Routing traffic originated from OPNsense

Started by jrhjr, April 17, 2025, 03:55:29 AM

I am switching back to OPNsense after a couple years running pfSense and I have a question about routing traffic originated by OPNsense. First let me touch on my config... I have a single WAN connection with multiple VPN (client) connections. The VPN connections should always ride over the WAN connection (something I'm struggling with right now) - but all other traffic should route over the VPN.

What I am really concerned with is DNS traffic originated from Adguard Home running on my OPNsense device. I want the DNS forwarded lookups to follow the path in my gateway group (which tiers to the VPNs first and the WAN last). So far it seems that this (and all) traffic originating from OPNsense is not subject to policy based routing and only follows the routing table.

In terms of using policy based routing, pfSense actually allowed for setting its own default gateway to the gateway group - OPNsense doesn't seem to support this. OPNsense also doesn't seem to follow policy based routing (setting the gateway in a firewall rule) for its own traffic. Is this correct? Or am I doing something wrong? The only thing I could do to conditionally route the traffic was to create static routes to the specific DNS resolvers/destinations - but I can't have multiple (prioritized) routes (one per VPN client) to those destinations? OPNsense lets me create more than one route to those destinations - but how it selects the path is not clear and only one path shows up in the routing table.

Given that OPNsense doesn't subject its own originated traffic to policy based routing rules the alternative seems to be to leverage routing priorities. The problem I'm having is that when I do this my VPN client traffic then follows this route (and everything becomes unstable) which I do not want. I want my VPN client traffic to always use the WAN. In the legacy VPN client options (and in pfSense) you could specify the interface to use for the connection but you can't with the newer instances method. I tried using a 127 address for binding but that doesn't seem to override the routing table. The only thing I haven't tried is creating static routes to the VPN servers; I'm fairly certain this will work but the destination VPN server IP changes frequently enough for this method to be problematic.

The only other solution I can come up with is to run AdGuard Home somewhere else within my home network. That ought to solve my problem - at the expense of another single point of failure.

So ... My questions ...

Is traffic originating from the OPNsense device subject to policy based routing?

Is there a way to specify the interface a VPN client instance uses for its connection?

Is there a way to add multiple, prioritized static routes for a specific destination IP (in my case the DNS forwarders I will be forwarding to)?

In summary, I have multiple outbound VPN client connections in a gateway group along with the WAN connection (prioritized last). I'd like all non-VPN traffic to flow out the VPN connections unless they're down, then use the WAN. I've got it working well enough but am struggling with traffic originating from the firewall (and specifically Adguard Home).

Quote from: jrhjr on April 17, 2025, 03:55:29 AM
    OPNsense also doesn't seem to follow policy based routing (setting the gateway in a firewall rule) for its own traffic. Is this correct?
I don't think so.

However, you have to consider the traffic flow and rule processing order.

To catch traffic initiated by OPNsense itself, you can only use a floating rule with direction 'out'.
It might seem weird to add a rule on the WAN for outbound traffic to policy-route it out on a different interface, but as far as I know, it should work this way.
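As an added illustration (not code from this thread and not OPNsense's own generated ruleset), here are the floating 'out' rules described in the reply written in plain pf syntax, so the ordering and the route-to on the WAN side can be read directly. The interface names (em0 for WAN, ovpnc1 for the VPN client tunnel), the addresses and the VPN endpoint port are assumptions; on OPNsense the GUI generates the equivalent rules from a floating rule with direction 'out' and a gateway set.

```pf
# Illustrative pf ruleset, not the thread's or OPNsense's own config.
# Assumed names: em0 = WAN, ovpnc1 = VPN client tunnel, 10.8.0.1 = VPN gateway,
# 1.1.1.1 / 9.9.9.9 = DNS forwarders AdGuard Home sends to, udp/1194 = VPN endpoint port.
wan_if  = "em0"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"
dns_fwd = "{ 1.1.1.1, 9.9.9.9 }"

# 1. The tunnel itself must always leave via the WAN ("VPN rides over WAN").
#    Match it first with 'quick' so no later route-to rule can pull the
#    tunnel packets into a tunnel and destabilise the VPN.
pass out quick on $wan_if inet proto udp from (self) to any port 1194 keep state

# 2. Traffic originated by the firewall is only seen by an 'out' rule, and by
#    the time pf sees it the kernel has already picked the WAN from the
#    routing table. So the rule sits on the WAN and route-to moves the
#    packet into the tunnel instead. Source address still needs outbound
#    NAT on the tunnel interface; that is configured separately.
pass out quick on $wan_if inet proto { udp, tcp } from (self) to $dns_fwd port { 53, 853 } \
    route-to ($vpn_if $vpn_gw) keep state

# 3. Everything else from the firewall follows the routing table (default
#    route on the WAN), which is the behaviour the original post observed.
pass out on $wan_if inet from (self) to any keep state
```

Which gateway ends up in the route-to target when a gateway group with tiers is used is decided by OPNsense's gateway monitoring when it regenerates the ruleset, not by pf itself.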