Messages - tkost

#1
Hello.
I am using the latest version of OPNSense (Community).
On OPNSense, in addition to the WAN interface, there are several local interfaces, among which are interfaces 10.100.100.10 and 10.100.101.10. There is a remote subnet 192.168.254.0/24, which is accessible through routers 10.100.100.1 and 10.100.101.1. Routers 10.100.100.1 and 10.100.101.1 are connected to 192.168.254.0/24 by different channels and routes.

I need the OPNsense itself, not the clients, to have a route to 192.168.254.0/24 via 10.100.100.1 or 10.100.101.1, depending on whether the 192.168.254.0/24 network is reachable via the 10.100.100.1 or 10.100.101.1 router. That is, the route between 10.100.100.1 and 192.168.254.0/24 can fail, and then the OPNsense itself will have a route to 192.168.254.0/24 via 10.100.101.1. And in the opposite case, when the route from 10.100.10.1 to 192.168.254.0/24 drops, the OPNsense itself should build a route to the network 192.168.254.0/24 through 10.100.100.1.
It would be ideal if OPNSense chose the most responsive route through one of the routers based on ping time.
The connection between OPNSense and routers 10.100.100.1 and 10.100.101.1 is always available, since these routers are local, and the network 192.168.254.0/24 is remote.
I'm a newbie, and I need some ideas on where to start and what to do. In the OPNSense settings, when creating a static route, I can't select a gateway group. This would simplify the task.
10.100.100.1 and 10.100.101.1 are OpenWRT.
It is desirable that all configuration be carried out through the web interface, since when configuring outside the web interface, there is a chance of forgetting what and how you once configured.
#2
Quote from: dseven on October 12, 2024, 02:05:12 PM
policy-based routing doesn't apply to traffic originating from the firewall itself
Hello.
Is there a simple way to route some networks from the firewall itself using host and network aliases? Adding manual routes for specific networks to 'System->Routes' and to the firewall rules is inconvenient, because the list of networks may change, and tracking changes in two places is a point of failure. Changing the list of networks in an alias is simpler: it's one place with a readable name.
Or maybe you can suggest another way to me. Thanks.
#3
I'll add some information.
My default route (0.0.0.0/0) is via the WAN interface.
And I have a second gateway, and "those_networks" are behind the second gateway. I want my OPNsense itself to route "those_networks" via the second gateway.
Clients from "those_networks" access the WAN gateway through my OPNsense, but OPNsense doesn't know where the clients of "those_networks" are, and OPNsense sends packets for those clients to the wrong interface (the WAN interface), whereas OPNsense must send packets for the clients of "those_networks" to the second gateway.

OPNsense 24.7.6-amd64
#4
Hello everyone. Sorry for my English. I'm a newbie in networks and English :)

I have a problem with OPNsense. I need to route some subnets to a gateway other than the default WAN interface. First, I created an alias named "those_networks". Then I created a floating rule stating that any traffic from any interface and any source to a destination named "those_networks" should use another gateway. After that, I tested this rule. All my clients go to "those_networks" via the other gateway, and go to any other destination via the default WAN interface. However, when I try to traceroute from the OPNsense, the OPNsense itself goes to "those_networks" via the default WAN interface. In other words, the OPNsense doesn't know where to find "those_networks". In this case, I see that the automatically created "let out anything from firewall host itself" rule applies.

Why doesn't my floating rule apply to the OPNSense itself?

I tried to write routes to "those_networks" in System->Routes->Configuration, and it works. But I can't use Aliases in the System Routes, and it's very inconvenient to write all networks in system routes and check for changes all the time.

How can I create rules so that the OPNSense itself knows where to find "those_networks", that "those_networks" are behind the gateway other than the default WAN gateway?
Can I create rules that apply before automatically created rules?
Can I create floating rules for the OPNSense itself?
And I want to be able to do this in the OPNSense webUI.
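The problem raised in #1 (pick a gateway for firewall-originated traffic by reachability) and in #2-#4 (keep the firewall's own routes in sync with an alias instead of maintaining System->Routes by hand) can be checked from the shell with a small reconciler. The following is an added example, not OPNsense code and not the poster's configuration: it assumes the alias contents are available as a text file with one CIDR per line, that the current kernel routes are read from `netstat -rn -f inet` output, and that gateway probe results (RTT in ms, or None if unreachable) are supplied by the caller, for instance from dpinger or a ping loop. The sample alias, routing table and probe results below are constructed. It only emits `route(8)` commands for review; it never touches routes that point at a gateway it does not manage, so the default route is left alone.

```python
"""Reconcile static routes for an alias-style network list (added example).

Assumed inputs: alias text (one CIDR per line), `netstat -rn -f inet` output,
and a dict of gateway -> RTT in ms (None = unreachable). Output: route(8)
commands to run, not executed here. All sample data is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set

Net = ipaddress.IPv4Network

# Constructed sample alias: the networks that live behind the managed gateways.
ALIAS_TEXT = """
192.168.254.0/24
10.50.0.0/16        # new site, added to the alias today
172.16.9.0/24
"""

# Constructed sample of `netstat -rn -f inet` on FreeBSD/OPNsense.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.100.100.0/24    link#2             U           em1
10.100.100.10      link#2             UHS         lo0
172.16.9.0/24      10.100.100.1       UGS         em1
172.16.44.0/24     10.100.101.1       UGS         em2
"""

# Constructed probe results: both local routers answered, one is faster.
PROBES: Dict[str, Optional[float]] = {"10.100.100.1": 3.2, "10.100.101.1": 1.8}
MANAGED_GATEWAYS: Set[str] = set(PROBES)


def parse_alias(text: str) -> Set[Net]:
    """Parse the alias body; '#' starts a comment, bad entries raise ValueError."""
    nets: Set[Net] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets


def parse_routes(netstat_output: str) -> Dict[Net, str]:
    """Return {destination: gateway} for routes whose gateway is an IPv4 address.

    Header lines, link-layer entries (link#N) and interface routes are skipped.
    """
    routes: Dict[Net, str] = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        dest, gw = parts[0], parts[1]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
            ipaddress.ip_address(gw)
        except ValueError:
            continue
        routes[net] = gw
    return routes


def select_gateway(probes: Dict[str, Optional[float]]) -> Optional[str]:
    """Lowest-RTT gateway among those that answered; None if none is reachable."""
    alive = {gw: rtt for gw, rtt in probes.items() if rtt is not None}
    return min(alive, key=alive.get) if alive else None


def plan(desired: Set[Net], gateway: str, current: Dict[Net, str],
         managed: Set[str]) -> List[str]:
    """Commands that make `current` carry `desired` via `gateway`.

    Routes pointing at a gateway outside `managed` are never changed or
    deleted, so the default route and unrelated static routes stay intact.
    """
    cmds: List[str] = []
    for net in sorted(desired):
        if net not in current:
            cmds.append(f"route add -net {net} {gateway}")
        elif current[net] != gateway and current[net] in managed:
            cmds.append(f"route change -net {net} {gateway}")
    for net, gw in sorted(current.items()):
        if gw in managed and net not in desired:
            cmds.append(f"route delete -net {net}")
    return cmds


def build_plan() -> List[str]:
    """Tie the pieces together on the constructed sample data."""
    gateway = select_gateway(PROBES)
    if gateway is None:
        return []  # no reachable gateway: change nothing, let the admin look
    return plan(parse_alias(ALIAS_TEXT), gateway,
                parse_routes(NETSTAT_OUTPUT), MANAGED_GATEWAYS)


if __name__ == "__main__":
    for cmd in build_plan():
        print(cmd)
```

Run it as a dry run and apply the printed commands only after reading them; on a real box you would replace the constructed `NETSTAT_OUTPUT` with `subprocess.run(["netstat", "-rn", "-f", "inet"], ...)` and feed `PROBES` from whatever monitor you trust. Routes added this way live outside the web UI, which is exactly the drawback the posts describe, so the script is best seen as a check of what System->Routes should contain rather than a replacement for it.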
#5
Were you able to look up a solution? I have the same problem.
Debian VM > Host is about 20 Gbps
Debian VM > another Debian VM is about 20 Gbps
OPNSense > Host is about 1.5 Gbps
OPNSense > Debian VM is about 1.5 Gbps.

#6
Hello.
I don't understand one thing.
I have a LAN interface (0/24), a VLAN interface (0/24), a WAN interface, and a WireGuard interface (0/24). I set protection for LAN and WireGuard as LAN-zone and VPN-zone. I understand that the VLAN is included in the LAN-zone. My WireGuard clients and LAN clients use the WAN interface as the default route to the Internet. In the Reports, in the Top Local Hosts section, I see all LAN and WireGuard client IP addresses, and in the Top Remote Hosts section I see all Internet addresses. And that is OK.
But when VLAN clients use the WireGuard tunnel as the default route to the Internet (by rule), Local Hosts and Remote Hosts swap places in the Reports. I see all Internet addresses in the Top Local Hosts section, and I see only the WireGuard interface in Top Remote Hosts. I want to see these VLAN clients as local hosts and the Internet addresses as remote hosts. What did I do wrong?
When I set protection only for LAN, I don't see traffic from WireGuard clients in the reports. But I see the VLAN clients normally in the Top Local Hosts.