Topics

1

General Discussion / Floating rule doesn't apply to the OPNSense itself

« on: October 12, 2024, 05:54:00 am »

Hello everyone. Sorry for my English. I'm a newbie in networks and English

I have a problem with OPNSense. I need to route some subnets to a gateway other than the default wan interface. First, I created an alias named "those networks". Then I created a floating rule, stating that any traffic from any interface and any source to a destination named "those_networks" should use another gateway. After that, I tested this rule. All my clients go to the "those_networks" via another gateway, and go to another destination via the default wan interface. However, when I try to traceroute from the OPNSense, the OPNSense itself goes to "those_networks" via the default WAN interface. In other words, the OPNsense doesn't know where  to find "those_networks". In this case, I see that the automatically "let out anything from firewall host itself" rule applies.

Why doesn't my floating rule apply to the OPNSense itself?

I tried to write routes to "those_networks" in System->Routes->Configuration, and it works. But I can't use Aliases in the System Routes, and it's very inconvenient to write all networks in system routes and check for changes all the time.

How can I create rules so that the OPNSense itself knows where to find "those_networks", that "those_networks" are behind the gateway other than the default WAN gateway?
Can I create rules that apply before automatically created rules?
Can I create floating rules for the OPNSense itself?
And I want to be able to do this in the OPNSense webUI.

2

Zenarmor (Sensei) / Remote and local Hosts swap places with Wireguard

« on: May 06, 2024, 03:02:09 pm »

Hello.
I don't understand one thing.
I have LAN Interface (0/24), VLAN Interface (0/24), WAN Interface, and Wireguard Interface (0/24). I set to protect for LAN and Wireguard as LAN-zone and VPN-zone. I undestand that VLAN is included in LAN-zone. My Wireguards clients and LAN-clients use WAN interface as default route to Internet. I see in the Reports, in the TOP local hosts section, all LAN and Wireguard client ip-adresses, and in the Top of Remote Host section I see all internet adresses. And it is OK.
But when VLAN-clients use Wireguard tunnel as default route to Internet (by rule), in the Reports Local Hosts and Remote Hosts swap places. I see all Internet addresses in the Top Local Hosts section, and I see only a Wireguard Interface in Top Remote Hosts. I want to see these VLAN clients as local hosts and internet adresses as remote hosts. What did I do wrong?
When I set to protect only LAN, i don't see traffic with Wireguards clients in the reports. But I see the VLAN clients normally. in the Top local Hosts.