Hey,
I am fairly new to networking and also to OPNsense, and I'm currently tasked with creating a Stack and a DMZ. The goal is that the DMZ can only send specific traffic on desired ports (like 53 for DNS, LDAP, etc.), and there will also be a reverse proxy for controlled internet access.
The design of the DMZ and the Stack is not my current concern.
But first, the network setup:
City A is my internal network (on-site, where I work) with the subnet 10.140.0.0/22.
This connects through a WireGuard tunnel using the 10.53.0.0/24 subnet to a second network in City B, which uses the subnet 10.5.0.0/23.
So basically: City A → City B
traceroute to 10.5.0.10 (10.5.0.10), 64 hops max
1 10.140.2.1 0,702ms 0,570ms 0,587ms
2 10.53.0.1 23,777ms 29,882ms 24,067ms
3 10.5.0.10 23,750ms 23,649ms 23,583ms
City B to City A
traceroute 10.140.2.166
traceroute to 10.140.2.166 (10.140.2.166), 30 hops max, 60 byte packets
1 10.5.0.1 (10.5.0.1) 0.208 ms 0.193 ms 0.187 ms
2 10.53.0.2 (10.53.0.2) 25.226 ms 25.218 ms 25.206 ms
3 10.140.2.166 (10.140.2.166) 25.195 ms 25.182 ms 25.171 ms
The subnet 10.5.0.0/23 in City B runs on a Proxmox server.
The address 10.5.0.1 is assigned to my OPNsense firewall (FW-A), which controls traffic within the Proxmox cluster. This firewall uses a virtual interface bridged to Proxmox's physical interface (eno1). That interface handles both the internal network (10.5.0.0) and WAN connectivity.
On FW-A, I've created a new interface called MStack, with the IP address 10.100.4.254.
I then added a gateway for that interface: 10.100.4.1.
On the other firewall (FW-B), there's a LAN interface with IP 10.100.4.1, and the gateway to reach the 10.5.0.0/23 subnet is set to 10.100.4.254.
FW-B also uses the vmbr0 bridge but is VLAN-tagged with 104 — the same VLAN tag as the MStack interface.
The Problem:
I was told that in this kind of setup, a static route is not needed, because both firewalls are on the same Proxmox cluster. However, I'm running into issues:
- If I add a static route on FW-B, I can't reach it at all — no ping, no traceroute, no SSH.
- If I add a static route on FW-A, the connection also breaks. The only way to restore it is:
  - Remove the static route
  - Add the gateway directly to the MStack interface
  - At that point, I can reach the network — but only via UDP and ICMP.
I'm not sure if this is a bug in the newer version of OPNsense, or if I'm simply misunderstanding routing concepts — especially around how interfaces and gateways interact within a virtualized environment like Proxmox.
OPNSense version FW-A
OPNsense 25.1.12-amd64
FreeBSD 14.2-RELEASE-p4
OPNSense version FW-B
OPNsense 25.7-amd64
FreeBSD 14.3-RELEASE-p1
Any advice on how to properly route this traffic and avoid asymmetric routing issues would be really appreciated. Also, is manually disabling TCP flag checks a bad idea long-term?
Thanks in advance!
Boris
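An added example (not part of Boris's post, and not OPNsense code) that models the mechanism behind the "only UDP and ICMP work" symptom: a pf-style stateful filter creates TCP state only from a SYN (pf's default flags S/SA), so a SYN-ACK that arrives at a firewall which never saw the SYN is dropped, whereas a UDP or ICMP reply can still match a pass rule and create state on its own. The route tables reuse the addresses from the post, but the 10.100.5.0/24 network behind FW-B and the asymmetric return path are constructed assumptions for illustration and do not claim to reproduce the exact topology; `sloppy=True` stands in for relaxed state tracking of the kind you get by disabling the TCP flag check.

```python
"""Toy model of longest-prefix routing plus pf-style stateful filtering.
Added example, not from the forum post; FW-A/FW-B here are simplified
models, not OPNsense. Networks marked 'hypothetical' are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    flags: str = ""     # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class StatefulFirewall:
    """pf-like filter: a TCP state is only created by a SYN unless 'sloppy';
    UDP/ICMP create state from any packet that matches a pass rule
    (this model assumes a matching pass rule exists on every firewall)."""
    name: str
    routes: dict                      # prefix -> next hop, or "connected"
    sloppy: bool = False              # models disabling the TCP flag check
    states: set = field(default_factory=set)

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the route table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, via in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.proto, frozenset({pkt.src, pkt.dst}))
        if key in self.states:
            return True                 # existing state matches both directions
        if pkt.proto == "tcp" and pkt.flags != "S" and not self.sloppy:
            return False                # SYN-ACK/ACK with no state: dropped
        self.states.add(key)            # first packet of the flow creates state
        return True


def send(pkt: Packet, path: list) -> Optional[str]:
    """Push pkt through each firewall on path; return the name of the
    firewall that dropped it, or None if it got through."""
    for fw in path:
        if not fw.allow(pkt):
            return fw.name
    return None


def tcp_handshake(client, server, forward, reverse) -> Optional[str]:
    """Three-way handshake; forward/reverse are the firewall paths each
    direction traverses. Returns the dropping firewall or None on success."""
    steps = [(Packet(client, server, "tcp", "S"), forward),
             (Packet(server, client, "tcp", "SA"), reverse),
             (Packet(client, server, "tcp", "A"), forward)]
    for pkt, path in steps:
        dropped = send(pkt, path)
        if dropped:
            return dropped
    return None


def udp_exchange(client, server, forward, reverse) -> Optional[str]:
    """One UDP request and its reply along the given paths."""
    dropped = send(Packet(client, server, "udp"), forward)
    return dropped or send(Packet(server, client, "udp"), reverse)


def build_firewalls(sloppy: bool = False):
    # Constructed route tables using the post's addresses. 10.100.5.0/24 is a
    # hypothetical network behind FW-B; the post does not name one.
    fw_a = StatefulFirewall("FW-A", {
        "10.5.0.0/23": "connected", "10.100.4.0/24": "connected",
        "10.140.0.0/22": "10.53.0.2", "10.100.5.0/24": "10.100.4.1"}, sloppy)
    fw_b = StatefulFirewall("FW-B", {
        "10.100.4.0/24": "connected", "10.100.5.0/24": "connected",
        "0.0.0.0/0": "10.100.4.254"}, sloppy)
    return fw_a, fw_b


def scenarios() -> dict:
    """Run symmetric vs asymmetric paths and report who drops what."""
    client, server = "10.140.2.166", "10.100.5.10"   # 10.100.5.10 hypothetical
    out = {}
    fw_a, fw_b = build_firewalls()
    out["routes"] = (fw_a.next_hop("10.100.4.1"), fw_a.next_hop(server))
    # Symmetric: both directions cross FW-A and FW-B.
    out["tcp_symmetric"] = tcp_handshake(client, server, [fw_a, fw_b], [fw_b, fw_a])
    # Constructed asymmetric case: the SYN enters FW-B directly, but FW-B's
    # gateway sends the reply back through FW-A, which never saw the SYN.
    fw_a, fw_b = build_firewalls()
    out["tcp_asymmetric"] = tcp_handshake(client, server, [fw_b], [fw_b, fw_a])
    fw_a, fw_b = build_firewalls()
    out["udp_asymmetric"] = udp_exchange(client, server, [fw_b], [fw_b, fw_a])
    fw_a, fw_b = build_firewalls(sloppy=True)
    out["tcp_asymmetric_sloppy"] = tcp_handshake(client, server, [fw_b], [fw_b, fw_a])
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `routes` entry shows the routing side: 10.100.4.1 is directly connected on FW-A's MStack interface, so no static route is needed to reach FW-B's LAN address itself, but any network behind FW-B is only reachable through an explicit route via 10.100.4.1. The three path scenarios show that the first firewall on the return path that never saw the SYN drops the SYN-ACK, that UDP survives the same asymmetry because any packet can open a UDP state, and that relaxing the flag check (`sloppy`) makes TCP work again only by letting that firewall accept a mid-handshake packet with no prior state. That is why it works as a stopgap but weakens state tracking on that interface; the durable fix is ensuring both directions traverse the same firewall, so the state exists where the reply arrives.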