OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: gilau on November 04, 2017, 10:38:06 am

Title: where is switch gateway
Post by: gilau on November 04, 2017, 10:38:06 am

I have used pfsense so far but now I want to try OPNsense.
I have 2 WAN connections. For part of the network (192.168.1.x-192.168.1.x+50), the DHCP users, I need to force them to use ISP2, and all known MACs to use ISP1 (except when one ISP is down).
In pfSense I set a firewall rule with a specific gateway, and I found in [miscellaneous] a setting - [allow switching gateway] - to check.
Is there a setting like this in OPNsense?
In OPNsense, should I set a new rule for DNS?

Also in pfsense I have used group gateways for failover

GWGRP1    ISP1 tier1 ISP2 tier2 - for known macs - main network
GWGRP2    ISP2 tier1 ISP1 tier2 - for DHCP for phones, tablets so
firewall rule for dhcp with gateway GWGRP2

Can anyone help me with a short explanation of how to set up failover gateways?

thank you very much!!!
Title: Re: where is switch gateway
Post by: robvh on November 04, 2017, 11:31:05 am
I use "Firewall: Settings: Advanced: Skip rules" for this purpose.  A rule forces traffic from specific clients into a gateway, unless the gateway is down.

Title: Re: where is switch gateway
Post by: Oxygen61 on November 04, 2017, 03:17:59 pm
Hi gilau,

In OPNsense you can find the same settings, but they are located in a different place.

If you want to use a specific gateway for your rules you can do that:
Firewall > Rules > LAN (for example) > "+" > scroll down >
change Gateway "default" to the gateway you want to use

This will then allow traffic ONLY when the traffic is going to be sent through the gateway set there.
In terms of Failover Gateway, you can create a Failover Gateway with your both ISP Connections and then use this "Failover Gateway" as a gateway in your rules instead.
Internal Traffic Firewall rules though (Traffic from a LAN to another subnet where your DNS Server resides) should use the "Default" setting in your Firewall rules.

Every Multi-WAN Setting, which needs to be looked at or changed can be found here:
Firewall > settings > Advanced > Gateway Monitoring and Multi-WAN

In OPNsense should I set a new rule for DNS?
Sure, since your subnets will need to talk to your DNS. If your corporate LAN has a DNS server which can be used, you can make a rule with the "default" gateway set which allows UDP/TCP traffic to this specific DNS server IP on port 53. In case you don't have a valid DNS server in your net, you can as well let OPNsense do all the DNS resolving via the Unbound or Dnsmasq DNS daemon. This would then mean that your rules must be changed to allow UDP/TCP traffic on port 53 to the firewall gateway IP address of this specific subnet.

Failover Gateway configuration:
For failover gateways you can build them here:
System > Gateway > Group
You will then be able to select different tiers for your gateways, where tier 1 means "best" and tier 2 means "2nd best" gateway to be used. The apinger daemon of OPNsense will then automatically change these gateways and monitor them for whether high latency, packet loss or member down events are occurring.

For more and better explanation please check out the following tutorial/how-to:

best regards,
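To make the behaviour described in the answer above concrete, here is an added example (not code from the OPNsense project or from anyone in this thread) that models the pieces involved: a gateway group picks the lowest tier that still has a usable member, a rule with a gateway set is policy-routed through that member, a rule left at "default" (the DNS rule) follows the normal routing table, and when every member of a group is down the firewall either drops the gateway from the rule or, with "Skip rules when gateway is down" enabled, skips the rule entirely. The gateway names, subnets, DNS server address and monitoring thresholds are constructed for the example. It also assumes the "known MACs" get static DHCP leases, since pf rules match on IP addresses, not MAC addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed thresholds standing in for the Gateway Monitoring settings.
LATENCY_MAX_MS = 500.0
LOSS_MAX_PCT = 20.0


@dataclass
class GatewayStatus:
    up: bool                 # monitor host reachable (no "member down" event)
    latency_ms: float = 0.0  # measured round-trip time
    loss_pct: float = 0.0    # measured packet loss


def member_usable(st: GatewayStatus) -> bool:
    """A member is usable only if it is up and within the latency/loss limits."""
    return st.up and st.latency_ms <= LATENCY_MAX_MS and st.loss_pct <= LOSS_MAX_PCT


# Gateway groups as (member name, tier); the lowest tier with a usable member wins.
GROUPS = {
    "GWGRP1": [("ISP1", 1), ("ISP2", 2)],   # known hosts: ISP1 first
    "GWGRP2": [("ISP2", 1), ("ISP1", 2)],   # phones/tablets: ISP2 first
}


def select_gateway(group_name: str, status: dict) -> Optional[str]:
    """Return the active member of a group, or None if every member is unusable."""
    members = GROUPS[group_name]
    for tier in sorted({t for _, t in members}):
        for name, t in members:
            if t == tier and member_usable(status[name]):
                return name
    return None


@dataclass
class Rule:
    src: str                # source network (pf matches on IP, not MAC)
    dst: str                # destination network, or "any"
    port: Optional[int]     # destination port, None = any
    gateway: Optional[str]  # None = "default" (system routing table), else gateway/group


# Constructed addressing: known MACs get static leases in the lower /26,
# the DHCP pool for phones and tablets is the upper /26.
KNOWN_HOSTS = ip_network("192.168.1.0/26")
DHCP_POOL = ip_network("192.168.1.64/26")
DNS_SERVER = "192.168.2.53"

RULES = [
    # DNS to the internal resolver stays on "default" so it is routed internally
    # instead of being pushed out a WAN; it must sit above the policy rules.
    Rule(src="192.168.1.0/24", dst=f"{DNS_SERVER}/32", port=53, gateway=None),
    Rule(src=str(DHCP_POOL), dst="any", port=None, gateway="GWGRP2"),
    Rule(src=str(KNOWN_HOSTS), dst="any", port=None, gateway="GWGRP1"),
]


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    if ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    return rule.port is None or rule.port == port


def route_for(src: str, dst: str, port: int, status: dict,
              skip_rules_when_gw_down: bool = False) -> Optional[str]:
    """First-match evaluation. Returns "default", a gateway name, or None (no rule matched)."""
    for rule in RULES:
        if not matches(rule, src, dst, port):
            continue
        if rule.gateway is None:
            return "default"
        if rule.gateway in GROUPS:
            gw = select_gateway(rule.gateway, status)
        else:
            gw = rule.gateway if member_usable(status[rule.gateway]) else None
        if gw is not None:
            return gw
        # Every member is down: either the gateway is omitted from the rule
        # (traffic follows the default route) or the whole rule is skipped.
        if skip_rules_when_gw_down:
            continue
        return "default"
    return None


ALL_UP = {"ISP1": GatewayStatus(True, 20.0), "ISP2": GatewayStatus(True, 30.0)}

if __name__ == "__main__":
    print(route_for("192.168.1.100", "203.0.113.9", 443, ALL_UP))   # ISP2 (tablet)
    print(route_for("192.168.1.10", "203.0.113.9", 443, ALL_UP))    # ISP1 (known host)
    print(route_for("192.168.1.100", DNS_SERVER, 53, ALL_UP))        # default (DNS)
```

Running the block with ISP2 marked down, or with its latency above the threshold, shows the tablet pool failing over to ISP1; with both ISPs down, the flow lands on "default" unless the skip option is set, in which case the rule is skipped and, because no later rule matches that source, nothing allows it.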
Title: Re: where is switch gateway
Post by: gilau on November 04, 2017, 06:17:42 pm
Oxy, thank you so much!!