Messages - Ozymandias_EBON

#1
General Discussion / Re: LAN2 Setup Docs?
December 13, 2024, 05:34:25 PM
Quote from: viragomann on December 12, 2024, 11:29:08 PM
You have to change the port forwarding to the new server IP.

Got it.
I'll add this to my list and check the progress.
Will probably be over the weekend though.

Quote from: viragomann on December 12, 2024, 11:29:08 PM
Is the servers network configured via DHCP?

Yes.

Thank you for your reply!!

#2
General Discussion / LAN2 Setup Docs?
December 12, 2024, 10:49:23 PM
Problem:
I run a personal web server behind OPNsense that is accessible via DDNS.
The server is locked down very well and I've never had a breach... yet.
Since the server is also on my internal LAN, a breach would be very bad.
I know it's a security risk to the rest of my network and would like to add another layer of protection.

Possible solution:
OPNsense machine has 4 ports and 2 ports are unused.
My idea was to configure one of the unused ports for a second network (LAN2), with a different private IP range, that can access the internet but can't access LAN1.
I also don't want LAN2 to be able to access the management interface of OPNsense.
Here's what I did that did not work...

WAN is DHCP.
LAN1 is 192.168.1.1
Added LAN2 interface using Interfaces / Assignments and assigned a static IP address (10.10.10.1).
  I copied the settings from LAN1, changing IP address info.
Added IP range to DHCP.
  I copied the settings from LAN1, changing IP address info.
Added "Default allow LAN2 to any" firewall rule.
  I copied LAN1's rule for this.
Changed WAN firewall rule pointing web ports from LAN1 IP address to LAN2 IP address.

The result was that I was able to access the internet but incoming web traffic went nowhere.
Also, from both LAN1 and LAN2 I could ping 192.168.1.1 and 10.10.10.1.
I tried various rules and other changes and ultimately got it to where nothing was working on LAN2.
I restored from backup and started writing this post.

I'm just wondering if there is a high level document or checklist to do this.
I've searched "second network" and "segment network" and neither seemed fruitful.

Or, if I'm missing a glaring step, please let me know.

#3
Final thoughts.

All of the Multi-WAN docs are about Failover and Load Balancing, but "Router-Controlled" should be added to the beginning of both of those.
Since I wanted to control where traffic went, I was constantly fighting the router.

I ended up configuring the router to have 2 WAN links, no auto anything, with traffic going where I wanted it.
I had to ignore all the parts of the "Multi-WAN" doc that had to do with Gateway Groups, Gateway DNS, and the Local DNS Rule.

I set up Firewall rules to direct traffic to specific WAN links, by using aliases.
A Teams alias, Zoom alias, Azure alias, gaming server aliases, etc.

I will say that rules for specific machines were spotty.
For instance, I set up an alias for a MAC address to always go down one WAN link.
I would get brief, but noticeable, instances where performance would suck.

I never got a response on MTUs.
I ended up setting everything (all WANs and the LAN) to 1430.
I did end up with a nasty performance problem but I'm not sure MTUs were the culprit.

After all this, I'm going to cancel my DSL and just use the 5G connection.
I haven't had any issues using it for work.
Gaming is a bit more of a challenge but I'm not willing to pay $60+ per month just to game.

Thanks!

#4
Another update.
Amazing what a good night's sleep can accomplish.

I realized that the 5G was providing a local IP address for the WAN address.
This was getting stopped by the "Block private networks from WAN" rule.
Changed to a public IP and traffic is flowing.

I still cannot ping the OPNsense router from internal clients.
I added a rule for ICMP in LAN but still nothing can ping the router (see attached).

#5
Quick update. Traffic is blocked if I set the default LAN pass rule to the gateway group. So something isn't working right. I'll look for a different set of docs.
Any suggestions?

#6
I use a 50Mbit DSL connection for work (static IP) and gaming (great ping).
I've added a 5G connection for use with streaming and downloads.

I followed the instructions for setting up Multi WAN with Load Balancing.
https://docs.opnsense.org/manual/how-tos/multiwan.html

First issue was packet fragmentation due to different MTUs.
DSL = 1500, 5G = 1430
Where should I change (and not change) the MTUs for everything to work seamlessly?
I'm guessing that everything should be set to 1430, including all the devices on my network.

After setting up Multi WAN, I could no longer ping the OPNsense router.
I could browse to it, login, and everything else... just couldn't ping it.
This is important as I have some automation set up to reboot various devices if they no longer respond to ping.
I watched the traffic logs and nothing showed for the entire LAN subnet.
All the devices I have internally aren't shown.
It only shows the router's internal IPs (for either interface) as the Source.
I'm sure this is just a simple setting but I've followed the doc multiple times and get the same results.

Beyond those, the next challenge is how to direct specific traffic.
My thought is to direct everything down the 5G path with exceptions.
Traffic to O365, Teams, Zoom, Azure, VPN, some Cloud services, and gaming servers should go down the DSL.
Can anyone point me to some docs, with examples, on how to do this?

Many thanks in advance!
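Two of the threads above come down to rule ordering: post #2 (LAN2 must reach the internet but not LAN1 or the OPNsense GUI) and posts #3, #5 and #6 (policy routing per-WAN via aliases, after which the router stopped answering ping). OPNsense evaluates rules top-down with "quick" set by default, so the first match wins, and a pass rule with a gateway set sends matching traffic out that WAN even when the destination is the firewall itself. The following is an added example, not code from the thread or from OPNsense: a small first-match model of the rule table that lets you check a proposed rule set against sample packets before touching the GUI. The subnets are the ones from the posts (LAN1 192.168.1.0/24, LAN2 10.10.10.0/24); the WAN address 203.0.113.5, the alias contents, the gateway names `WAN_DSL`/`WAN_5G` and the rule labels are assumptions for the example.

```python
"""Added example, not from the forum thread: a first-match model of OPNsense
firewall rules, used to check two rule sets before clicking through the GUI.
Subnets match the posts (LAN1 192.168.1.0/24, LAN2 10.10.10.0/24); the WAN
address, alias contents and gateway names are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN1_NET = ip_network("192.168.1.0/24")
LAN2_NET = ip_network("10.10.10.0/24")
# OPNsense's built-in "This Firewall" destination: every address the box owns.
# 203.0.113.5 stands in for the (unknown) WAN address.
THIS_FIREWALL = frozenset(map(ip_address, ["192.168.1.1", "10.10.10.1", "203.0.113.5"]))
TEAMS_ALIAS = ip_network("52.112.0.0/14")  # constructed placeholder for an alias's contents


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: object                    # ip_network or "any"
    dst: object                    # ip_network, frozenset of addresses, or "any"
    proto: str = "any"             # "any", "tcp", "udp", "icmp" or "tcp/udp"
    dport: Optional[int] = None    # None = any destination port
    gateway: Optional[str] = None  # set = policy-route matching traffic out that WAN
    label: str = ""


def _hits(selector, addr):
    return selector == "any" or addr in selector   # works for networks and address sets


def evaluate(rules, src_ip, dst_ip, proto="tcp", dport=None):
    """Return (action, gateway, label) of the first matching rule.

    OPNsense rules are "quick" by default, so the first match wins; a packet
    that matches nothing falls through to the implicit default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if not (_hits(r.src, s) and _hits(r.dst, d)):
            continue
        if r.proto != "any" and proto not in r.proto.split("/"):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.gateway, r.label
    return "block", None, "implicit default deny"


# Post #2 as done: "Default allow LAN to any" copied onto LAN2.  It passes
# LAN2 -> LAN1 and LAN2 -> the firewall's GUI, which the second network was
# meant to prevent.
LAN2_COPIED = [Rule("pass", LAN2_NET, "any", label="Default allow LAN2 to any")]

# Post #2 isolated: block rules ABOVE the allow-any.  The DNS exception is only
# needed if LAN2 clients use the firewall as their resolver; drop it if they
# use an external one.  DHCP needs no rule here: OPNsense adds that itself
# when DHCP is enabled on the interface.
LAN2_ISOLATED = [
    Rule("pass", LAN2_NET, THIS_FIREWALL, "tcp/udp", 53, label="LAN2 DNS to firewall"),
    Rule("block", LAN2_NET, THIS_FIREWALL, label="no LAN2 access to management"),
    Rule("block", LAN2_NET, LAN1_NET, label="no LAN2 access to LAN1"),
    Rule("pass", LAN2_NET, "any", label="LAN2 to internet"),
]

# Posts #3/#5/#6: policy routing.  A rule with a gateway sends matching traffic
# out that WAN even when the destination is the firewall itself, so the
# catch-all needs a gateway-less pass to "This Firewall" above it (the "local"
# rule the Multi-WAN how-to places first).
LAN_POLICY = [
    Rule("pass", LAN1_NET, THIS_FIREWALL, label="LAN to firewall, normal routing"),
    Rule("pass", LAN1_NET, TEAMS_ALIAS, gateway="WAN_DSL", label="Teams alias via DSL"),
    Rule("pass", LAN1_NET, "any", gateway="WAN_5G", label="everything else via 5G"),
]
LAN_POLICY_NO_LOCAL = LAN_POLICY[1:]   # gateway on the catch-all, nothing above it


if __name__ == "__main__":
    checks = [
        ("LAN2 host -> LAN1 file server (copied)", LAN2_COPIED, "10.10.10.50", "192.168.1.20", "tcp", 445),
        ("LAN2 host -> LAN1 file server", LAN2_ISOLATED, "10.10.10.50", "192.168.1.20", "tcp", 445),
        ("LAN2 host -> GUI on LAN2 address", LAN2_ISOLATED, "10.10.10.50", "10.10.10.1", "tcp", 443),
        ("LAN2 host -> DNS on firewall", LAN2_ISOLATED, "10.10.10.50", "10.10.10.1", "udp", 53),
        ("LAN2 host -> internet", LAN2_ISOLATED, "10.10.10.50", "93.184.216.34", "tcp", 443),
        ("LAN1 host pings firewall", LAN_POLICY, "192.168.1.20", "192.168.1.1", "icmp", None),
        ("LAN1 host pings firewall (no local)", LAN_POLICY_NO_LOCAL, "192.168.1.20", "192.168.1.1", "icmp", None),
        ("LAN1 host -> Teams", LAN_POLICY, "192.168.1.20", "52.113.1.1", "tcp", 443),
    ]
    for name, rules, *pkt in checks:
        action, gw, label = evaluate(rules, *pkt)
        print(f"{name:40s} {action:5s} gw={gw or '-':8s} ({label})")
```

The model only covers the rule table. Two things it does not capture still matter for post #2: the WAN port forward must point at the server's new LAN2 address (the point made in the reply quoted in #1), and because the server gets its address by DHCP, a static mapping or a reservation keeps that forward from silently breaking. With `LAN2_ISOLATED` in place, LAN2 can no longer ping 10.10.10.1 or 192.168.1.1, which is the intended result; LAN1 keeps its own allow rule and is unaffected.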