Unfortunately this last information I posted is not useful...
Let me explain my problem in detail. Maybe I am choosing the wrong way to build my Firewall rules.
In fact I am trying to migrate all my Firewall rules from my current Firewall (Endian Firewall) to OpnSense. And some concepts seem to be hard to migrate.
In my current Firewall I have a section in which all the allow rules are defined (Firewall -> Outgoing traffic). I define, for instance, the ports my LAN NET can use to make connections. No implicit route. Only a set of filter rules. The default is using my main WAN as the output link to the Internet.
And I have another section (Network -> Routing -> Policy Routing) in which I can define a rule for some cases where I need to explicitly define another route to be used by some Desktops; usually I define it to use another WAN (the secondary one or some special WAN) different from the default. In other words, routing and firewall rules are different things, and when I use a route to another WAN all the firewall rules are still active and functional.
In OpnSense I am now building the system this way:
1- I have two different WANs, so I configured a MULTI-WAN named "FAILOVER-WAN" and set my WAN1 as tier1 and my WAN2 as tier2
2- My "Firewall->Rules-Lan" has the rule "Default allow LAN to any rule" disabled. Therefore I must explicitly define the resources that are allowed to be used. For instance, I define a rule to allow the use of ports 80 and 443. And the gateway of this rule is "FAILOVER-WAN". No matter which WAN is really active (WAN1 or WAN2), the rule is valid. And in this case, if my user tries to use FTP port 21 it will not be allowed.
3- But now I have a Desktop on my LAN NET that for some reason needs to use only the WAN2 link. Not the default first option of my "FAILOVER-WAN". No matter if WAN1 is active or not, this Desktop needs to use only WAN2. But I do not have a "routing section" like I have in my current firewall today. As I understand it, I need to use another "Firewall->Rules-Lan" rule only to define this specific route for this Desktop. So I created a rule with a different gateway (WAN2, no longer the WAN group) and the field "Source - single host or Network" set to the IP of this specific Desktop. I put this rule BEFORE the "generic rule" I described before. It works... but I have a problem now. For each "generic rule" defined, I need to duplicate the same options in a rule for this special DESKTOP. So I will have a generic rule allowing the use of ports 80/443 via FAILOVER-WAN and a specific rule also allowing the use of ports 80/443 for this DESKTOP IP using WAN2. If tomorrow I need to create a new generic rule allowing the FTP port, then I also need to duplicate the work by creating a new rule for this special DESKTOP.
Do I have another way to solve this problem using OpnSense?
Is it possible to define a set of rules linked to a MULTI-WAN and use the same rules, eventually assigned to another gateway-WAN, without duplicating the service? I now have hundreds of rules as a basic/generic set of Firewall rules and 3 or 4 special DESKTOPS which need to use a different explicit WAN, and right now I cannot see a solution using Opnsense.
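The rule set described in the post, written out as hand-crafted pf rules so the ordering and the per-rule gateway are visible. This is an added illustration, not the poster's configuration and not the rules.debug that OPNsense generates; interface names (em0/em1/em2), addresses, the gateway IPs and the desktop IP are all assumed, and the FAILOVER-WAN group is simplified to its tier 1 member.

```pf
# Illustrative pf ruleset (hand-written; NOT OPNsense's generated rules).
# Assumed names: em0 = LAN, em1 = WAN1, em2 = WAN2; all addresses are made up.
lan_if    = "em0"
wan1_if   = "em1"
wan1_gw   = "203.0.113.1"
wan2_if   = "em2"
wan2_gw   = "198.51.100.1"
lan_net   = "192.168.10.0/24"
special   = "192.168.10.50"        # the one desktop that must always leave via WAN2
web_ports = "{ 80 443 }"           # the only services allowed so far; FTP (21) is absent

# "Default allow LAN to any" is disabled: anything not matched by a pass rule
# below is dropped (and logged) on the LAN interface.
block in log on $lan_if

# Host-specific rule FIRST. pf evaluates rules top-down and "quick" stops at the
# first match, so this desktop's web traffic is pinned to WAN2 whether or not
# WAN1 is up. This is the rule placed BEFORE the generic one in the post.
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) inet proto tcp \
    from $special to any port $web_ports flags S/SA keep state

# Generic rule for the rest of the LAN, gateway = FAILOVER-WAN. The group is
# simplified here to WAN1 (tier 1); on the real box the gateway group is
# re-resolved to its active member when the ruleset is reloaded after failover.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) inet proto tcp \
    from $lan_net to any port $web_ports flags S/SA keep state

# Adding a service means two rules are affected: the WAN2-pinned one for the
# desktop and the gateway-group one for the LAN. Sharing the $web_ports macro
# keeps the port list in one place, but the pair of rules still exists once
# per service, which is the duplication the post describes.
```

Two things worth checking when reproducing this in OPNsense: the host-specific rule must sit above the generic rule on the LAN tab (a rule lower down is never reached once the generic rule matches), and it must name WAN2 directly rather than the gateway group, otherwise failover logic applies to it as well. In pf the shared port macro is what a port alias does in the OPNsense GUI: both rules reference the same list, so a new port is added once, but the per-host rule itself still has to exist alongside each generic rule.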