Topics - pjw

#1
I recently upgraded to 25.7 and things have been mostly fine.

My setup is:

- WAN uplink to broadband modem
- WAN uplink to Starlink

I have multi-WAN rules set up to push my work traffic out my Starlink WAN primarily.  It involves an alias with my work's WireGuard target endpoints, and I push anything bound to them to the Starlink WAN.  Everything else in the house defaults to the broadband WAN uplink.  When either link fails, the traffic is configured to failover to the other WAN.

After upgrading to 25.7, when my Starlink WAN uplink fails, traffic isn't properly failing over.  Also, when the Starlink WAN comes back up, the traffic isn't failing back at all.  All my WireGuard tunnels stay down.  This is using either UDP or TCP.  I have to reboot my OPNsense box to unwedge things.

This does seem like a regression in 25.7 with multi-WAN.  I'm happy to provide configs or logs to help debug, or try patches.  Just let me know how I can help!
#2
I have a multi-WAN setup with two uplinks (one to broadband, one to Starlink).  I have rules in place to split traffic between them, home traffic to broadband, work traffic to Starlink.  Works great still.

Note to all of this: this setup with my gateway groups and all my firewall rules has been running fine since the previous major release, and this major release.

What I'm seeing though is the link health check will kick in sometimes because Starlink will have a hiccup, and will fail the link and initiate failover in the gateway group.  What doesn't happen is the piece monitoring for the Starlink side of things to come back up bringing up that interface again.  I have to log into the UI and toggle off the interface my Starlink is plugged into, Apply, and then toggle on and Apply to turn the interface back on.  Then poof, link is back and we're happy.  I've tried power cycling my Starlink router (it's in bridge mode) and that has not helped.

Worth noting that I tested bringing my broadband link down, and the same thing happens.  I have to manually toggle the port for the gateway to be brought back online.

I seem to recall right after the 24.7 rollout that some folks were having issues with getting the links back up on a failover scenario.  I had different problems (since resolved) so I never paid attention to it.  But it does seem like there is still an issue here.

Happy to try anything or share any details of my config if anyone is willing and able to help debug.
#3
I recently upgraded to the 24.7_9 release from 24.1. My Unbound DNS thread today stopped working, with my local clients getting a DNS server failure when trying to resolve things not locally cached.  I restarted the Unbound DNS service from the GUI, and everything seems ok now.

I don't see anything in the log files that would indicate a problem, it just seemed to have hung.

Any ideas to help gather info, I'm happy to provide.  Also, if there's a way to monitor this like Monit or something that can then be used to restart it, I'm happy to try that out too.
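A resolver watchdog of the kind the post asks about, written as an added example (not code from the post or from the OPNsense project): it sends a raw A query to the local Unbound, reads the reply code out of the DNS header, and restarts the service only after several consecutive SERVFAIL or timeout results, so a single dropped packet or an honest NXDOMAIN for the probe name does not bounce the resolver. The listener address 127.0.0.1:53, the probe name example.com and the restart command `configctl unbound restart` are assumptions about the box, not facts from the post; adjust them before use.

```python
"""Minimal Unbound watchdog: raw DNS probe, RCODE check, restart after repeated failure.

Added example, not from the forum post or the OPNsense code base.
Assumptions (not stated in the post): Unbound listens on 127.0.0.1:53 and
`configctl unbound restart` is the right restart hook on this firewall.
"""
import socket
import struct
import subprocess
import time

RESOLVER = ("127.0.0.1", 53)                        # assumption: local Unbound listener
RESTART_CMD = ["configctl", "unbound", "restart"]  # assumption: OPNsense configd action
PROBE_NAME = "example.com"                         # assumption: any name that must resolve
FAILURES_BEFORE_RESTART = 3

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard A/IN query with the RD bit set (flags 0x0100), one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_rcode(reply: bytes, expected_qid: int = 0x1234) -> str:
    """Symbolic RCODE of a reply, or a label describing why the reply is unusable."""
    if len(reply) < 12:
        return "SHORT"
    qid, flags = struct.unpack("!HH", reply[:4])
    if qid != expected_qid:
        return "ID_MISMATCH"
    if not flags & 0x8000:          # QR bit: a response must have it set
        return "NOT_RESPONSE"
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def probe(name: str = PROBE_NAME, timeout: float = 2.0) -> str:
    """One query against RESOLVER; a hung resolver shows up as 'TIMEOUT'."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), RESOLVER)
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data, qid)


def should_restart(history: list, threshold: int = FAILURES_BEFORE_RESTART) -> bool:
    """True only when the last `threshold` probes were all SERVFAIL or TIMEOUT.
    NXDOMAIN/REFUSED count as the resolver answering, so they never trigger."""
    if len(history) < threshold:
        return False
    return all(r in ("SERVFAIL", "TIMEOUT") for r in history[-threshold:])


def watchdog(interval: float = 30.0) -> None:
    """Poll forever; restart Unbound and reset the history once the rule fires."""
    history = []
    while True:
        history.append(probe())
        if should_restart(history):
            subprocess.run(RESTART_CMD, check=False)
            history.clear()
        time.sleep(interval)


if __name__ == "__main__":
    watchdog()
```

Run it from cron or wire `probe()`'s result into a Monit `check program` stanza if you prefer Monit to own the restart; the only part that depends on the firewall is the restart command, which is why it is isolated in RESTART_CMD.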
#4
I have a setup with two WAN uplinks, and I've had routing/firewall setup with two gateway groups to split traffic and support failover.  It looks like this has broken again since the upgrade?

On OPT1, which is where all my LAN traffic comes in, I have two firewall rules, in this order in the GUI:

- Incoming to OPT1, destination to an IP group (set of destination IPs) => gateway group 2
- Incoming to OPT1, destination to anywhere => gateway group 1

I made sure to check the gateway groups that they're prioritized correctly.

What I'm seeing is the first rule doesn't seem to be hit, which it was pre-upgrade.  Now what is perplexing is this did work on the initial upgrade, but since the hotfix to 24.7_9, it appears broken.  I've tried disabling the rules and re-enabling them, moving them around, all with "Reapply" in between.  I've also tried rebooting, nothing is working.

Curious if anyone else is seeing similar issues and have any ideas how to resolve.
#5
I have a multi-WAN setup with two ISPs, which has been running for about 2 years on 23.x.  I hadn't noticed this issue after upgrading to 24.x, since my Starlink has been stable.  Recently, it was bouncing around for some cosmic reason.

My setup is two groups, where I split work traffic to one uplink (with failover set to the other uplink), and the rest of the home traffic to the other uplink (with failover set to the other uplink).  Failover seems to work fine, sort of, but failback doesn't.  I either have to reboot the firewall, or I make some change to the Firewall rules, or Gateway config, and then return it to the original config, and Apply.  That seems to reapply the setup.  But something definitely changed between 23.x and 24.x with the automatic failover.

I'm hoping someone has insight why this failback seems to be broken.  If it's a known issue, I couldn't find anything in forums.  Or if it's something I can provide additional info on, let me know.
#6
I currently have my multi-WAN configuration running.  Each WAN uplink is to a separate ISP, and they have separate physical ports on the box.

I have selected "Member Down" as the trigger in the gateway group to fail over to the second WAN.  What is happening is my latency spikes on my one gateway when it's saturated/under load, and it eventually fails over due to high latency (blows past the high-water mark).  But the packet loss is still 0.0% as reported by OPNsense.  It seems no matter what I set it to, it is always marking the gateway failed due to high latency.

Anyone else have thoughts on how to tweak this to truly trigger on packet loss?
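An added example (not from the post or from OPNsense's dpinger) that models how a monitored gateway's loss and latency samples become a member status, and how each gateway-group trigger level reads that status. The threshold semantics are an assumption used for illustration: exceeding either *high* threshold marks the member down regardless of the other metric, and every trigger level honours "down", so "Member Down" cannot by itself stop a latency-only failover. The numeric defaults are likewise assumed; check them against the gateway's own settings. The last function shows the adjustment the model implies if only packet loss should cause a failover: push the latency thresholds out of reach.

```python
"""Model of gateway health thresholds versus gateway-group trigger levels.

Added example, not a quote of OPNsense's monitoring code. Threshold values and
the rule "either high threshold exceeded => down" are assumptions for the model.
"""

DEFAULT_THRESHOLDS = {          # assumption: per-gateway low/high thresholds
    "loss_low": 10.0, "loss_high": 20.0,    # percent packet loss
    "lat_low": 200.0, "lat_high": 500.0,    # milliseconds round trip
}


def member_status(loss_pct, latency_ms, th=DEFAULT_THRESHOLDS):
    """Return (status, reasons) for one sample window.

    A high-threshold breach on either metric yields 'down' even when the other
    metric is perfect, which matches the post's symptom: 0.0% loss, latency
    past the high-water mark, gateway marked failed.
    """
    reasons = []
    if loss_pct > th["loss_high"]:
        reasons.append("loss")
    if latency_ms > th["lat_high"]:
        reasons.append("latency")
    if reasons:
        return "down", reasons
    if loss_pct > th["loss_low"]:
        reasons.append("loss")
    if latency_ms > th["lat_low"]:
        reasons.append("latency")
    return ("warning" if reasons else "online"), reasons


def eligible(loss_pct, latency_ms, trigger, th=DEFAULT_THRESHOLDS):
    """May this member still carry a group's traffic under the given trigger level?"""
    status, reasons = member_status(loss_pct, latency_ms, th)
    if status == "down":
        return False                     # every trigger level excludes a down member
    if trigger == "member_down":
        return True                      # warnings are tolerated
    if trigger == "packet_loss":
        return "loss" not in reasons     # loss warning already disqualifies
    if trigger == "high_latency":
        return "latency" not in reasons  # latency warning already disqualifies
    if trigger == "packet_loss_or_high_latency":
        return status == "online"        # any warning disqualifies
    raise ValueError(f"unknown trigger level {trigger!r}")


def loss_only_thresholds(th=DEFAULT_THRESHOLDS, lat_ceiling=60000.0):
    """Copy of `th` in which latency can no longer mark the member down.

    60 s is far above any real RTT, so with these thresholds only packet loss
    can produce 'down'; lower the ceiling if absurd latency should still fail
    the gateway.
    """
    new = dict(th)
    new["lat_low"] = lat_ceiling
    new["lat_high"] = lat_ceiling
    return new


if __name__ == "__main__":
    # The post's case: saturated link, zero loss, latency over the high mark.
    print(member_status(0.0, 650.0))                                     # ('down', ['latency'])
    print(eligible(0.0, 650.0, "member_down"))                            # False
    print(eligible(0.0, 650.0, "member_down", loss_only_thresholds()))    # True
```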
#7
Hello,

I've recently deployed a new OPNsense firewall into my home network.  I have a somewhat complicated setup at home, which I'll describe below.  But my overall question is I'm trying to push all outbound traffic from my home network that is headed to my work's WireGuard endpoints through one WAN uplink, and the rest of the home network traffic out the other WAN uplink.

My setup is mainly a Google WiFi mesh network that connects to the OPNsense into the LAN port (diagram attached).  That does create a double-NAT, which isn't a huge deal, since I have a DMZ on VLAN20 to port-forward anything important through.

The issue though is I'm trying to filter any traffic coming into the LAN port (from the Google WiFi) that has a destination of my work's WireGuard endpoints, and pushing it into one of the specific gateways (specifically the Starlink).  I already have gateway groups configured for failover, and that works great.  But right now I'm just trying to policy-route the traffic headed for specific WireGuard endpoints outside of my network.

Trying to Google around for this always brings me to pages covering how to configure WireGuard on my OPNsense, which is not what I want to do here (I already have that).

I've attached a rough sketch of my network setup, and then a screenshot of my Firewall Rules for the LAN interface.  Note that the Alias I used in the Starlink rule is a collection of the endpoint hostnames which all resolved correctly via DNS.  Any and all help is greatly appreciated.
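The policy-routing layout described in this post and in #4 (alias of WireGuard endpoints on the first rule, catch-all on the second, each pointing at a gateway group), together with the failover/failback behaviour reported in #1, #2 and #5, as a toy model. This is an added example, not code from the posts or from OPNsense. The alias hostnames, the DNS answers that expand them, the gateway names and the flows are all constructed. One modelled assumption is stated up front: an established flow keeps the gateway it was first routed to, the way a pf state records its route-to target, until that state is removed; `kill_states_via` stands in for whatever state flush the firewall performs (or does not perform) when a gateway changes status. The model shows why a long-lived UDP flow such as a WireGuard tunnel can sit on the wrong gateway after a failover or a recovery until its state is cleared.

```python
"""Toy model: first-match policy rules -> gateway group -> tiered gateway choice,
with pf-style state pinning so failover and failback can be reasoned about.

Added example, not from the posts or OPNsense. Aliases, DNS answers, gateway
names and flows below are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "iface dest_alias group")   # evaluated top to bottom, first match wins

# Constructed host alias, as a host-type alias would hold it.
ALIASES = {"work_wg_endpoints": ["wg1.example.corp", "wg2.example.corp"]}
# Constructed DNS answers standing in for the resolver that expands the alias.
FAKE_DNS = {"wg1.example.corp": ["198.51.100.10"], "wg2.example.corp": ["198.51.100.11"]}

RULES = [Rule("opt1", "work_wg_endpoints", "work_group"),
         Rule("opt1", "any", "home_group")]
GROUPS = {"work_group": [("STARLINK", 1), ("BROADBAND", 2)],   # (gateway, tier)
          "home_group": [("BROADBAND", 1), ("STARLINK", 2)]}


def resolve_alias(name, resolver=FAKE_DNS.get):
    """Expand an alias to networks; `resolver` maps hostname -> list of addresses."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    nets = []
    for host in ALIASES[name]:
        for addr in resolver(host) or []:        # unresolvable host contributes nothing
            nets.append(ipaddress.ip_network(addr))
    return nets


def match_rule(iface, dst, rules=RULES):
    """First rule on `iface` whose destination alias contains `dst`, else None."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.iface == iface and any(ip in net for net in resolve_alias(rule.dest_alias)):
            return rule
    return None


def select_gateway(group, status, groups=GROUPS):
    """Lowest-tier member that is up; None when every member is down."""
    for gw, _tier in sorted(groups[group], key=lambda m: m[1]):
        if status.get(gw) == "up":
            return gw
    return None


class StateTable:
    """pf-style: a flow keeps the gateway chosen when its first packet was seen."""

    def __init__(self):
        self.states = {}                          # flow tuple -> gateway name

    def route(self, flow, status):
        if flow in self.states:                   # pinned: status changes are not consulted
            return self.states[flow]
        iface, _src, dst, _proto, _dport = flow
        rule = match_rule(iface, dst)
        gw = select_gateway(rule.group, status) if rule else None
        if gw:
            self.states[flow] = gw
        return gw

    def kill_states_via(self, gw):
        """Drop every state pinned to `gw`, forcing fresh rule/group evaluation."""
        for flow in [f for f, g in self.states.items() if g == gw]:
            del self.states[flow]


def failover_failback_demo():
    """Walk one WireGuard flow through outage and recovery; returns the gateway per step."""
    tbl = StateTable()
    wg = ("opt1", "192.168.1.50", "198.51.100.10", "udp", 51820)   # constructed tunnel flow
    web = ("opt1", "192.168.1.50", "203.0.113.5", "tcp", 443)      # constructed home flow
    up = {"STARLINK": "up", "BROADBAND": "up"}
    starlink_down = {"STARLINK": "down", "BROADBAND": "up"}
    steps = [tbl.route(wg, up),                 # STARLINK: first rule, tier 1
             tbl.route(web, up),                # BROADBAND: catch-all rule, tier 1
             tbl.route(wg, starlink_down)]      # STARLINK: pinned to the dead gateway
    tbl.kill_states_via("STARLINK")             # the flush that makes failover reach old flows
    steps.append(tbl.route(wg, starlink_down))  # BROADBAND: failover
    steps.append(tbl.route(wg, up))             # BROADBAND: no failback while pinned
    tbl.kill_states_via("BROADBAND")            # flush again, or wait for the state to expire
    steps.append(tbl.route(wg, up))             # STARLINK: failback
    return steps


if __name__ == "__main__":
    print(failover_failback_demo())
```

Swap `FAKE_DNS.get` for a real lookup (for example a wrapper around `socket.gethostbyname_ex`) to see which addresses an alias actually expands to on the box; a rule that "isn't hit" is often one whose alias expanded to an empty or stale set, which `resolve_alias` makes visible before any rule logic runs.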