Topics

1

23.7 Legacy Series / Wireguard interface not coming up on reboot, error in logs

« on: November 13, 2023, 09:00:00 pm »

Good morning,

I just installed OPNsense again after a while on a test system, installed the os-wireguard plugin, configured and connected to the endpoint (Cloudflare warp in this case) just fine, but after a reboot the connection is always down.

Checked the System > Log Files > Audit logs and saw this entry:

Code: [Select]

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'' returned exit code '1', the output was 'Name does not resolve: `engage.cloudflareclient.com:2408' Configuration parsing error'
Checked the mentioned '/usr/local/etc/wireguard/wg1.conf' file and its endpoint looks correct (as per wg.conf notation):

Code: [Select]

####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  172.16.0.2/32
# DNS =
# MTU =
# disableroutes = 1
# gateway = 172.16.0.1

[Interface]
PrivateKey = NopeNopeNope
ListenPort = 56351

[Peer]
# friendly_name = Cloudflare
PublicKey = ShouldBeFineToPasteButMaybeRatherNope
Endpoint = engage.cloudflareclient.com:2408
AllowedIPs = 0.0.0.0/0,::/0
When restarting the wireguard service for this connection it works as expected so I was wondering if the one has anything to do with the other / how to make sure the connection IS up after reboot?

2

23.7 Legacy Series / How to disable Firewall for one particular interface entirely?

« on: October 08, 2023, 11:26:20 pm »

... or why does the 'Default deny / state violation rule' strike if I have a custom rule(s) allowing everything in and out for a particular interface?

Basically my issue is that I want to pass traffic in/out on one particular interface entirely unfiltered. Hence I went ahead and added on 'IN' and one 'OUT' rule allowing everything quasi, see screenshot below.

However, for that interface I still keep seeing firewall log entries blocking traffic based on the 'Default deny / state violation' rule regularly.

Given that this particular interface is physically connected to a second router/firewall, I really, really do not want any filtering happening on the OPNsense box and was wondering HOW I can disable filtering (illegal state or not) completely and for good?


See screenshots at: https://imgur.com/a/PdBGxTG

3

23.7 Legacy Series / All things HTTPS fail on (almost) freshly installed firewall

« on: September 15, 2023, 07:57:19 pm »

Good morning,

I have some odd behavior going on and I have no clue where it's coming from, so maybe someone has an idea. I installed OPNsense yesterday on a system and after some basic interface assignments, updates etc.. it appears to be oddly broken insofar as every https request from the system itself fails stating something like this, i.e. when just trying to retrieve a file from a remote webserver via https:

"[...]
root@jBFirewall:~ # curl https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz
curl: (60) SSL: certificate subject name 'jbfirewall.home.local' does not match target host name 'pkg.opnsense.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[..]"

Mind you, that certificate subject name is my OPNsense's hostname and I assume my OPNsense's web gui / self signed cert.


Something similar happens when I try to check for updates:

'[...]
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.4 at Fri Sep 15 10:42:13 PDT 2023
Fetching changelog information, please wait... SSL certificate subject doesn't match host pkg.opnsense.org
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
pkg: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
pkg: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
pkg: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
[..]"


It appears my local, self-signed web gui interface is calling remote https retrievals to fail.. but.. why? I have no captive portal active, no proxy or anything (as far as I can tell), so why is there a mismatch of certs / how does the local one get tangled up there?


Does anyone have any idea where something / I went wrong?

Thanks!

4

22.1 Legacy Series / Policy based routing (over Wireguard VPN) routes back to OPNsense?

« on: March 19, 2022, 11:57:05 pm »

Good evening,

I have a very odd problem / behavior with OPNsense which I haven't seen before but maybe someone knows where this may come from:

I have a LAN rule (before the default one) to route certain destination networks over a (wireguard) VPN interface. Thing is, when I try to access a destination webserver in said destination network, I get a CA error and when I look at the cert, it's for OPNsense.localdomain.

Sooo why does a policy based firewall rule "redirect" browsers to the OPNsense box? I have no captive portal active and the DNS still resolves the real (destination webserver) IPs.. but how is it possible OPNsense re-routes to itself? What might be causing this?


Thanks for any hints/ideas,
-J

5

22.1 Legacy Series / Multi Wan, IPv6 & policy based routing problems / misunderstanding

« on: March 13, 2022, 01:34:06 am »

Good evening,

I have some problems with setting up two static wan interfaces in combination with policy based routing and maybe someone sees / reads what's wrong and could push me in the right direction.

I have two physical WAN connections coming in, each with one static IPv4 (/30) and one static IPv6 address (/126). In addition to that one static IPv6 address per link, I got a /48 block assigned.. again.. per link and the two are not overlapping. One's WAN1, one's WAN2. WAN1's IPv4 and IPv6 gateways have highest priority and are the default route(s).

To my LAN interface I have assigned a static 192.168.x.x/24 IPv4 address and a static fd6e:XXXX:YYYY:ZZZZ::1/64 IPv6 address.


I do not have any plans for multi wan in the sense of failover or load balancing (at least for now), I simply want to route certain target networks over WAN2. I've therefore added two Firewall > Settings > LAN rules, one for the IPv4 and one for IPv6 target networks I want to route to using WAN2 to utilize the corresponding WAN2 gateways.

Now this seems to work, albeit something is.. wrong. I can e.g. traceroute to the target IPv4 networks and can see the WAN2 IPv4 GW is used, but for IPv6... all trace hops time out. And there are some other effects.. which I assume are related to IPv6 not working.


I can reproduce the issue i.e. when I take all Google ASNs and get their IPv4 and IPv6 ip ranges, put them in an alias group and setup a firewall rule the same way.. to route to these target networks over WAN2.. and everything works, but slow (google.com takes initially long to load, but then appears in an instant.. same with youtube and videos etc.) - which I think (and I obviously might be very wrong here), that whenever IPv6 doesn't work for google services and / or browsers, they fall "back" to IPv4, which seems to work just fine..


So long story short.. my question basically is - what pieces of the puzzle might I be missing here to perform IPv6 policy based routing over a non-default WAN interface?


Thanks,
-J

6

21.7 Legacy Series / Sporadic & endless (re)boot loop - Anyone has an idea what might be going on?

« on: December 04, 2021, 07:12:26 pm »

Good afternoon,

my 21.7(.6 atm) OPNsense system has this re-occurring issue that for some reboots it 'falls' into an endless reboot cycle with panics shortly into the boot sequence.

The system itself is stable while up for weeks and weeks, but once I or an update performs a reboot, it sometimes (not always?) ends up in a neverending boot > crash > reboot > crash etc loop and all that seems to help is to turn the system physically off and back on again.

I have a hard time pinpointing what might be the cause here (and I know, without configs etc it might be difficult for others as well), but can maybe someone interpret the System > Firmware > Reporter logs and sees what might be going on?

dmesg.boot:

Code: [Select]

---<>---
Copyright (c) 2013-2019 The HardenedBSD Project.
Copyright (c) 1992-2019 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 12.1-RELEASE-p21-HBSD #0  1c99b63a2ba(stable/21.7)-dirty: Wed Nov 10 11:17:14 CET 2021
    root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP amd64
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on LLVM 8.0.1)
VT(efifb): resolution 800x600
HardenedBSD: initialize and check features (__HardenedBSD_version 1200059 __FreeBSD_version 1201000).
CPU: Intel(R) Xeon(R) E-2246G CPU @ 3.60GHz (3600.21-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x906ea  Family=0x6  Model=0x9e  Stepping=10
  Features=0xbfebfbff
  Features2=0x7ffafbff
  AMD Features=0x2c100800
  AMD Features2=0x121
  Structured Extended Features=0x29c6fbb
  Structured Extended Features3=0x9c002600
  XSAVE Features=0xf
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics
real memory  = 68719476736 (65536 MB)
avail memory = 66566623232 (63482 MB)
Event timer "LAPIC" quality 600
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 6 CPUs
FreeBSD/SMP: 1 package(s) x 6 core(s) x 2 hardware threads
FreeBSD/SMP Online: 1 package(s) x 6 core(s)
random: unblocking device.
ioapic0  irqs 0-119 on motherboard
Launching APs: 1 2 3 5 4
Timecounter "TSC-low" frequency 1800104924 Hz quality 1000
wlan: mac acl policy registered
random: entropy device external interface
kbd1 at kbdmux0
module_register_init: MOD_LOAD (vesa, 0xffffffff812947f0, 0) error 19
random: registering fast source Intel Secure Key RNG
random: fast provider: "Intel Secure Key RNG"
000.000056 [4344] netmap_init               netmap: loaded module
[ath_hal] loaded
nexus0
efirtc0:  on motherboard
efirtc0: registered as a time-of-day clock, resolution 1.000000s
cryptosoft0:  on motherboard
acpi0:  on motherboard
acpi0: Power Button (fixed)
cpu0:  on acpi0
hpet0:  iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 24000000 Hz quality 950
Event timer "HPET" frequency 24000000 Hz quality 550
Event timer "HPET1" frequency 24000000 Hz quality 440
Event timer "HPET2" frequency 24000000 Hz quality 440
attimer0:  port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
pcib0:  port 0xcf8-0xcff on acpi0
pci0:  on pcib0
pcib1:  irq 16 at device 1.0 on pci0
pci1:  on pcib1
pcib2:  mem 0x81500000-0x8151ffff irq 16 at device 0.0 on pci1
pci2:  on pcib2
pcib3:  irq 16 at device 0.0 on pci2
pci3:  on pcib3
pci3:  at device 0.0 (no driver attached)
pcib4:  irq 17 at device 1.0 on pci2
pci4:  on pcib4
pci4:  at device 0.0 (no driver attached)
pcib5:  irq 18 at device 2.0 on pci2
pci5:  on pcib5
pci5:  at device 0.0 (no driver attached)
pcib6:  irq 16 at device 1.1 on pci0
pci6:  on pcib6
ixl0:  mem 0x4010800000-0x4010ffffff,0x4011008000-0x401100ffff irq 17 at device 0.0 on pci6
ixl0: fw 8.4.66032 api 1.14 nvm 8.40 etid 8000aba4 oem 1.267.0
ixl0: The driver for the device detected a newer version of the NVM image than expected.
ixl0: Please install the most recent version of the network driver.
ixl0: PF-ID[0]: VFs 64, MSI-X 129, VF MSI-X 5, QPs 768, I2C
ixl0: Using 1024 TX descriptors and 1024 RX descriptors
ixl0: Using 6 RX queues 6 TX queues
ixl0: Using MSI-X interrupts with 7 vectors
ixl0: Ethernet address: 3c:fd:fe:9f:62:4c
ixl0: Allocating 8 queues for PF LAN VSI; 6 queues active
ixl0: PCI Express Bus: Speed 8.0GT/s Width x8
ixl0: SR-IOV ready
ixl0: netmap queues/slots: TX 6/1024, RX 6/1024
ixl1:  mem 0x4010000000-0x40107fffff,0x4011000000-0x4011007fff irq 17 at device 0.1 on pci6
ixl1: fw 8.4.66032 api 1.14 nvm 8.40 etid 8000aba4 oem 1.267.0
ixl1: The driver for the device detected a newer version of the NVM image than expected.
ixl1: Please install the most recent version of the network driver.
ixl1: PF-ID[1]: VFs 64, MSI-X 129, VF MSI-X 5, QPs 768, I2C
ixl1: Using 1024 TX descriptors and 1024 RX descriptors
ixl1: Using 6 RX queues 6 TX queues
ixl1: Using MSI-X interrupts with 7 vectors
ixl1: Ethernet address: 3c:fd:fe:9f:62:4d
ixl1: Allocating 8 queues for PF LAN VSI; 6 queues active
ixl1: PCI Express Bus: Speed 8.0GT/s Width x8
ixl1: SR-IOV ready
ixl1: netmap queues/slots: TX 6/1024, RX 6/1024
vgapci0:  port 0x4000-0x403f mem 0x4012000000-0x4012ffffff,0x4000000000-0x400fffffff irq 16 at device 2.0 on pci0
vgapci0: Boot video device
xhci0:  mem 0x4013000000-0x401300ffff irq 16 at device 20.0 on pci0
xhci0: 32 bytes context size, 64-bit DMA
usbus0 on xhci0
usbus0: 5.0Gbps Super Speed USB v3.0
pci0:  at device 20.2 (no driver attached)
sdhci_pci0:  mem 0x4013019000-0x4013019fff irq 19 at device 20.5 on pci0
sdhci_pci0: 1 slot(s) allocated
pci0:  at device 21.0 (no driver attached)
pci0:  at device 21.1 (no driver attached)
pci0:  at device 22.0 (no driver attached)
pci0:  at device 22.1 (no driver attached)
pci0:  at device 22.4 (no driver attached)
ahci0:  port 0x4090-0x4097,0x4080-0x4083,0x4060-0x407f mem 0x81900000-0x81901fff,0x81903000-0x819030ff,0x81902000-0x819027ff irq 16 at device 23.0 on pci0
ahci0: AHCI v1.31 with 8 6Gbps ports, Port Multiplier not supported
ahcich0:  at channel 0 on ahci0
ahcich1:  at channel 1 on ahci0
ahcich2:  at channel 2 on ahci0
ahcich3:  at channel 3 on ahci0
ahcich4:  at channel 4 on ahci0
ahcich5:  at channel 5 on ahci0
ahcich6:  at channel 6 on ahci0
ahcich7:  at channel 7 on ahci0
ahciem0:  at channel 2147483647 on ahci0
device_attach: ahciem0 attach returned 6
pcib7:  irq 16 at device 27.0 on pci0
pci7:  on pcib7
pcib8:  irq 16 at device 27.4 on pci0
pci8:  on pcib8
ix0:  mem 0x4011800000-0x4011bfffff,0x4011c04000-0x4011c07fff irq 16 at device 0.0 on pci8
ix0: Using 2048 TX descriptors and 2048 RX descriptors
ix0: Using 6 RX queues 6 TX queues
ix0: Using MSI-X interrupts with 7 vectors
ix0: allocated for 6 queues
ix0: allocated for 6 rx queues
ix0: Ethernet address: d0:50:99:d9:f0:97
ix0: PCI Express Bus: Speed 8.0GT/s Width x4
ix0: netmap queues/slots: TX 6/2048, RX 6/2048
ix1:  mem 0x4011400000-0x40117fffff,0x4011c00000-0x4011c03fff irq 17 at device 0.1 on pci8
ixl1: Link is up, 10 Gbps Full Duplex, Requested FEC: None, Negotiated FEC: None, Autoneg: False, Flow Control: None
ixl1: link state changed to UP
ix1: Using 2048 TX descriptors and 2048 RX descriptors
ix1: Using 6 RX queues 6 TX queues
ix1: Using MSI-X interrupts with 7 vectors
ix1: allocated for 6 queues
ix1: allocated for 6 rx queues
ix1: Ethernet address: d0:50:99:d9:f0:96
ix1: PCI Express Bus: Speed 8.0GT/s Width x4
ix1: netmap queues/slots: TX 6/2048, RX 6/2048
pcib9:  irq 16 at device 28.0 on pci0
pci9:  on pcib9
pcib10:  irq 16 at device 0.0 on pci9
pci10:  on pcib10
vgapci1:  port 0x3000-0x307f mem 0x80000000-0x80ffffff,0x81000000-0x8101ffff irq 16 at device 0.0 on pci10
pcib11:  irq 16 at device 29.0 on pci0
pci11:  on pcib11
nvme0:  mem 0x81600000-0x81603fff irq 16 at device 0.0 on pci11
ixl0: Link is up, 10 Gbps Full Duplex, Requested FEC: None, Negotiated FEC: None, Autoneg: False, Flow Control: None
ixl0: link state changed to UP
pci0:  at device 30.0 (no driver attached)
isab0:  at device 31.0 on pci0
isa0:  on isab0
pci0:  at device 31.5 (no driver attached)
acpi_button0:  on acpi0
acpi_tz0:  on acpi0
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
acpi_syscontainer0:  on acpi0
orm0:  at iomem 0xc0000-0xc7fff pnpid ORM0000 on isa0
atrtc0:  at port 0x70 irq 8 on isa0
atrtc0: Warning: Couldn't map I/O.
atrtc0: registered as a time-of-day clock, resolution 1.000000s
Event timer "RTC" frequency 32768 Hz quality 0
est0:  on cpu0
Timecounters tick every 1.000 msec
ugen0.1: <0x8086 XHCI root HUB> at usbus0
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
nvd0:  NVMe namespace
nvd0: 244198MB (500118192 512 byte sectors)
Trying to mount root from ufs:/dev/gpt/rootfs [rw]...
WARNING: /mnt was not properly dismounted
WARNING: /mnt: mount pending error: blocks 0 files 1
WARNING: /mnt: reload pending error: blocks 0 files 1
/var/crash/info.0:

Code: [Select]

Dump header from device: /dev/gpt/swapfs
  Architecture: amd64
  Architecture Version: 4
  Dump Length: 74752
  Blocksize: 512
  Compression: none
  Dumptime: Sat Dec  4 11:47:41 2021
  Hostname:
  Magic: FreeBSD Text Dump
  Version String: FreeBSD 12.1-RELEASE-p21-HBSD #0  1c99b63a2ba(stable/21.7)-dirty: Wed Nov 10 11:17:14 CET 2021
    root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP
  Panic String: page fault
  Dump Parity: 3066618741
  Bounds: 0
  Dump Status: good
/var/crash/textdump.tar.0: See https://pastebin.com/407qeQMu

7

Virtual private networks / Wireguard VPN Client / Local Endpoint over specific Interface

« on: November 13, 2021, 09:49:51 pm »

Good afternoon,

for my IPsec VPN(s) connections on my OPNSense I can specify a specific interface that traffic shall go over, for my Wireguard ones I cannot however. Is there any way I can tell OPNSense / Wireguard to not use the default interface/gateway etc, but use a specific one?

Given that the UI seemingly does not expose such an option, I tried using a Firewall Lan rule to use the specific second / WAN2 gateway for the Wireguard servers as destionation(s), but to no success.. the Wireguard traffic is still going over the default WAN1 one.

I may have just misconfigured something, but is this generally possible one way or another, and if so.. how?


Thanks!
-Joerg

8

21.7 Legacy Series / Firewall>Aliases>URL Tables fetching not working reliably / Any known limits?

« on: October 26, 2021, 02:23:41 am »

Good evening,

I am trying to handle and route a bunch of networks differently through my OPNSense firewall and I was glad to see that it supports, in theory, url tables but my problem is that they are not fetched and imho incorrectly are logged as returning a 500 error.

First things first, I tried one URL table(s) alias with one URL and with multiple URLs, it happens either way. By it I mean, URLs that work and whose server answer the requests coming from my opnsense router with the correct content and HTTP 200, OPNSense logs as errorneous like this:

Code: [Select]

2021-10-25T20:06:23 /update_tables.py[33526] error fetching alias url https://workers.mycloudflaredomain.com/?asn=24424&ipv4=yes&details=yes
2021-10-25T20:06:23 /update_tables.py[33526] error fetching alias url https://workers.mycloudflaredomain.com/?asn=24424&ipv4=yes&details=yes [http_code:500]
I am/was watching this particular request come in and the server returning a 200 OK response, however in the OPNSense log it says 500 and it does not import the values.

I am not a 100% certain what's going on here and I am not 'blaming' OPNsense here, I must be missing something.

Has anyone seen something similar before and knows what to do? I can gladly provide the full URL tables list for debug purposes, if needed.

Thanks!
-Joerg

9

General Discussion / 2 Wan interfaces > Use one for Wireguard exclusively?

« on: October 09, 2021, 06:16:59 pm »

Good afternoon,

I have two physical WAN connections and I was wondering IF and HOW I could use one of them to

• Connect to a VPN via Wireguard over one of these WAN interfaces (only over that one and that one should be exclusively used for that Wireguard connection)
• Use that Wireguard VPN / its connection to route one specific local system to the outside world / other end of the VPN

I see that for OpenVPN and Ipsec connections you can apparently select an interface, but I can't find something like that for the os-wireguard plugin / VPN's settings (or I'm just missing it).


Is that possible currently (running 21.7.3_3 + v1.7 of the os-wireguard plugin) and if so, how?

Thanks and best regards!
-J

10

General Discussion / Multi-Wan Problems with (in)correct WAN/Lan IPv6 setup (I suppose)

« on: August 20, 2021, 05:59:29 am »

Good evening,

we have Comcast Gigabit Pro here which comes with a one 1Gbit and one 2Gbit combo and I'd like to use the two in a load balancing setup. Failover wouldn't make sense because at the end of the day it's all just one fiber, so why not just combine them to 2+1.

Both work individually if/when I try them as the sole WAN interface interchangeably. However, as soon as I follow the usual multi-wan tutorials, I notice that many sites (seemingly IPv6 ones) don't work round about the 2:1 weight/ratio I set the multi-wan up.

Basically the ISP provides a set of one static IPv4 and one static IPv6 address for the 1gbit and the 2gbit and these all are in different ip ranges.

I've set the (one) lan interface I have to a /64 (out of the /48 they route) of the 2gibt connection and I assume that, during multi-wan using the 1gbit line, the problem is that the Lan's /64 network (which my local clients get via DHCPv6/RA on that Lan interface)... is just wrong or so. I am not sure if I am missing something, but I simply assume that's the reason why multi-wan doesn't properly work.

Does anyone know how I would/should/could do that? Two entirely different static IPv4 and IPv6 WANs with one LAN and all that in a load-balanced setup?

Any hints / typical mistakes or help would be greatly appreciated!

Thanks,
-Joerg