Messages - wisesongs

#1
banym: thanks for the reply. I tested your advice and tried adding a rule to allow all on the Opt1 interface. I found that it made no difference, I still needed both cables to get a reply from the Opt1 address.

Using the packet capture function, I was able to determine that the query was coming in on the Opt1 interface, and the reply was going out on the LAN interface. It seems very strange that OPNsense is not sending the reply on the same interface as the query.

I suspect that the reply is going to the LAN interface because that is the default route for that subnet and both interfaces have the same subnet assigned. I have no manual routes assigned.

Is there a way to have two interfaces assigned to the same subnet without bridging them? Bridging does not seem to be the right answer because I want the LAN gateway address, and the DHCP, NTP and DNS services, to be inaccessible when the cable is unplugged.

What other information would be helpful for troubleshooting?
#2
20.1 Legacy Series / Management on Second Interface
April 19, 2020, 07:56:03 PM
I would like to configure my OPNsense computer while it is connected to the LAN, but not functioning as a router. I planned to do this by disconnecting the cables on the WAN and LAN interfaces, then accessing the WebGUI over a cable connected from the switch to the OPT1 interface. I assigned the LAN interface to 192.168.0.1 and OPT1 to 192.168.0.10.

After I configured the firewall rules to allow access to the WebGUI on OPT1/192.168.0.10, I connected the cable to OPT1 and I could open the WebGUI. Then a strange thing happened: when I removed the LAN cable, I could no longer access anything on the OPT1 address. With the LAN cable in place and the OPT1 cable removed I cannot reach the OPT1 address, so the only way I can use OPT1 is with both cables in place.

Any ideas what is wrong and how to fix it?
#3
Here is another post with exactly the problem I would like to solve, adding a second gateway to the LAN interface:
https://forum.opnsense.org/index.php?topic=12294.msg56833#msg56833

The suggested solution was to add a virtual IP address, then add firewall rules to "create policy based routing." I tried to do that but it did not work for me. Could someone please post the rules that would be required? I have a working VPN tunnel to Private Internet Access called PIAVPN.
#4
Here is a post that describes using subnetting rather than the gateway address to decide what traffic goes through the VPN:
https://forum.opnsense.org/index.php?topic=1951.0

It still requires manually setting the client IP address to make the switch.
#5
This post is pretty much the same question I have:
https://forum.opnsense.org/index.php?topic=12294.0

The answer to the post did not help me though. If I add an Alias IP address to the LAN interface, I don't see how to detect that address in the rules. It would not be the source or destination address.
#6
Here is a posting that is close to what I am trying to do:
https://www.neverslair-blog.net/2015/08/01/pfsense-how-to-bypass-a-vpn-connection-for-a-single-ip/
The difference is that rather than setting firewall rules on the router for every computer bypassing the VPN, I would like to have the client choose by manually setting the gateway address.
#7
What I would like to do is have the computers on the LAN network choose whether they are going to access the internet directly or via a VPN by choosing a different gateway address. So if your gateway is 192.168.0.1 you go to the internet via the ISP, or if the gateway is 192.168.0.2 you go to the internet via the VPN.
#8
I have OPNsense 20.1 running on my router. The present configuration has a gateway on the LAN interface address that passes traffic to a commercial VPN using OpenVPN. How can I add a second gateway address that sends traffic directly to the WAN interface?