Messages - zackboll

#1
Quote from: coffeecup25 on August 07, 2025, 05:22:56 PM

zackboll, I'm responding to your original post. I have not read most of the rest of the thread as dual WAN is not in my network at this time.

I also recently changed over from pfSense. As this is a hobby for me, I am going from one to the other as I experiment. They are both excellent software routers.

The biggest problem I had with OPNsense initially was that everything is in a different place from pfSense. This is to be expected and normal. But it's a good chance something on your initial setup was missed. Take another look unless you have already done this and are sure they are comparable.

Thanks, my dual WAN policy-based gateway routing is now working after following the suggestion of creating a LAN firewall rule that forwards all traffic to my gateway group that matches the invert (private addresses).

The only thing that I am not really happy about now has to do with my primary ISP being IPv4 only, so I had to downgrade to using only IPv4 on my local network.

In an ideal world, what I would like to accomplish is the following with the current limitations of my tier1 ISP:
1.) IPv4 and IPv6 on local network
2.) IPv4 traffic is routed out tier1 WAN
3.) IPv6 traffic is routed out tier1 WAN via IPv4 to a cloud server, where it can then be routed as IPv6 (I can kind of accomplish this per client with Tailscale)
4.) IPv4 and IPv6 traffic routed out tier2 WAN when tier1 WAN fails.
#2
My current work-around for when I need IPv6 connectivity is to tunnel through a VPS that has IPv4 and IPv6 using Tailscale.

It would be nice to have IPv6 available all the time for all clients on the network, but I am not sure how to accomplish this with Tier1 WAN being IPv4 only and Tier2 WAN being IPv4/IPv6.
#3
Thanks for the help, I have my 3 WAN setup with policy-based routing up and running. I wasn't sure how to handle my tier 1 GW not having an IPv6 address, so I disabled IPv6 on my tier 2 and tier 3 GW.

Zack
#4
Thanks,

I just ran into another potential issue with my new fiber connection.  I just plugged it in tonight and unfortunately it only provides an IPv4 address.  My Tier 2 ISP provides both an IPv4 and IPv6 address.

I noticed that in GW groups, you cannot mix and match IPv4 WANs with IPv6 WANs which makes sense to me.  Since my Tier 1 ISP does not provide an IPv6 address, do I need to disable IPv6 from my Tier 2 ISP?  My concern is that all my IPv6 traffic will go through my Tier 2 ISP, leaving my Tier 1 ISP (with symmetric Up/Down bandwidth) under utilized.  Is there an alternative to disabling IPv6 on my router (maybe use an IPv6 to IPv4 translator)?  If the best solution is just to disable IPv6, I am fine with that.  I am currently not a Starlink customer and I don't believe that any of my IPv4 WAN addresses are using CGNAT.

Thanks,
Zack
#5
"Best practice, when using policy-routing rules for common upstream traffic is to create a network alias and add all private network ranges to it. Then use this alias in the policy-routing rule as destination with "invert" checked. So this rule is applied to non-private destinations only and has no impact on local traffic."

Thank you for the feedback, I am going to do some reading tonight and will hopefully accomplish this.
#6
After reviewing the OPNsense documentation more closely, I am pretty sure what I was missing was a firewall rule to allow DNS traffic to my OPNsense router (192.168.9.1). I am guessing I will need to add additional rules for WebGUI and SSH access as well?

https://docs.opnsense.org/manual/how-tos/multiwan.html#step-5-add-allow-rule-for-dns-traffic

Thanks,
Zack
#7
I have been using OPNsense for about a week now; I am a new user who recently switched over from pfSense.

In my previous pfSense setup, I used a dual WAN setup, with all of my traffic going through my primary WAN, with WAN2 as a failover.

I will list my problem at the end, below is my router configuration:

My primary WAN has an IPv4 and IPv6 address. My secondary WAN2 has just an IPv4 address. Under System->Gateways->Groups, I created a new IPv4_Failover group with WAN1 as tier1 and WAN2 as tier2. I have tried adjusting the trigger level and pool options; initially, the trigger was based on packet loss and latency and the pool was round robin. Each of the 3 gateways uses an external DNS server as the IP address to monitor, listed in the next setting.

In System->Settings->General, I have 3 unique DNS servers specified, 1 IPv6 server, 2 IPv4 servers, all Google DNS servers for now. Each server is tied to a WAN gateway. I have unchecked "Allow DNS server list to be overridden by WAN" and checked "Allow default gateway switching".

In Firewall->Rules->LAN, I modified the default rule for IPv4 to go to my IPv4_Failover Gateway group defined earlier (as opposed to default gateway).  For IPv6 traffic, I left it unmodified since I only have a single IPv6 WAN address.

I have been having trouble replicating my previous setup in OPNsense using policy-based routing. The setup appears to kind of work on some systems connected to the LAN; on other systems, I have no WAN access. On one such problem system, I could not ping the main OPNsense router (192.168.9.1) from my workstation on the LAN (192.168.9.20). As soon as I modified the IPv4 LAN firewall rule to point at the default gateway, instead of my IPv4_Failover GW group, 192.168.9.1 and the internet became available on that machine.

For now, I lowered the priority of my primary WAN GW so that traffic would prefer it, and do not route any LAN traffic to the IPv4_Failover GW group. If possible, I would like to figure out why my policy-based routing is not working, as my setup is getting a little more complicated with a 3rd ISP being installed this week. My final goal will be to load balance some LAN traffic between WAN1 and WAN2, with WAN3 being used as a failover for WAN1 and WAN2. With policy-based gateway routing, this seemed like it would be easy to accomplish with OPNsense. I am hoping that I am just missing something simple from my configuration.

Thanks,
Zack
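The symptom in post #7 (LAN hosts losing reach to 192.168.9.1 once the catch-all LAN rule points at a gateway group) and the fix quoted in post #5 (a private-network alias used as an inverted destination) can be reasoned through with a small simulator. The following is an added example, not code from this thread or from the OPNsense project: it models first-match rule evaluation with a destination alias, an "invert" flag and a gateway choice, and compares the "everything to the gateway group" rule set against one that keeps private destinations on the default route. The alias name, rule names and the IPv4_Failover group name are taken from or modelled on the posts; the rule semantics are a deliberate simplification.

```python
"""Constructed model of OPNsense-style policy routing on a LAN rule set.

Not OPNsense code: it only models which gateway a LAN packet's first
matching pass rule selects, to show why policy-routing ALL traffic breaks
access to the firewall itself and how an inverted private-network alias
avoids that.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical alias holding the private ranges (RFC 1918 plus link-local),
# as the best practice quoted in post #5 recommends.
PRIVATE_NETS_ALIAS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("169.254.0.0/16"),
]

FIREWALL_LAN_IP = ip_network("192.168.9.1/32")  # router address from the thread


@dataclass
class Rule:
    name: str
    dest_alias: list = field(default_factory=list)  # [] means "any destination"
    invert_dest: bool = False                        # the "/ invert" checkbox on destination
    gateway: str = "default"                         # "default" or a gateway-group name


def rule_matches(rule: Rule, dst) -> bool:
    """True if the destination matches the rule, honouring the invert flag."""
    if not rule.dest_alias:
        hit = True
    else:
        hit = any(dst in net for net in rule.dest_alias)
    return hit != rule.invert_dest


def select_gateway(ruleset, dst: str):
    """Return the gateway chosen by the first matching rule, or None when no
    pass rule matches (the implicit default deny would drop the packet)."""
    addr = ip_address(dst)
    for rule in ruleset:
        if rule_matches(rule, addr):
            return rule.gateway
    return None


# Post #7's configuration: the default "LAN to any" rule edited to use the group.
BROKEN_RULESET = [
    Rule("LAN: any -> IPv4_Failover", gateway="IPv4_Failover"),
]

# Post #5's suggestion plus the DNS/firewall-access rule from the how-to link
# in post #6: local destinations stay on the default route, only non-private
# destinations are policy-routed.
FIXED_RULESET = [
    Rule("LAN: allow traffic to the firewall itself", dest_alias=[FIREWALL_LAN_IP]),
    Rule("LAN: private networks via default route", dest_alias=PRIVATE_NETS_ALIAS),
    Rule("LAN: !PRIVATE_NETS -> IPv4_Failover",
         dest_alias=PRIVATE_NETS_ALIAS, invert_dest=True, gateway="IPv4_Failover"),
]


def compare(dst: str) -> dict:
    """Gateway chosen for one destination under each rule set."""
    return {"broken": select_gateway(BROKEN_RULESET, dst),
            "fixed": select_gateway(FIXED_RULESET, dst)}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.9.1", "10.0.0.5"):
        print(dst, compare(dst))
```

Under the broken set even a DNS query to 192.168.9.1 is handed to the gateway group, which is consistent with the "cannot ping the router" symptom; under the fixed set only Internet-bound traffic reaches IPv4_Failover, and traffic to the firewall or to any private range takes the ordinary route. Real OPNsense rule ordering, "quick" semantics and reply-to handling are richer than this model, so treat it as a way to check rule intent, not as a substitute for testing on the box.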
#8
The wizard did not appear to automatically set up the DNS server, but following the configuration guide, things worked once I set up Unbound DNS to forward queries to Dnsmasq.

Thanks,
Zack
#9
Thanks,

After reading through the documentation linked, I think I understand why my configuration is not working. I will try updating my configuration tonight.

It was a little chaotic during my unplanned network upgrade, so I didn't actually use an OPNsense wizard to set up my machine. I will take a look at this tonight and perhaps try using the wizard for automatic setup.

Zack
#10
Hi,

I am a new OPNsense user as of this weekend. I have planned to switch over to OPNsense for a couple of years now after the bad taste from Netgate in recent years; my pfSense system not booting after upgrading from 2.7.0 to 2.7.2 gave me the motivation needed.

My home network requirements are fairly simple: no VLAN, WireGuard server on the router, dual WAN.

For now, I am using a single WAN, the WireGuard server is running, and I was able to install a Tailscale node on the router as well. I haven't added my backup ISP yet, but for the most part I am up and running.

What has been bothering me is that I have been unable to get local DNS resolution working. I believe the menus may have changed a little bit in 25.7, as they don't match exactly the tutorials I have seen online. It is my understanding that by default, OPNsense should be using a combination of Dnsmasq and Unbound DNS. This is something I have never given a second thought to while using pfSense, since local DNS has always just worked for me.

For example, I currently have a host configured with a static DHCP mapping of 192.168.9.10. I can log in to that host using the IP address, however I am unable to log in using the hostname "ryzen9".

In Services -> Unbound DNS -> General, I have "Register ISC DHCP4 leases" and "Register DHCP Static Mappings" checked. It is enabled and the listening port is 53.

If I do an nslookup on hostname "opnsense", I get back the expected result:
zboll@debiani3:~$ nslookup opnsense
Server:      192.168.9.1
Address:   192.168.9.1#53

Name:   opnsense.internal
Address: 192.168.9.1
Name:   opnsense.internal
Address: redacted

However, when I do an nslookup on the host mentioned above with address 192.168.9.10, I get back the following:
zboll@debiani3:~$ nslookup ryzen9
Server:      192.168.9.1
Address:   192.168.9.1#53

** server can't find ryzen9: NXDOMAIN

zboll@debiani3:~$ nslookup ryzen9.internal
Server:      192.168.9.1
Address:   192.168.9.1#53

** server can't find ryzen9.internal: NXDOMAIN

Any idea what I might be doing wrong, or where I can start to further debug this issue? I would rather not have to resort to updating /etc/hosts on all my machines (with static DHCP mappings).

Thanks,
Zack