Messages - evan

#1
Quote from: Demusman on August 07, 2022, 07:56:18 PM
It's the same for every interface, LAN is no different.

Yes, that is true but it is logically different when comparing to other products.

If I compare it to some traditional firewalls where the directionality isn't related to the interface but the network or the firewall.

In this case, WAN traffic coming from the outside is considered IN and traffic going to the internet is OUT.  In this way, it is the same as opnsense.

In the case of LAN traffic it is typical for traffic coming into the LAN network to be considered IN but opnsense is the opposite.

Basically, I just have to reorient my brain to think about it from the perspective of the interface but I have been working with firewalls for a long time so it is going to take some mental adjustment on my part.

No big deal, all good now.
#2
22.7 Legacy Series / Re: WAN failover scenario
August 07, 2022, 07:19:28 PM
This all works really well.  Thanks again for the help!

Quote from: Vesalius on August 06, 2022, 08:05:13 PM
Now that you have 2 failover groups, Follow this link https://docs.opnsense.org/manual/how-tos/multiwan.html and choose the appropriate gateway group for each subnet firewall default allow rule and DNS.

The only extra thing I had to do was create an alias that contained all my LAN networks and add an inbound pass rule to that destination to bypass the gateway setting.
#3
Oops.  I figured it out.  I am thinking about IN and OUT backwards because it is the LAN interface.
#4
On my LAN segment, if I create two rules, one which rejects all IN traffic and another which allows all OUT traffic, my outbound traffic is blocked.  If I allow the IN traffic, my outbound traffic works.  Almost like a stateless ACL would work.

I am pretty sure the firewall is stateful so I must be doing something wrong.  I have attached a screenshot if that helps at all.
#5
22.7 Legacy Series / Re: WAN failover scenario
August 06, 2022, 10:41:23 PM
Thanks!  I will try that out in the morning when I actually cut over to the opnsense device.
#6
22.7 Legacy Series / WAN failover scenario
August 06, 2022, 07:28:21 PM
I have two wan connections.  Both are consumer connections using DHCP.

I would like to send all the traffic from one of my lan subnets out wan2 and the rest out of wan1.

If either wan link fails, I would like all traffic to be routed over the remaining connection regardless of source.

Setting up wan failover seems straightforward from reading but I am not sure I see an easy way to achieve the other goal.

Any advice would be appreciated.