Messages - artkz

#1
Quote from: Maurice on November 14, 2025, 11:59:40 PM
Workaround: Add an outbound NAT rule to the WAN(!) interface:
- Destination address: The alias you created.
- Translation target: wg0 address

I can confirm that the workaround works. Thank you, @Maurice

I had actually already created the rules but could not get them to work because I made a mistake in the outbound NAT rule -> it was on the wg0 interface and not on WAN. Thank you once again for pointing it out.

So, solution to divert traffic from the firewall itself that works is:

  • Alias that points to the desired IPs (IpRange_Alias)
  • wg0 interface on WireGuard with WG0_Gateway defined
  • Floating rule: Direction=OUT, Source=This Firewall, Destination=IpRange_Alias, Gateway=WG0_Gateway
  • Outbound NAT rule: Interface=WAN, Source=This Firewall, Destination=IpRange_Alias, Translation target=Wg0_Address
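The four GUI items above, rendered as an approximate pf.conf fragment (added here for illustration; this is not the rule set OPNsense generates, and the interface names, gateway address and alias contents are placeholders):

```pf
# Approximate pf rendering of the working setup above (added example, not
# OPNsense-generated output). Assumed names: em0 = WAN, wg0 = WireGuard,
# 203.0.113.1 = WG0_Gateway (placeholder). The alias below holds RFC 5737
# documentation ranges, not Cloudflare's real prefixes.
table <IpRange_Alias> { 198.51.100.0/24, 192.0.2.0/24 }

# Outbound NAT bound to WAN, not wg0. When the state (and its translation)
# is created, the routing table still selects WAN as the egress interface;
# route-to only redirects the packet afterwards, so a NAT rule on wg0 is
# never consulted for this state. That is why the rule must sit on WAN.
nat on em0 from (self) to <IpRange_Alias> -> (wg0)

# Floating OUT rule, source "This Firewall", policy-routed to the WireGuard
# gateway. Without the translation above, packets leave wg0 with the WAN
# address as source and connectivity is lost, as the question describes.
pass out quick route-to (wg0 203.0.113.1) from (self) to <IpRange_Alias> keep state
```

Compare against what the firewall actually loaded with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) rather than trusting the fragment.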

#2
25.7, 25.10 Series / Policy routing for firewall itself
November 14, 2025, 04:37:58 PM
Hi all,

I have a use case to route connections from OPNsense itself via a specific VPN gateway if the destination is a specific ASN (Cloudflare).

For example, if I wanted to make sure that a command executed inside SSH such as

    wget https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/latest/packagesite.pkg

would be routed through wg0.

This is easy enough to accomplish for packets originating on LAN and other interfaces, but packets originating on OPNsense itself seem to go directly to WAN as OUT.

An IN floating rule does not match the traffic and an OUT rule does, but if I set a different gateway on an OUT rule, connectivity to the destination IPs is lost (which makes sense).

A workaround by creating static routes works, but static routes cannot be linked to an alias, which makes creating a route for every Cloudflare IP range impractical without a script, and this feels too much like a hack.

Any suggestions or anything I am missing here? 

The closest match I could find to a similar question is here https://forum.opnsense.org/index.php?topic=41506.0, but it seems to have had no successful resolution.