Hi all,
I have a use case to route connections from OPNsense itself via a specific VPN gateway if the destination is a specific ASN (Cloudflare).
For example, if I wanted to make sure that a command executed inside SSH such as
wget https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/latest/packagesite.pkg
would be routed through wg0.
This is easy enough to accomplish for packets originating on LAN and other interfaces, but packets originating on OPNsense itself seem to go directly to WAN as OUT.
An IN floating rule does not match the traffic and an OUT rule does, but if I set a different gateway on an OUT rule, connectivity to the destination IPs is lost (which makes sense).
A workaround using static routes works, but static routes cannot be linked to an alias, which makes creating a route for every Cloudflare IP range impractical without a script, and this feels too much like a hack.
Any suggestions or anything I am missing here?
The closest match I could find to a similar question is here: https://forum.opnsense.org/index.php?topic=41506.0, but it seems to have no successful resolution.
Traffic that is generated from loopback should skip PF rules, meaning it only follows the system's routing table.
https://github.com/opnsense/core/issues/8009
Thus trying to influence it with PF - I imagine - will not do anything.
Though you could use os-frr and install routes via Zebra in an automated fashion by using a routing protocol like BGP or OSPF.
These are just assumptions; I didn't test any of this.
Policy routing for traffic originating from OPNsense itself works (with an "out" rule). The issue is source address selection, which happens before policy routing kicks in:
- The IP address of your primary WAN interface gets selected as the source address (because WAN has the default route).
- The policy routing rule routes matching packets to the wg0 gateway.
- The wg peer discards these packets because their source address (your WAN address) isn't an 'allowed IP'.
Workaround: Add an outbound NAT rule to the WAN(!) interface:
- Destination address: The alias you created.
- Translation target: wg0 address
Cheers
Maurice
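The setup Maurice describes, written out in raw pf.conf syntax instead of GUI rules, as an added illustration that is not part of the thread and not OPNsense's generated ruleset. The interface names (vtnet0, wg0), the tunnel addresses (10.10.0.2 and 10.10.0.1) and the two prefixes in the table are placeholders I assumed; the exact rule order OPNsense generates from the GUI may differ.

```pf
# Added example: raw pf equivalent of the "out" policy-routing rule plus the
# outbound NAT rule on WAN described above. Every name and address here is
# an assumption; substitute your own.
wan_if  = "vtnet0"       # primary WAN interface (holds the default route)
wg_if   = "wg0"          # WireGuard tunnel interface
wg_addr = "10.10.0.2"    # this firewall's tunnel address; must be inside the peer's AllowedIPs
wg_gw   = "10.10.0.1"    # far end of the tunnel, used as the route-to gateway

# The destination alias. RFC 5737 documentation prefixes as placeholders;
# load Cloudflare's published IP list into this table instead.
table <cloudflare> persist { 192.0.2.0/24, 198.51.100.0/24 }

# 1. Outbound NAT on WAN. pf evaluates translation rules before filter rules,
#    and the routing table initially selects WAN as the egress interface, so
#    this is where locally generated packets get their source rewritten from
#    the WAN address to the tunnel address.
nat on $wan_if inet from self to <cloudflare> -> $wg_addr

# 2. Floating "out" rule with a gateway: matching packets leave via wg0 instead
#    of following the default route. The state entry handles the replies.
pass out quick inet route-to ($wg_if $wg_gw) from self to <cloudflare> keep state
```

Two checks worth running from the OPNsense shell after applying the GUI equivalent: `pfctl -s nat` and `pfctl -s rules` should show a translation rule on the WAN interface and a pass rule carrying `route-to` for the alias, and `tcpdump -ni wg0 host <cloudflare ip>` while running the wget should show the packets with the tunnel address as source. The remaining caveat is on the far side: the peer has to list the tunnel address in its AllowedIPs and NAT it onward, otherwise the packets arrive but never get a reply.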