multi-wan failover configuration with single wan interface not working

Started by Dario, June 15, 2025, 12:44:10 PM

I've been going nuts for a couple of days, so I hope some gentle soul could now look into it as well ... four eyes are better than two.

I'm currently running

OPNsense 25.1.8_1-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16

in a VM on ProxMox.

I have only one WAN interface (192.168.178.2) that is connected to an L2 switch where two WAN gateways have their own internal interfaces (192.168.178.1, the GWDSL router, and 192.168.178.3, the GWLTE router). The firewall also has multiple LAN interfaces.

In the interface configuration parameters of WAN, section "Static IPv4 configuration", field "IPv4 address", I have 192.168.178.2/24, and in "IPv4 gateway rules" I can choose between Disabled / GWDSL / GWLTE. I set GWDSL.

The FW rules for the WAN interface include, besides the automatically generated rules and in the following order: a "Local Route DNS" rule for all IPv4 queries and the "default allow LAN to any" rule, whose gateway is set to the WANGWGroup created according to the instructions.

To test failover, I disable GWDSL from the GUI and, after the necessary timeout, the routing table is updated.

Unfortunately, traffic is not routed over the failover GWLTE unless I manually change the "IPv4 gateway rules" field of the WAN interface from the current GWDSL to GWLTE, which kind of misses the point of automatic failover.

I haven't found other setups where the two WAN GWs are connected to the same OPNsense interface, so I couldn't compare my setup against anything.

Any idea where the issue might be?

Thanks in advance
Dario
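The post above describes a failover test that updates the routing table but leaves traffic on the old gateway. Two things decide where a packet actually leaves an OPNsense box: the FreeBSD default route, and the pf "route-to" target that OPNsense writes into any rule whose gateway is set to a gateway or gateway group. Because pf applies route-to to packets matching the rule on the interface the rule is bound to, a "LAN to any" rule with the WANGWGroup only redirects LAN-originated traffic when it sits on the LAN interface. The script below is an added example, not code from the thread or from OPNsense: it parses the output of `netstat -rn -f inet` and `pfctl -sr` and reports whether both the default route and the LAN rules point at the gateway you expect after a failover. The sample outputs are constructed, and the interface names vtnet0 (WAN) and vtnet1 (LAN) are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): check which gateway the running
# system really uses after a gateway failover. On the firewall you would run
#   netstat -rn -f inet | default_gateway
#   pfctl -sr | route_to_targets
# The samples below are constructed; vtnet0 = WAN and vtnet1 = LAN are assumed.

# Next hop of the IPv4 default route, from `netstat -rn -f inet` on stdin.
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# For every pf rule carrying route-to, print "<rule interface> <next hop>",
# from `pfctl -sr` on stdin. Targets look like "(vtnet0 192.168.178.3)",
# possibly several of them inside { }.
route_to_targets() {
    awk '/route-to/ {
        iface = "-"
        for (i = 1; i <= NF; i++) if ($i == "on") iface = $(i + 1)
        for (i = 1; i <= NF; i++) if ($i ~ /^\(/) {
            gw = $(i + 1); sub(/\).*$/, "", gw)
            print iface, gw
        }
    }'
}

# Return 0 only if the default route and every route-to rule bound to the LAN
# interface point at the expected gateway; print what disagrees otherwise.
# Usage: failover_check "<netstat output>" "<pfctl output>" <expected gw> <lan if>
failover_check() {
    routes=$1; rules=$2; want=$3; lan=$4; rc=0
    def=$(printf '%s\n' "$routes" | default_gateway)
    if [ "$def" != "$want" ]; then
        echo "default route still via $def, expected $want"; rc=1
    fi
    # A gateway rule bound to WAN never sees LAN-originated packets, so
    # at least one route-to rule must be on the LAN interface.
    lan_rules=$(printf '%s\n' "$rules" | route_to_targets | awk -v i="$lan" '$1 == i')
    if [ -z "$lan_rules" ]; then
        echo "no route-to rule bound to $lan: LAN traffic is not policy-routed"; rc=1
    fi
    printf '%s\n' "$rules" | route_to_targets | awk -v i="$lan" -v w="$want" '
        $1 == i && $2 != w { print "rule on " $1 " still routes to " $2; bad = 1 }
        END { exit bad }' || rc=1
    return $rc
}

# Constructed sample: routing table after GWDSL (192.168.178.1) was disabled.
ROUTES_AFTER='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.3      UGS      vtnet0
192.168.178.0/24   link#1             U        vtnet0
10.0.10.0/24       link#2             U        vtnet1'

# Constructed sample: the LAN rule carries the active member of the group.
RULES_GOOD='pass in quick on vtnet1 route-to (vtnet0 192.168.178.3) inet from 10.0.10.0/24 to any flags S/SA keep state label "WANGWGroup"'

# Constructed sample: the same rule bound to WAN, still aimed at the DSL box.
RULES_BAD='pass in quick on vtnet0 route-to (vtnet0 192.168.178.1) inet from 10.0.10.0/24 to any flags S/SA keep state label "WANGWGroup"'

if [ "$(basename "$0")" = "failover_check.sh" ]; then
    failover_check "$ROUTES_AFTER" "$RULES_GOOD" 192.168.178.3 vtnet1 && echo "ok: LAN rule and default route use 192.168.178.3"
    failover_check "$ROUTES_AFTER" "$RULES_BAD" 192.168.178.3 vtnet1 || echo "not ok"
fi
```

Run it with real output on the firewall by replacing the constructed strings with `netstat -rn -f inet` and `pfctl -sr`; if the default route has moved but the LAN rules still name the old gateway (or there is no route-to rule on the LAN interface at all), the problem is in the filter rules that OPNsense generates from the gateway group, not in the routing table. Existing pf states keep the gateway they were created with, so also check `pfctl -ss` for states that still reference the old next hop.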


I'm far from an expert here but why aren't you using multi-wan and failover as designed by OPNSense using 2 interfaces?

Quote from: t84a on June 16, 2025, 02:13:43 PM
"I'm far from an expert here but why aren't you using multi-wan and failover as designed by OPNSense using 2 interfaces?"

Thank you for your question. The reason is that I have both gateways installed inside a cable box within the wall, both plugged into an L2 switch with only one uplink cable that comes out and goes into one interface of the firewall.

As I cannot plug a second uplink cable into the second interface of the firewall, in the meantime I have ordered another L2 switch to install next to the firewall, where I will plug in both interfaces of the firewall, thus falling back to the standard OPNSense setup.

To be honest, though, I am kind of minimalist, that is why I was trying to make it work with one interface only.

There must be a reason why it doesn't. I just haven't figured out what it is.

If it can be of any help, here is a list of the plug-ins I am also using on my firewall; maybe one of those could be the cause.

os-clamav
os-cpu-microcode-intel
os-etpro-telemetry
os-igmp-proxy
os-maltrail
os-mdns-repeater
os-nextcloud-backup
os-qemu-guest-agent
os-sensei
os-sensei-updater
os-sunyvalley
os-zerotier

Thank you again for looking into it.