Traffic forwarded to the default gateway when the configured ones are down

Started by Astaoth, March 31, 2024, 05:18:39 AM


I've encountered a very disturbing OPNSense behaviour and I was wondering if it was an expected one.

On my Opnsense 24.1.3 firewall, I've configured multiple interface gateways. Some of these gateways are grouped together, from the page under System > Gateways > Group. I've one such group destined for my DNS traffic, and it contains 2 gateways but not the default one. I'm not sure that changes anything, but the gateways from this group are from OpenVPN connections. For readability, let's name this group GW-DNS.

On the outbound NAT part, my DNS servers have NAT configurations for the gateways through GW-DNS, and the LAN they are from has a NAT conf through the default gateway. Also, I don't know if it's relevant, I've selected the "Manual outbound NAT rule generation" option.

On the firewall rules, I've one which allows traffic from my DNS servers to the ports 53 and 853 through the GW-DNS. This rule is a quick one, and is named "DNS VPN".
I've no other rule which allows traffic to these dest ports, and neither which allows traffic from these servers (or the whole LAN) to the internet, outside of Debian mirrors.

Usually with my Opnsense firewall, NAT and gateway configuration, my DNS traffic reaches external DNS servers through the GW-DNS and the "DNS VPN" rule.

However, I've discovered that if all of the GW-DNS are down (they have a red colour in System > Gateways > Group), the DNS traffic from my DNS servers will still be forwarded to their destinations with the "DNS VPN" rule, but through the default gateway.

This behaviour feels like a buggy one, but I'm probably missing something. Can anyone help me understand it?

It's a configurable behaviour:
Firewall: Settings: Advanced: Skip rules when gateway is down

OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
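As an added illustration for this thread (written here, not OPNsense or pf code), the small model below shows the two ways a policy-routing rule can fail when every gateway in its group is down: with the setting off, the rule is still loaded but has no live gateway to route to, so the packet passes and follows the system default route (the leak the original post describes); with "Skip rules when gateway is down" on, the rule is not loaded at all, so the same packet hits the implicit default deny. Gateway names, the DNS server subnet and the rule contents are constructed for the example.

```python
"""Simplified model of gateway-group policy routing and the
"Skip rules when gateway is down" option. Illustrative only; the
gateway names, subnet and rule are constructed, not taken from a
real OPNsense configuration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Gateway:
    name: str
    up: bool


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dports: frozenset
    gateway_group: tuple   # gateway names; () means plain system routing


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dport: int


def load_ruleset(rules, gateways, skip_when_down):
    """Return the (rule, live_gateways) pairs that would actually be loaded.

    A rule whose whole gateway group is down is dropped when
    skip_when_down is True; otherwise it is kept with no live gateway,
    which in this model means 'pass, but use the system routing table'.
    """
    loaded = []
    for rule in rules:
        live = tuple(g for g in rule.gateway_group if gateways[g].up)
        if rule.gateway_group and not live and skip_when_down:
            continue                     # rule omitted entirely
        loaded.append((rule, live))
    return loaded


def evaluate(packet, loaded, default_gateway):
    """First-match evaluation; no match falls through to the default deny."""
    for rule, live in loaded:
        if packet.src in rule.src and packet.dport in rule.dports:
            # With a live gateway the packet is policy-routed; without one
            # it simply follows the default route.
            return "pass", (live[0] if live else default_gateway)
    return "block", None


# Constructed scenario mirroring the thread: a default WAN gateway plus a
# two-member VPN gateway group used only by the "DNS VPN" rule.
GATEWAYS = {
    "WAN_GW": Gateway("WAN_GW", up=True),
    "VPN1_GW": Gateway("VPN1_GW", up=False),
    "VPN2_GW": Gateway("VPN2_GW", up=False),
}
DNS_SERVERS = ipaddress.ip_network("10.0.10.0/24")   # constructed subnet
RULES = [
    Rule("DNS VPN", DNS_SERVERS, frozenset({53, 853}), ("VPN1_GW", "VPN2_GW")),
]


def dns_egress(skip_when_down, vpn_up=False):
    """Where does a DNS-over-TLS packet from a DNS server end up?"""
    gateways = dict(GATEWAYS)
    for name in ("VPN1_GW", "VPN2_GW"):
        gateways[name] = replace(gateways[name], up=vpn_up)
    loaded = load_ruleset(RULES, gateways, skip_when_down)
    packet = Packet(ipaddress.ip_address("10.0.10.5"), 853)
    return evaluate(packet, loaded, "WAN_GW")


if __name__ == "__main__":
    print("VPN up, skip off :", dns_egress(False, vpn_up=True))
    print("VPN down, skip off:", dns_egress(False))   # leaks via WAN_GW
    print("VPN down, skip on :", dns_egress(True))    # blocked by default deny
```

The third case is the one the option buys you: when the group has no live member, the rule disappears and nothing else on the page permits that traffic, so it is dropped instead of silently leaving through the default gateway.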

Hi, this option is exactly what I was looking for, thank you for your help!