Messages - Cipher

#31
24.1, 24.4 Legacy Series / Re: Multi Wan
March 17, 2024, 06:59:38 PM
Quote from: tiermutter on March 17, 2024, 05:49:05 PM
Looks everything fine so far... Now let's try setting up multi WAN without policy based routing...
Activate the force gateway option and set WAN2 gateway to upstream. This should cause routing table to be used. If WAN1 is down, OPNsense will set WAN2 as default gateway, not using any gateway group. GW priority is already set correct for this.
Does this work?

I lost you in this part.
The WAN gateway is the upstream right now.
Do you mean configure the WAN2 gateway as an upstream gateway too? Or remove the WAN gateway as upstream gateway and replace it with WAN2?
#32
24.1, 24.4 Legacy Series / Re: Multi Wan
March 17, 2024, 04:47:14 PM
Quote from: tiermutter on March 17, 2024, 02:34:09 PM
I mean firewall/settings (adv. settings?). There is a section about multi WAN.

I never knew it had been there all the time,
I've been working with OPNsense for the last 10 years.

See attached.
#33
24.1, 24.4 Legacy Series / Re: Multi Wan
March 17, 2024, 02:21:56 PM
Quote from: tiermutter on March 16, 2024, 11:58:27 PM
Quote from: tiermutter on March 16, 2024, 12:58:57 PM
... and a screenshot of firewall settings multi WAN section...

This one is missing, but looks good so far.

Are you referring to the LAN rule?
If yes, this one has the failover gateway group I created as its gateway.
Do you mean something else?
#34
24.1, 24.4 Legacy Series / Re: Multi Wan
March 16, 2024, 10:32:35 PM
Thank you for your support so far.
Please see the screenshot below.
#35
24.1, 24.4 Legacy Series / Re: Multi Wan
March 16, 2024, 12:18:19 PM
Quote from: tiermutter on March 16, 2024, 12:01:38 PM
For what I can see there is no gateway given for default allow LAN to any rule.
Screenshot of gateway config is missing...

Sorry, I see I've uploaded the wrong screenshot. The right screen has the gateway on group "WANGROUP" on the gateway instead of the default.
#36
24.1, 24.4 Legacy Series / Re: Multi Wan
March 16, 2024, 11:36:41 AM
Thank you for your response.

I followed the steps outlined in https://www.thomas-krenn.com/de/wiki/OPNsense_Multi_WAN. However, the guide did not cover gateway switching, which I attempted by enabling and disabling it, but it did not resolve the issue.

In the gateway log, when I removed the cable, I encountered the following error repeatedly for about 10 minutes, but the switch did not occur:



2024-03-16T11:21:20    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:19    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:18    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:17    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:16    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:15    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:14    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:13    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:12    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:11    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:10    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:09    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:08    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:07    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:06    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:05    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:04    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64

Attached is a screenshot showing that my outbound rules are correctly configured.
Thank you for the update.

I configured the WAN2 gateway as the default gateway, and the internet is functioning properly. Ping and browsing are successful. Similarly, when setting WAN1 gateway as the default gateway, it also works fine.

Please find attached a screenshot showing the LAN rules configuration.
#37
24.1, 24.4 Legacy Series / Multi Wan
March 15, 2024, 11:47:04 PM
Hi everyone,

I'm currently working on configuring multi-WAN on our OPNsense firewall. Despite following various tutorials, I'm encountering issues with the setup. Here's what I've done so far:

1. Created two gateways for the two upstream links from both ISPs. Both gateways are marked as "up."
2. Configured a gateway group with the option "member down" so that if the first gateway goes down, traffic should switch to the second one.
3. Added the gateway group to the LAN any any rule in the firewall settings.
4. Implemented a DNS rule at the top of the LAN firewall rules to forward DNS traffic to the firewall.
5. Specified both gateways in the system settings.

However, when I disabled the WAN1 interface to test the setup, nothing seemed to work. My question is: Are my configurations correct, or did I miss something? Is disabling WAN1 the wrong way to test this setup?

Your guidance on troubleshooting or any suggestions for improvement would be greatly appreciated.
#38
Yes, OPNsense is our DHCP server.
I noticed the AP received a DHCP IP from the rogue DHCP now.
#39
Quote from: Patrick M. Hausen on February 09, 2024, 12:40:46 PM
Yes? What exactly is your problem?

Firewall > Aliases - create alias of type network with that network in it
Firewall > Rules > <interface> - create block rule

Thank you for your reply. Someone has attached a DHCP server to the existing network. It's for an organization (charitably) I assist, and I want this DHCP to be blocked and not be distributed.
#40
Hi Guys,

Somehow I noticed this subnet in our network:
192.168.178.0/24.
Is there a way to block it using an alias?
#41
I'm currently facing a routing issue that I'm hoping to get some guidance on.

Here's a brief overview of our setup:

We have two separate subnets from our ISP, both /29.
We are utilizing a layer 3 switch from our ISP with VLAN tagging to connect to the OPNsense firewall.
The switch port connecting to the OPNsense firewall is tagged with VLAN 130, and VLAN 130 is utilizing both /29 subnets for the uplink to the firewall.

What I'm attempting to achieve:

I want to separate the subnets so that the uplink will have two VLANs, specifically VLAN 130 and VLAN 131.
However, when I configure this setup, it seems to only route one subnet and not both.

The Cisco team has mentioned that OPNsense needs to be configured to route these subnets internally.

I would greatly appreciate any insights, advice, or guidance on how to properly configure OPNsense to internally route these subnets. If there are specific settings or configurations I should be looking at, please point me in the right direction.

Thank you in advance for your support!
#42
I got this sorted out; we had a duplication in the rules.

Thank you, everyone.
#43
This is the only NAT rule I have configured on the NAT.
The same rule is created automatically on the WAN side.


So, I've got this setup with a single physical WAN cable. Our primary WAN IP is 1.2.3.1, and we're using 1.2.3.2 for an RDS gateway. I've set up an NAT rule to allow 443 to the gateway server, all good so far.

Now, here's the thing. IPs from 1.2.3.3 to 1.2.3.9 don't have specific NAT rules, but they are somehow accessible to the gateway. When I go to, say, https://1.2.3.3, it takes me to the Windows IIS on the gateway.

I've double-checked, and there's no explicit rule for these IPs. Any ideas on why this might be happening? I want them isolated unless I set up something specific for them.

Appreciate the help!
#44
Hello,

Thank you for your response. I appreciate your request for more details. In my current configuration, I have a single NAT rule set up to direct external traffic to the internal server on port 443, specifically for the IP 1.2.3.4.

Just to clarify, my WAN address is 1.2.3.3. If you need more specific information or have additional questions about the NAT rules, feel free to ask.

I cannot make a screenshot right now, that's why.
#45
Hi everyone,

I hope you're doing well. I'm currently working on a networking project and could use some advice. Here's a brief overview of my setup:

I'm using two subnets on the WAN, each with a /29 configuration, providing me with a total of 8 IP addresses. These IPs are utilized as virtual IPs on the WAN side. My primary concern arises when configuring NAT for these IPs.

I've successfully configured NAT for one IP on port 443, directing traffic to the internal domain. However, I'm facing an issue with the remaining IPs. Even though I haven't set up NAT for these IPs, they seem to be accessible.

Any insights into why this might be happening and how I can ensure that only the intended IP with NAT is reachable? Your expertise would be greatly appreciated.

Thank you!