Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - kfm

Pages1
#1
General Discussion / Forwarding/Policy Routing: Can you select next hop by interface ip address?
March 21, 2026, 06:26:27 AM
Hi,

I am trying to set up a single OpnSense instance to serve as a default gateway with multiple upstream VPNs, where the upstream VPN that gets used for forwarding client traffic is selected based on which ip address the client used for a gateway.

So, for example, assume my opnsense instance has address 10.0.0.10/24 and ip alias 10.0.0.20/24 on its LAN interface.  If a LAN client used 10.0.0.10 as its gateway, I would like to forward this traffic through VPN A.  But if a client used 10.0.0.20 as the gateway, then I want to forward that traffic through VPN B.

Is this possible?  I know how to do it with multiple interfaces in the opnsense, but I can't figure out how to accomplish this on a single interface/subnet.
#2
Virtual private networks / Re: Gateway priority and status not respected in routing table
February 28, 2026, 01:59:35 AM
I can confirm this issue.  Is there any progress or better workarounds?


ISSUE
--------------------------

In my situation, I define multiple non-upstream gateways with different priorities in Gateways -> Configuration:

GW100 192.168.1.100 upstream=no priority=100 monitor=10.0.0.100
GW101 192.168.1.101 upstream=no priority=101 monitor=10.0.0.101

...and then I add the same route for each gateway in Routes -> Configuration:

10.0.0.0/8 via 192.168.2.100
10.0.0.0/8 via 192.168.2.101

The expectation is that the system routing table will populate with a route for whichever gateway is up with the highest priority (in this case, it would be GW100).  Instead, opensense seems to randomly select which gateway will get the route in the system table, regardless even of whether the gateway is up or down. 

This issue seems to only apply to non-default gateways.  Default gateways seem to handle this correctly.




WORKAROUNDS
--------------------------

1. Like zubrick said, you can manually create more precise routes for the preferred gateway to force opnsense to put both routes in the system table.  However, if the preferred gateway goes down, opnsense doesn't update the routing table is not updated to remove the applicable route(s).  Rather, you have to manually disable the preferred gateway to remove the route, which is not optimal.

2. Can't use gateway groups in NAT rules because the traffic is not being NATted.

3. Can't use gateway groups in Routes -> Configuration, because opensense does not allow groups to be the target of route rules.

4. Can create a gateway group and then create firewall rules for all interfaces that force the gateway for traffic going to 10.0.0.0/8, but this would mean duplicating every firewall accept rule (one for local traffic, one for remote traffic).  I'm not sure if maybe there is a smarter way to do this with non-quick rules or marking?

5. Maybe some kind of monit scripting that can watch the gateway status and add/remove routes as needed?  I couldn't find much documentation on it.

None of these options are great.




PREFERRED RESOLUTION
--------------------------

The two easiest ways to solve this from a user's perspective would be

(1) allow gateway groups as targets for static route configuration or

(2) have an option to treat down gateways as disabled for purposes of system routing table generation.
Pages1