Automatic dual-WAN failover on OPNsense (fibre + 5G)
A single internet line is a single point of failure. One outage mid-call, mid-upload, or
mid-exam and you're stuck reconnecting by hand. So I set up a second line that takes over
on its own: fibre as the primary link, 5G as the backup. When fibre dies, traffic moves to
5G in seconds; when fibre comes back, it switches back.
This is pure failover, not load balancing — one line carries everything, the other
waits. Here's the full setup. It assumes both WANs are already configured as interfaces
(mine: fibre on WAN, 5G on OPT1).
1) Gateways — System ▸ Gateways ▸ Configuration
Give each gateway a distinct, external monitor IP. This is what makes failover
actually trigger. I use:
- fibre → 1.1.1.1
- 5G → 8.8.8.8
Keep gateway monitoring enabled. Without separate monitor IPs, OPNsense can't tell that
one link is down, and the failover never fires.
2) Gateway group — System ▸ Gateways ▸ Group ▸ Add
- Name: GW_FAILOVER
- Fibre = Tier 1
- 5G = Tier 2
- Trigger Level: Member down
"Member down" means it only jumps to 5G once the fibre gateway is declared dead — exactly
what you want for a clean primary/backup split.
3) The LAN rule — Firewall ▸ Rules ▸ LAN (the step most guides forget)
Edit your "allow LAN to any" rule (or add one at the top). In Advanced, set:
- Gateway → GW_FAILOVER
This is the step that activates policy-based routing. Without it, your LAN traffic ignores
the group entirely and the failover does nothing. If you take one thing from this post,
take this.
4) Outbound NAT — Firewall ▸ NAT ▸ Outbound
Automatic mode already covers both interfaces. If you run Hybrid/Manual, make sure there's
an outbound NAT rule for both fibre and 5G, or traffic over the backup won't be
translated.
5) DNS
Unbound running as a local resolver works unchanged. If you forward to your ISP's resolver
instead, switch the forwarders to 1.1.1.1 / 8.8.8.8 in System ▸ Settings ▸ General, so you
aren't still tied to the fibre ISP's DNS when the fibre is the thing that's down.
Testing it — for real
Don't trust it until you've broken it. Physically unplug the fibre and time the cutover.
With "Member down", expect roughly 5–10 seconds before 5G takes over. Plug it back in and
confirm it returns to fibre.
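To put a number on that cutover, here is an added example (not part of the original post): it parses iputils `ping -D` output captured on a LAN client during the cable-pull and reports each gap in the reply sequence as an outage, plus whether the TTL changed afterwards (a hint that replies now return over the other link). The target 203.0.113.9 and the log lines are constructed; the ping flags are real iputils options.

```python
"""Measure WAN failover cutover time from timestamped ping output.
Capture with `ping -D -i 1 <public host> | tee ping.log` on a LAN client while
pulling the fibre cable (iputils -D prefixes replies with [epoch.micros])."""
import re
from dataclasses import dataclass

# Matches iputils "ping -D" reply lines such as
# [1700000000.123456] 64 bytes from 203.0.113.9: icmp_seq=5 ttl=57 time=12.3 ms
REPLY_RE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\] \d+ bytes from .*?icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+)"
)

@dataclass
class Outage:
    last_ok_seq: int    # last reply before the gap
    first_ok_seq: int   # first reply after the gap
    lost: int           # replies missing in between
    seconds: float      # wall-clock gap between those two replies
    ttl_changed: bool   # different TTL afterwards hints the return path changed

def parse_outages(lines, min_lost=2):
    """Return an Outage for every run of >= min_lost missing replies; a single
    lost packet is ignored by default so ordinary loss isn't counted as failover."""
    outages, prev = [], None  # prev = (timestamp, seq, ttl) of the last reply
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # skip the PING header, statistics and non-reply lines
        ts, seq, ttl = float(m["ts"]), int(m["seq"]), int(m["ttl"])
        if prev is not None and seq - prev[1] - 1 >= min_lost:
            outages.append(Outage(prev[1], seq, seq - prev[1] - 1,
                                  round(ts - prev[0], 3), ttl != prev[2]))
        prev = (ts, seq, ttl)
    return outages

# Constructed sample log (not a real capture): one reply per second, fibre
# pulled after seq 3, 5G carries the first reply at seq 11 with a new TTL.
SAMPLE_LOG = """PING 203.0.113.9 (203.0.113.9) 56(84) bytes of data.
[1700000000.000000] 64 bytes from 203.0.113.9: icmp_seq=1 ttl=57 time=11.8 ms
[1700000001.001000] 64 bytes from 203.0.113.9: icmp_seq=2 ttl=57 time=12.0 ms
[1700000002.002000] 64 bytes from 203.0.113.9: icmp_seq=3 ttl=57 time=11.9 ms
[1700000010.010000] 64 bytes from 203.0.113.9: icmp_seq=11 ttl=52 time=38.4 ms
[1700000011.011000] 64 bytes from 203.0.113.9: icmp_seq=12 ttl=52 time=37.9 ms
""".splitlines()

if __name__ == "__main__":
    for o in parse_outages(SAMPLE_LOG):
        print(f"seq {o.last_ok_seq}->{o.first_ok_seq}: {o.lost} lost, "
              f"cutover ~{o.seconds}s, path changed: {o.ttl_changed}")
```

Run it against your own `ping.log` (e.g. `parse_outages(open("ping.log"))`) once for the cable-pull and once for plugging fibre back in; the second gap is the return cutover.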
What survives the switch (and what doesn't)
The cutover is a few seconds, and active TCP sessions break — the connection drops and
re-establishes on the new path. Anything where the session lives in a token rather than the
IP (most HTTPS web apps) survives a page reload without losing state. Long-lived streams
take the hit. Plan accordingly.
Notes
- 5G behind CGNAT is fine here: no inbound connections are needed; this is outbound failover.
- Be honest about scope: this is link-down failover, not SD-WAN. There's no
real-time path selection by latency/jitter/loss and no central orchestration — it
switches when a link is declared down, which is what most homelabs and small offices
actually need.
Hardware note: I ran this on a second-hand, fanless appliance with no video output
(serial-console install only), but the failover config above is identical on any
OPNsense-compatible box.
Happy to answer questions — and if you genuinely pull the cable to test, tell me your
cutover time. :)