Messages - tkost

#1
Quote from: dseven on October 12, 2024, 02:05:12 PM
policy-based routing doesn't apply to traffic originating from the firewall itself
Hello.
Is there a simple way to route some networks from the firewall itself using host and network aliases? Adding manual routes for specific networks to 'System->Routes' and to the firewall rules is inconvenient, because the list of networks may change, and tracking changes in two places is a point of failure. Changing the list of networks in an alias is simpler; it's one place with a readable name.
Or, maybe, you can suggest another way to me. Thanks.
#2
I'll add some information.
My default route to 0.0.0.0/0 is via the WAN interface.
And I have a second gateway, and "those_networks" are behind the second gateway. I want my OPNsense itself to route "those_networks" via the second gateway.
Clients from "those_networks" access the WAN gateway through my OPNsense, but OPNsense doesn't know where the clients in "those_networks" are, and sends packets for those clients to the wrong interface (the WAN interface); OPNsense must send packets for the clients in "those_networks" to the second gateway.

OPNsense 24.7.6-amd64
#3
Hello everyone. Sorry for my English. I'm a newbie in networks and English :)

I have a problem with OPNsense. I need to route some subnets to a gateway other than the default WAN interface. First, I created an alias named "those_networks". Then I created a floating rule stating that any traffic from any interface and any source to a destination named "those_networks" should use another gateway. After that, I tested this rule. All my clients reach "those_networks" via the other gateway, and reach any other destination via the default WAN interface. However, when I try to traceroute from the OPNsense, the OPNsense itself goes to "those_networks" via the default WAN interface. In other words, the OPNsense doesn't know where to find "those_networks". In this case, I see that the automatically created "let out anything from firewall host itself" rule applies.

Why doesn't my floating rule apply to the OPNsense itself?

I tried to write routes to "those_networks" in System->Routes->Configuration, and it works. But I can't use aliases in the system routes, and it's very inconvenient to write all the networks in system routes and check for changes all the time.

How can I create rules so that the OPNsense itself knows where to find "those_networks", i.e. that "those_networks" are behind a gateway other than the default WAN gateway?
Can I create rules that apply before the automatically created rules?
Can I create floating rules for the OPNsense itself?
And I want to be able to do this in the OPNsense web UI.
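A small reconciliation script, added here as an example and not code from this thread or from OPNsense itself, that treats the alias contents as the single source of truth and computes which System->Routes entries for the second gateway must be added, changed or removed, so the two places described above cannot drift apart. The alias text, the gateway addresses and the current route table are constructed sample values; the script only produces a plan and never touches the firewall.

```python
import ipaddress

# Constructed sample: alias contents, one host or network per line (comments allowed here).
ALIAS_THOSE_NETWORKS = [
    "10.10.0.0/24",
    "10.10.1.0/24   # contiguous with the line above",
    "10.10.0.0/24   # duplicate entry",
    "192.168.50.7",  # bare host, becomes a /32
    "fd00:50::/64",
    "",
]
# Constructed sample: the second gateway per IP version (only IPv4 configured here).
SECOND_GATEWAY = {4: "10.200.0.1"}
# Constructed sample of what System > Routes currently holds: {prefix: gateway}.
CURRENT_ROUTES = {
    "10.10.0.0/24": "10.200.0.1",     # replaced by the collapsed /23
    "10.10.7.0/24": "10.200.0.1",     # stale, no longer in the alias
    "172.16.9.0/24": "10.200.0.1",    # stale, no longer in the alias
    "192.168.50.7/32": "10.200.0.9",  # wrong gateway
    "10.99.0.0/16": "10.0.0.254",     # unrelated route, not ours to touch
}

def parse_networks(lines):
    """Normalize alias lines into ip_network objects (hosts become /32 or /128)."""
    nets = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def desired_routes(alias_lines, gateways):
    """Collapse duplicate/adjacent prefixes per IP version and map them to the gateway.
    Returns ({prefix: gateway}, [prefixes skipped because their version has no gateway])."""
    want, skipped = {}, []
    nets = parse_networks(alias_lines)
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("alias contains a default route; that would replace the WAN default")
    for version in (4, 6):
        same = sorted(n for n in nets if n.version == version)
        if version not in gateways:
            skipped.extend(str(n) for n in same)
            continue
        for n in ipaddress.collapse_addresses(same):
            want[str(n)] = gateways[version]
    return want, skipped

def reconcile(alias_lines, gateways, current_routes):
    """Plan the System > Routes changes; only routes already pointing at our gateways are removed."""
    want, _ = desired_routes(alias_lines, gateways)
    to_add = {p: g for p, g in want.items() if p not in current_routes}
    to_change = {p: g for p, g in want.items() if p in current_routes and current_routes[p] != g}
    to_remove = sorted(p for p, g in current_routes.items() if g in set(gateways.values()) and p not in want)
    return to_add, to_change, to_remove
```

Running `reconcile(ALIAS_THOSE_NETWORKS, SECOND_GATEWAY, CURRENT_ROUTES)` yields the add/change/remove plan; the IPv6 entry is reported as skipped until a gateway for that version is supplied.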
#4
Were you able to find a solution? I have the same problem.
Debian VM > Host is about 20 Gbps
Debian VM > another Debian VM is about 20 Gbps
OPNsense > Host is about 1.5 Gbps
OPNsense > Debian VM is about 1.5 Gbps.

#5
Hello.
I don't understand one thing.
I have a LAN interface (0/24), a VLAN interface (0/24), a WAN interface, and a WireGuard interface (0/24). I set protection for LAN and WireGuard as LAN-zone and VPN-zone. I understand that VLAN is included in the LAN-zone. My WireGuard clients and LAN clients use the WAN interface as the default route to the Internet. In the Reports, in the Top Local Hosts section, I see all LAN and WireGuard client IP addresses, and in the Top Remote Hosts section I see all Internet addresses. And that is OK.
But when VLAN clients use the WireGuard tunnel as the default route to the Internet (by rule), in the Reports Local Hosts and Remote Hosts swap places. I see all Internet addresses in the Top Local Hosts section, and I see only the WireGuard interface in Top Remote Hosts. I want to see these VLAN clients as local hosts and the Internet addresses as remote hosts. What did I do wrong?
When I set protection only for LAN, I don't see traffic from WireGuard clients in the reports. But I see the VLAN clients normally in the Top Local Hosts.