[SOLVED] A bit confused about the Upstream Gateway?

[Hektor]

Hello,

I did set up OPNsense as a Hyper-V virtual machine which should act as a firewall replacement to our FRITZ!Box router and some pfSense I did set up for testing. WAN is changing also from ADSL to a fixed IP and some SDSL line. So I can set it up without taking everything offline - just switching the gateway on all clients when I'm done.

The box should primarily do some NAT and firewalling.

Configuration was ok so far but I'm not sure what this Interfaces -> Upstream Gateway setting means and what it is used for?

I can reach the internet from this machine's console so the default gateway is set to the SDSL router already. I can do OPNsense updates as well.

Regards

[franco]

If there is a separate upstream link via the Interface then it may not be advertised due extra routers between the gateway and your interface and/or because the network was set up statically and doesn't automatically set an upstream gateway via e.g. DHCP.

If you are unsure, chances are high that you simply don't need the setting in your network.

[Hektor]

Hi franco,

thx for your reply but I think I need that setting :-)

To be honest I didn't understand your reply but I tried to get NAT for the LAN to WAN working and it didn't work at all until I activated the upstream gateway on the WAN interface. What does this setting do?

My set up is like this:
LAN -> OPNsense -> WAN with Upstream Gateway to the router with a fixed external IP address

WAN is a SDSL line with a router and a small /29 network assigned. So a very basic network.

I never had to add such a gateway in any setups I did since years. Be it on OpenBSD, Linux or Windows or some Astaro/Sophos/SonicWALL etc. So either something fundamentally changed or it was done in the background for me ;-)

The default gateway is set already and it's the same IP like the upstream gateway so I don't get it why this setting is needed?

I also noticed that the pf rules grew from 66 rules to 68 rules and with the upstream link set it shows the "Default LAN to any rule" applied.

Is there some official documentation for this setting?

[franco]

To be honest I didn't understand your reply but I tried to get NAT for the LAN to WAN working and it didn't work at all until I activated the upstream gateway on the WAN interface. What does this setting do?

Okay, let's recap. When you pick "static IPv4" for WAN configuration, you are able to select an upstream gateway. That is because there is no auto-configuration for where "upstream" may be reached. Generally, that "upstream" is a router that connects to a different network segment, but that is physically connected with the WAN interface. Normally, though, that router is inside the same subnet that you configure for your WAN. This also gets picked up as the default gateway, assuming it's a good guess that other segments may be reached from there, maybe even the Internet.

My set up is like this:
LAN -> OPNsense -> WAN with Upstream Gateway to the router with a fixed external IP address

WAN is a SDSL line with a router and a small /29 network assigned. So a very basic network.

Yes, this setup needs the router IP from the /29 in the WAN gateway settings. For ease of configuration that gateway is added to the gateways section to enable assorted tweaking and monitoring options.

I never had to add such a gateway in any setups I did since years. Be it on OpenBSD, Linux or Windows or some Astaro/Sophos/SonicWALL etc. So either something fundamentally changed or it was done in the background for me ;-)

The default gateway is set already and it's the same IP like the upstream gateway so I don't get it why this setting is needed?

Where exactly is that default upstream gateway setting you speak of. Maybe it's just miscommunication between us.

I also noticed that the pf rules grew from 66 rules to 68 rules and with the upstream link set it shows the "Default LAN to any rule" applied.

Is there some official documentation for this setting?

Some docs courtesy of pfSense: https://doc.pfsense.org/index.php/Gateway_Settings