OPNsense Forum

English Forums => 26.1 Series => Topic started by: rolsch on April 12, 2026, 05:39:33 PM

Title: 25.x.x to 26.x.x: Floating-Rule don't work (VPN traffic to second WAN-IF !!!)
Post by: rolsch on April 12, 2026, 05:39:33 PM
Hi.

I upgraded from v25.x.x -> v26.x.x, and now a floating rule that worked well doesn't work.

The rule was migrated from a floating rule to an interface rule.

Policy routing/floating rule
IF=WAN_igc1, pass, dir=out, Source any, Destination the VPN IP as alias, Port any, Protocol UDP, Gateway: WAN_IGC1_GW

rule-export
10113c75-838e-4d0b-9bf7-9cc8ba4600bf;1;keep;;6;pass;1;0;wan;out;inet;any;;;any;0;;MyVPNProvider;0;;;WAN_IGC1_GW;;0;1;0;0;0;;;;;;;;;;;;;;;;;;;;;0;;;;;;"MyVPNProvider"

Background:
I have two WAN-interfaces, all VPN traffic should go over the gateway WAN_IGC1_GW

GW1: OPT3_PPPOE0_PPPOE (active)
GW2: WAN_IGC1_GW

I think the rule handling was changed in v26.x.x

Any hints for me?

See: https://forum.opnsense.org/index.php?topic=46026.msg264546#msg264546
Title: Re: 25.x.x to 26.x.x: Floating-Rule don't work (VPN traffic to second WAN-IF)
Post by: Patrick M. Hausen on April 12, 2026, 05:48:47 PM
The decision whether a rule is floating or interface based is now automatic, based on the number of interfaces selected in the rule. A rule with just a single interface can never be floating in the new system. This removes the implicit priority of "floating before interface based". So you should probably move the rule to the set of interface rules and place it at the top there, so it is evaluated first like it would be if it were floating.
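The classification described in this reply, applied to a rule export, as an added example that is not part of the original posts and not OPNsense code. The column positions are assumptions inferred from the single export line quoted in this thread, as are the comma-separated interface list and the treatment of an empty interface field as floating; the second sample row is constructed.

```python
import csv
import io

# Column positions inferred from the export line quoted in this thread
# (assumption, not taken from OPNsense documentation).
COL_UUID, COL_ACTION, COL_IFACE, COL_DIR, COL_GATEWAY = 0, 5, 8, 9, 21

# Constructed sample: row 1 is the thread's rule with its tail shortened,
# row 2 is a hypothetical rule with two interfaces selected.
SAMPLE_EXPORT = (
    "10113c75-838e-4d0b-9bf7-9cc8ba4600bf;1;keep;;6;pass;1;0;wan;out;inet;"
    "any;;;any;0;;MyVPNProvider;0;;;WAN_IGC1_GW;;0;\"MyVPNProvider\"\n"
    "00000000-0000-0000-0000-000000000001;1;keep;;7;pass;1;0;wan,opt3;out;"
    "inet;any;;;any;0;;MyVPNProvider;0;;;;;0;\"hypothetical\"\n"
)


def classify(row):
    """Classify one exported rule the way the reply describes for 26.x."""
    # Assumption: several interfaces are exported as a comma-separated list.
    ifaces = [name for name in row[COL_IFACE].split(",") if name]
    # Exactly one interface selected -> interface rule, otherwise floating.
    kind = "interface" if len(ifaces) == 1 else "floating"
    # Outbound policy routing on a single interface is the case from this
    # thread: it lost the "floating first" priority and needs a manual check
    # of its position and of the gateway the traffic really leaves through.
    review = (
        kind == "interface"
        and row[COL_DIR] == "out"
        and row[COL_GATEWAY] != ""
    )
    return {
        "uuid": row[COL_UUID],
        "interfaces": ifaces,
        "kind": kind,
        "gateway": row[COL_GATEWAY],
        "review": review,
    }


def audit(export_text):
    """Parse a semicolon-delimited rule export and classify every rule."""
    reader = csv.reader(io.StringIO(export_text), delimiter=";", quotechar='"')
    # Rows too short to contain the gateway column are skipped, not guessed.
    return [classify(row) for row in reader if len(row) > COL_GATEWAY]


if __name__ == "__main__":
    for rule in audit(SAMPLE_EXPORT):
        print(rule)
```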
Title: Re: 25.x.x to 26.x.x: Floating-Rule don't work (VPN traffic to second WAN-IF)
Post by: rolsch on April 14, 2026, 03:32:34 PM
The rule "MyVPNProvider" is at the top but all VPN Traffic goes over GW1: OPT3_PPPOE0_PPPOE (active) and not the WAN_IGC1_GW - 192.168.2.1

https://www.pasteboard.co/6KMF6YyaZqb1.png

10113c75-838e-4d0b-9bf7-9cc8ba4600bf;1;keep;;6;pass;1;0;wan;out;inet;any;;;any;0;;MyVPN_Provider;0;;;WAN_IGC1_GW;;0;1;0;0;0;;;;;;;;;;;;;;;;;;;;;0;;;;;;MyVPNProvider

So I think traffic from the firewall itself (OpenVPN in client mode) cannot be caught with policy-based rules on the WAN interfaces.
- in OPNsense 25.x.x this feature works...

I solved this issue - not nice to handle but it works.
- created a static route: System-Routes-Configuration

*** Any other solutions for this behavior are welcome! ***

[Feature-Request]
- handle alias entries in System-Routes-Configuration in the field "Network Address"
- why: the VPN provider has DNS names for the servers and the IP changes sometimes...