Messages - StarGeneral

#1
Thank you very much viragomann, that did the trick. All working fine now!
#2
Hello everyone,

I switched from IPFire to OPNsense some months ago and I am happy with the system.
One major reason for the switch was the ability of OPNsense to handle multi-WAN upstreams, which I need for my setup.

Setup-summary:

Internal side:
- 5 interfaces: WAN1, WAN2, LAN, WLAN and DMZ
- several clients in LAN + WLAN, several servers with self-hosted applications and services in DMZ

External side:
- AVM Fritzbox router (connected to WAN1)
- Feste-IP FIP-Box (connected to WAN2 on one side and to the Fritzbox on the other side)
- Wireguard VPN Tunnel

The FIP-Box provides a static public IPv4 by establishing a Wireguard tunnel to the Feste-IP provider, so that I am able to host and access services even when behind a DS-Lite ADSL connection without a fixed public IPv4.

The idea is the following:
1. Traffic from the DMZ interface and the Wireguard interface should be routed through the WAN2 gateway (= static IPv4 via FIP-Box)
2. Traffic from all other sources should be routed directly through the router, so that performance is not affected by the tunnel the FIP-Box is using

To achieve this, I have set up:
1. Second WAN interface + assignment to a dedicated network card. The gateway has been configured accordingly in Interfaces > wan2_FIP > IPv4 gateway rules
2. Floating rule (I am only using floating rules by now): Quick, Interfaces DMZ + Wireguard, Direction = out, Source = Alias "FIP_CLIENTS" (contains the network addresses for DMZ + Wireguard), Gateway = FIP_GW. The rule is at the top of the rule table so that it is hit first
3. Outbound NAT rules: Source Wireguard + DMZ network, Interface address translation

I can confirm that a traceroute to 8.8.8.8 lists the router as the first hop if the source address is the WAN1 address, and the FIP-Box as the first hop if the source address is the WAN2 address - this seems to work technically fine.

Unfortunately, my clients in the DMZ still show the external IP of the Fritzbox router when checked, and not the fixed tunnel IPv4 as expected.
This leads me to the suspicion that the traffic of DMZ/Wireguard is not redirected through the FIP-Box.

Am I missing something?
I tried configuring the rule in various ways, but no luck.

Thank you very much in advance for your time and help!
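A quick way to check where a policy-routing rule actually lands on an OPNsense box is to look at the compiled pf ruleset rather than the GUI: `pfctl -sr` prints every active rule, and the ones that carry a gateway show a `route-to (<interface> <next-hop>)` clause together with the direction (`in`/`out`) and the interface the rule is bound to. In pf, a rule with direction `out` on an interface matches packets leaving through that interface, and a rule with direction `in` matches packets arriving on it, so listing the `route-to` rules with their direction shows which traffic the gateway can apply to. The script below is an added example, not part of this thread or of OPNsense itself; it parses a `pfctl -sr` style listing and prints one line per `route-to` rule. The sample ruleset embedded in it is constructed to resemble real output, and the interface names (`igb1`, `igb2`), addresses and labels are assumptions. Pipe the real output in with `pfctl -sr | route_to_rules` after sourcing the file.

```shell
# Added example (not from the forum thread): summarise which pf rules
# carry a route-to gateway, and on which interface/direction they apply.
# On OPNsense the live ruleset is printed by: pfctl -sr
# The ruleset below is CONSTRUCTED to resemble that output; interface
# names, addresses and labels are assumptions, not taken from the post.
SAMPLE_RULES='pass in quick on igb2 route-to (igb1 192.0.2.1) inet from 10.0.30.0/24 to any flags S/SA keep state label "FIP_CLIENTS via FIP_GW (in)"
pass out quick on igb2 route-to (igb1 192.0.2.1) inet from 10.0.30.0/24 to any flags S/SA keep state label "FIP_CLIENTS via FIP_GW (out)"
pass in quick on igb2 inet from 10.0.30.0/24 to any flags S/SA keep state label "DMZ default allow"
block drop in log all label "Default deny"'

# Read a pfctl -sr style ruleset on stdin and print, for every rule that
# sets route-to:  <direction> <bound interface> <gateway interface> <next hop>
route_to_rules() {
    awk '
        /route-to \(/ {
            dir = $2; iface = "-"; gw_if = "-"; gw_ip = "-"
            for (i = 1; i <= NF; i++) {
                # "on <iface>" names the interface the rule is bound to
                if ($i == "on") iface = $(i + 1)
                # "route-to (<iface> <nexthop>)" names the gateway
                if ($i == "route-to") {
                    gw_if = $(i + 1); sub(/^\(/, "", gw_if)
                    gw_ip = $(i + 2); sub(/\)$/, "", gw_ip)
                }
            }
            print dir, iface, gw_if, gw_ip
        }'
}

# Count the route-to rules bound to one direction ("in" or "out").
# Usage: pfctl -sr | count_route_to_dir in
count_route_to_dir() {
    route_to_rules | awk -v d="$1" '$1 == d' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample ruleset.
printf '%s\n' "$SAMPLE_RULES" | route_to_rules
```

Running it on the sample prints one `in` and one `out` rule, both bound to `igb2` and both pointing at `igb1 192.0.2.1`; on a real system, comparing that listing against `tcpdump -ni <wan2 interface>` while a DMZ host generates traffic shows directly whether the packets leave through the intended interface.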