Floating rule doesn't apply to the OPNSense itself

Started by tkost, October 12, 2024, 05:54:00 AM

Hello everyone. Sorry for my English. I'm a newbie in networks and English :)

I have a problem with OPNSense. I need to route some subnets to a gateway other than the default wan interface. First, I created an alias named "those networks". Then I created a floating rule, stating that any traffic from any interface and any source to a destination named "those_networks" should use another gateway. After that, I tested this rule. All my clients go to the "those_networks" via another gateway, and go to another destination via the default wan interface. However, when I try to traceroute from the OPNSense, the OPNSense itself goes to "those_networks" via the default WAN interface. In other words, the OPNsense doesn't know where to find "those_networks". In this case, I see that the automatic "let out anything from firewall host itself" rule applies.

Why doesn't my floating rule apply to the OPNSense itself?

I tried to write routes to "those_networks" in System->Routes->Configuration, and it works. But I can't use Aliases in the System Routes, and it's very inconvenient to write all networks in system routes and check for changes all the time.

How can I create rules so that the OPNSense itself knows where to find "those_networks", that "those_networks" are behind the gateway other than the default WAN gateway?
Can I create rules that apply before automatically created rules?
Can I create floating rules for the OPNSense itself?
And I want to be able to do this in the OPNSense webUI.

October 12, 2024, 06:43:28 AM #1 Last Edit: October 12, 2024, 07:07:29 AM by tkost
I'm adding some information.
My default route to 0.0.0.0/0 is via the WAN interface.
And I have a second gateway, and "those_networks" are behind the second gateway. I want my OPNSense itself to route "those_networks" via the second gateway.
Clients from "those_networks" access the WAN gateway through my OPNSense, but OPNSense doesn't know where "those_networks"'s clients are, and OPNSense sends packets for "those_networks"'s clients to the wrong interface (the WAN interface), but OPNSense must send packets for "those_networks"'s clients to the second gateway.

OPNsense 24.7.6-amd64

As you've discovered, policy-based routing doesn't apply to traffic originating from the firewall itself - only to traffic being forwarded through the firewall.

Quote from: dseven on October 12, 2024, 02:05:12 PM
policy-based routing doesn't apply to traffic originating from the firewall itself
Hello.
Is there a simple way to route some networks from the firewall itself using host and network aliases? Adding manual routes for specific networks to 'System->Routes' as well as firewall rules is inconvenient, because the list of networks may change, and tracking changes in two places is a point of failure. Changing the list of networks in an alias is simpler; it's one place with a readable name.
Or, maybe, you can suggest another way to me. Thanks.

I don't believe that there is any way to use firewall aliases for route table population.

Routing is about knowing the path(s) to reach a given destination. Firewall policy is about whether or not traffic passing through the firewall should be allowed, and (optionally) which path should be taken (where there may be multiple options), considering the criteria in the rules.

The "enterprise" way to manage this would be to use a routing protocol, such as OSPF, rather than static routes. OPNsense does support OSPF and RIP [1], but it'd probably be more admin overhead than maintaining static routes, unless your scenario is complex enough to warrant it....

[1] https://docs.opnsense.org/manual/dynamic_routing.html
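To make the routing-versus-policy distinction above concrete, here is an added model (example code written for this thread, not OPNsense or pf code) of the behaviour described: a policy rule keyed on an alias is consulted only for forwarded traffic, while traffic originating on the firewall host is resolved by the route table alone, so the alias has to be expanded into static routes for the host itself to follow it. All addresses and the alias contents are constructed for the example.

```python
import ipaddress

# Constructed sample values: default route via WAN, a second gateway on LAN,
# and the contents of an alias like the thread's "those_networks".
WAN_GW = "203.0.113.1"
SECOND_GW = "192.0.2.254"
THOSE_NETWORKS = ["10.20.0.0/16", "10.30.5.0/24"]


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def policy_gateway(policy_rules, dst):
    """Policy-based routing: first rule whose alias contains dst wins."""
    dst = ipaddress.ip_address(dst)
    for alias_nets, gw in policy_rules:
        if any(dst in ipaddress.ip_network(n) for n in alias_nets):
            return gw
    return None


def next_hop(dst, routes, policy_rules, from_firewall):
    """Forwarded traffic: policy rule first, then the route table.
    Firewall-originated traffic: route table only (policy rule is skipped)."""
    if not from_firewall:
        gw = policy_gateway(policy_rules, dst)
        if gw:
            return gw
    return route_lookup(routes, dst)


def routes_from_alias(alias_nets, gw):
    """Expand an alias into the static routes System -> Routes would need."""
    return [(n, gw) for n in alias_nets]


ROUTES = [("0.0.0.0/0", WAN_GW)]            # what the poster has today
POLICY = [(THOSE_NETWORKS, SECOND_GW)]      # the floating rule
ROUTES_WITH_ALIAS = ROUTES + routes_from_alias(THOSE_NETWORKS, SECOND_GW)
```

With `ROUTES` alone, a client's packet to 10.20.1.7 is policy-routed to `SECOND_GW` while the firewall's own traceroute to the same address follows the default route to `WAN_GW`; with `ROUTES_WITH_ALIAS` both take the second gateway.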

Quote from: dseven on October 14, 2024, 12:44:13 PM
I don't believe that there is any way to use firewall aliases for route table population.

As far as I know OPNsense does not support this at the moment, there's no real reason why it should not be possible though.

There's a setting "Disable force gateway" at Firewall: Settings: Advanced. Set the check mark to disable an automatic policy route.

This setting has a very non-descriptive name, uses double negation and is at best not helping the system. I would like to see it and its policy route go away.