Bug? MultiWAN sending packets on wrong interface

Started by knebb, December 05, 2023, 04:11:17 PM

Hi,

I have a Multi-WAN setup and configured it according to the documentation.

Now I tried to access my OPNSense Web-GUI on the configured port from Internet (WAN), but it failed on one of the interfaces.

After checking every related item, a packet capture revealed the reason why it fails:

OPNSense answers the request on the WAN1 interface with the (correct) source IP of the WAN1 interface but sends the packet out on WAN2 which is a different ISP and thus a different IP network. The ISP then obviously drops the packet with the wrong source IP.

Here's the result of the packet capture. ROTDSLDIREKT with $DSLIP is WAN2 and ROT with $GFIP is WAN1.

Schnittstelle Zeitstempel SRC DST output
ROTDSLDIREKT pppoe0 2023-12-04 10:50:35.769841 length 48: $GFIP.8443 > $INETPC.37505: tcp 0
ROTDSLDIREKT pppoe0 2023-12-04 10:50:35.942055 length 48: $GFIP.8443 > $INETPC.37507: tcp 0
ROTDSLDIREKT pppoe0 2023-12-04 10:50:37.984069 length 48: $GFIP.8443 > $INETPC.37505: tcp 0
ROT igc1 2023-12-04 10:50:34.751383 84:b8:02:e2:1d:40 dc:58:bc:e0:5c:60 IPv4, length 60: $INETPC.37505 > $GFIP.8443: tcp 0
ROT igc1 2023-12-04 10:50:34.879659 84:b8:02:e2:1d:40 dc:58:bc:e0:5c:60 IPv4, length 60: $INETPC.37507 > $GFIP.8443: tcp 0
 

Any ideas how to fix?
Or is this a bug?
BTW: I already asked in the German forum but I guess it is a very special topic so I did not get any reply.

/KNEBB
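The check that the capture above supports, written out as an added example that is not part of the original post: it reads lines in the layout shown and reports flows whose replies left on a different interface than the one the request arrived on. The addresses are constructed documentation-range stand-ins for the redacted $GFIP and $INETPC, the last two sample lines are a constructed symmetric flow for contrast, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the capture above. 192.0.2.10 stands in
# for $GFIP (WAN1 address) and 203.0.113.7 for $INETPC; both are assumptions.
CAPTURE = """\
ROTDSLDIREKT pppoe0 2023-12-04 10:50:35.769841 length 48: 192.0.2.10.8443 > 203.0.113.7.37505: tcp 0
ROTDSLDIREKT pppoe0 2023-12-04 10:50:35.942055 length 48: 192.0.2.10.8443 > 203.0.113.7.37507: tcp 0
ROT igc1 2023-12-04 10:50:34.751383 84:b8:02:e2:1d:40 dc:58:bc:e0:5c:60 IPv4, length 60: 203.0.113.7.37505 > 192.0.2.10.8443: tcp 0
ROT igc1 2023-12-04 10:50:34.879659 84:b8:02:e2:1d:40 dc:58:bc:e0:5c:60 IPv4, length 60: 203.0.113.7.37507 > 192.0.2.10.8443: tcp 0
ROT igc1 2023-12-04 10:50:36.100000 84:b8:02:e2:1d:40 dc:58:bc:e0:5c:60 IPv4, length 60: 203.0.113.7.40000 > 192.0.2.10.8443: tcp 0
ROT igc1 2023-12-04 10:50:36.100200 dc:58:bc:e0:5c:60 84:b8:02:e2:1d:40 IPv4, length 60: 192.0.2.10.8443 > 203.0.113.7.40000: tcp 0
"""

# name, device, "date time", optional MAC/ethertype columns, then "src > dst:"
LINE = re.compile(r"^(\S+) (\S+) (\S+ \S+) .*length \d+: (\S+) > (\S+): ")


def parse(text):
    """Yield (timestamp, interface_name, src, dst) for each capture line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, _device, ts, src, dst = m.groups()
            yield ts, name, src, dst


def asymmetric_flows(text):
    """Return (initiator, responder, ingress_if, egress_if) for misrouted replies.

    Assumes the earliest packet of a flow in the capture is the request; a
    capture that starts mid-connection would need the WAN addresses instead.
    """
    first_seen = {}  # flow (unordered endpoint pair) -> (initiator, ingress interface)
    findings = set()
    for _ts, name, src, dst in sorted(parse(text)):  # the GUI groups by interface, so order by time
        initiator, ingress = first_seen.setdefault(frozenset((src, dst)), (src, name))
        if src != initiator and name != ingress:
            findings.add((initiator, src, ingress, name))
    return sorted(findings)


if __name__ == "__main__":
    for initiator, responder, ingress, egress in asymmetric_flows(CAPTURE):
        print(f"{initiator} -> {responder}: request on {ingress}, reply on {egress}")
```

An empty result on a fresh capture means replies are leaving on the interface the requests arrived on.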

Firewall -> Settings -> Advanced:

Quote: Disable reply-to on WAN rules

With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. When using bridging, you must disable this behavior if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.

Did that get enabled?

Hi,

I checked this and it was on the default setting (unticked).

I just re-checked what was going on on my system and it turned out, meanwhile (definitely no manual change!) the packets go out on the correct interface and I can connect through both Multi-WAN IPs.

Do not ask me what was wrong when I did the capture....

/KNEBB

December 07, 2023, 12:20:34 PM #3 Last Edit: December 07, 2023, 01:28:53 PM by meyergru
Wrong thread, sorry...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+