi,

Zenarmor does not route specific traffic to designated destinations. Have you consulted this with OPNsense topics?
Title: Re: Tagging traffic in OPNsense based on policy actions?
Post by: Seimus on October 26, 2025, 10:55:32 PM
ZA is a NGFW/IPS/IDS, its function is to inspect and understand traffic and/or patterns. Routing as such is done on OPNsense.

What do you mean by tagging? How do you TAG the traffic? Where do you TAG it?

Regards,
S.
Title: Re: Tagging traffic in OPNsense based on policy actions?
Post by: jlficken on October 27, 2025, 04:42:00 PM
Quote from: Seimus on October 26, 2025, 10:55:32 PM
ZA is a NGFW/IPS/IDS, its function is to inspect and understand traffic and/or patterns. Routing as such is done on OPNsense.

What do you mean by tagging? How do you TAG the traffic? Where do you TAG it?

Regards,
S.

In Untangle it's under the Events application that you can tag hosts when the traffic matches specific criteria:
(https://nextcloud.fstech.ltd/s/pqDGwcqs5Qjq7SD/preview)
(https://nextcloud.fstech.ltd/s/kG6YSR45nfa5XXz/preview)

Then you go over to the Tunnel VPN application and create a rule to route that traffic over a specific tunnel (or any available tunnel) based off of the tag that was assigned in the above step.
(https://nextcloud.fstech.ltd/s/HfxSZj3YjfnnLcM/preview)

You can route/block traffic in OPNsense using tags as well. I use that for the WireGuard Killswitch: a firewall rule that tells the traffic to go over the WireGuard tunnel (based on IP) sets a local tag of NO_WAN_EGRESS, and then the KillSwitch rule checks for that tag and blocks the traffic if the destination is the WAN rather than a tunnel.

I just don't see a way to have something like Zenarmor set a tag so that I can do something like Untangle does.
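
The tag-based kill switch described in the post above, sketched as raw pf rules. This is an added example, not the poster's configuration or rules generated by OPNsense; the interface names, gateway address and table members are assumptions.

```pf
# Constructed example: interface names, addresses and table members are assumptions.
lan_if = "igb1"          # LAN interface (assumed)
wan_if = "igb0"          # WAN interface (assumed)
wg_if  = "wg0"           # WireGuard tunnel interface (assumed)
wg_gw  = "10.10.10.1"    # gateway on the tunnel (assumed)

# Hosts that must only ever leave through the tunnel, selected by IP.
table <vpn_hosts> { 192.168.1.50, 192.168.1.51 }

# Kill switch: a packet carrying the tag is dropped if it is about to
# leave through the WAN interface instead of the tunnel.
block out quick on $wan_if tagged NO_WAN_EGRESS

# Policy route: send the listed hosts over the tunnel and mark their
# packets, so the rule above can recognise them on the way out.
pass in quick on $lan_if route-to ($wg_if $wg_gw) inet \
    from <vpn_hosts> to ! $lan_if:network tag NO_WAN_EGRESS
```

The tag here is assigned purely by source address; the request in this thread is for Zenarmor to assign it by application instead.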

Title: Re: Tagging traffic in OPNsense based on policy actions?
Post by: sy on November 03, 2025, 12:19:16 PM
Hi,

Thanks for the details. I will forward your feedback to the product team.
Title: Re: Tagging traffic in OPNsense based on policy actions?
Post by: jlficken on November 04, 2025, 03:07:26 AM
Quote from: sy on November 03, 2025, 12:19:16 PM
Hi,

Thanks for the details. I will forward your feedback to the product team.

No problem, and thanks!

If you need anything else, let me know, as I left the VM running after moving to OPNsense since I still have 4.5 years left on my license.

This ability would make me completely forget about Untangle, as it'd make OPNsense equal to or better than Untangle in every meaningful way, plus Arista is a horrible company.