Messages - Hexodark

#1
Hi,
I've been struggling with a persistent policy routing issue on OPNsense 26.1 using WireGuard and I'm hoping someone has found a reliable solution.
Setup:
OPNsense 26.1 on a mini PC
WireGuard ProtonVPN France (wg0) with gateway GW_fr
Two LAN firewall rules routing specific aliases (domains + IPs) through GW_fr
NAT outbound configured for wg0
Gateway monitoring enabled with 8.8.8.8 as monitor IP
Gateway shows Online consistently
Problem:
Traffic randomly stops going through WireGuard and falls back to WAN, without any changes made. The WireGuard tunnel stays connected (wg show shows recent handshake), the gateway stays Online, but the traffic exits through WAN instead of wg0.
Running configctl filter reload && configctl filter sync fixes it temporarily, but it comes back after some time.
Important detail:
This happens without any IP changes or configuration changes. The tunnel is up, the gateway is online, but the routing just stops working randomly. This suggests it's purely a state table issue — existing states are somehow using the wrong gateway.
What I've tried:
Enabled "Kill states when down" on gateway
Added cron script every 5 minutes to detect and reload rules
Cleared state table manually (fixes it temporarily)
Questions:
Is there a way to force OPNsense to always re-evaluate the gateway for new connections even when a state exists?
Is there a known fix for this in 26.1?
Would OpenVPN be more stable than WireGuard for policy routing?
Any help appreciated. Thanks!
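The check the post's cron script is doing can be made explicit: separate "the tunnel is stale" from "the tunnel is fine but policy routing is not being applied", and only reload and flush states in the second case. The script below is an added example, not code from the post or from OPNsense. It assumes the WAN public IP is known (WAN_IP), that the observed exit IP comes from a probe run by a LAN client that is actually covered by the two policy-routing rules (PROBE_CMD; a curl from the firewall itself would not traverse the LAN rules), and that a handshake older than 180 s means the tunnel is stale. The parsing of `wg show wg0 latest-handshakes` (one line per peer, public key then epoch seconds) and `pfctl -F states` are standard; `configctl filter reload && configctl filter sync` is the remedy the post reports. The decision logic runs offline; the live part only runs when VPNCHECK_LIVE=1.

```shell
#!/bin/sh
# Added example (not from the original post): classify the symptom
# "WireGuard up, gateway Online, traffic leaving via WAN" and act only then.

WG_IF="wg0"
MAX_HANDSHAKE_AGE=180
WAN_IP="${WAN_IP:-203.0.113.10}"                  # assumed placeholder
PROBE_CMD="${PROBE_CMD:-ssh lanclient curl -s https://api.ipify.org}"  # assumed

# handshake_age NOW LINE: NOW is epoch seconds, LINE is one line of
# `wg show wg0 latest-handshakes` ("<peer-pubkey> <epoch>").
# Prints the age in seconds; -1 when no handshake has ever completed.
handshake_age() {
    now="$1"
    ts=$(printf '%s\n' "$2" | awk '{print $2}')
    if [ -z "$ts" ] || [ "$ts" -eq 0 ]; then
        echo "-1"
    else
        echo $((now - ts))
    fi
}

# tunnel_fresh AGE: true when the last handshake is recent enough.
tunnel_fresh() {
    [ "$1" -ge 0 ] && [ "$1" -le "$MAX_HANDSHAKE_AGE" ]
}

# classify WAN_IP OBSERVED_IP AGE prints one of:
#   tunnel-down  handshake stale: the gateway is the problem, not pf
#   leak         tunnel fresh but the client exits via WAN: routing lost
#   ok           tunnel fresh and the client exits via the tunnel
classify() {
    wan="$1"; observed="$2"; age="$3"
    if ! tunnel_fresh "$age"; then
        echo "tunnel-down"
    elif [ "$observed" = "$wan" ]; then
        echo "leak"
    else
        echo "ok"
    fi
}

# Remedy from the post, plus a state flush so existing connections are
# re-evaluated against the policy-routing rules instead of the WAN route.
remediate() {
    configctl filter reload && configctl filter sync
    pfctl -F states
}

main() {
    now=$(date +%s)
    line=$(wg show "$WG_IF" latest-handshakes | head -n 1)
    age=$(handshake_age "$now" "$line")
    observed=$(sh -c "$PROBE_CMD")
    case "$(classify "$WAN_IP" "$observed" "$age")" in
        leak)        logger -t vpncheck "policy routing lost, reloading"; remediate ;;
        tunnel-down) logger -t vpncheck "wg handshake stale (${age}s), not reloading" ;;
        ok)          ;;
    esac
}

# Only touch a live firewall when explicitly asked (cron: VPNCHECK_LIVE=1).
if [ "${VPNCHECK_LIVE:-0}" = "1" ]; then
    main
fi
```

Logging the two cases separately is the point: if the log only ever shows "leak" while handshakes stay fresh, the tunnel and gateway monitor are not at fault and the existing states (or the rule set) are; if "tunnel-down" appears first, the reload was masking a gateway problem.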