Routing table changes from dual-WAN affecting VPN?

Started by jamesb2147, January 02, 2025, 02:10:48 AM

Hi all,

I'm a bit lost as to why this is. I've got a WG setup from some time ago that was working fine up until I switched to a dual WAN setup (I happen to use a failover config, not that it should matter).

What's weird is that ever since I set up the dual WAN, all my WG client traffic goes straight out to the internet via that backup/secondary link. Like, I'm dialing in on primary WAN, and it's all going out secondary WAN, EVEN THE INTERNAL TRAFFIC. I could see it in a pcap, destination IP address 192.168.2.2... like, wut.

Does anyone have any pointers on what might be causing that? I have some networking background, followed the Deciso guide for dual WAN with failover, and am confident I wouldn't have intentionally set up/misconfigured it in such a way as to route WG over secondary or something.

It's boggling my mind and any pointers or perspectives are appreciated!

January 02, 2025, 02:35:51 AM #1 Last Edit: January 02, 2025, 02:38:12 AM by jamesb2147
Added wrinkle:

I recently tried adding a WG S2S setup and inbound traffic from the remote site works fine. I can see ICMP packets traversing from a client on their site to a server on mine. I can also see the echo response coming into my main site's LAN port... and also going out the secondary WAN, NAT'ed, and destined for 192.168.2.2. It is supremely weird.

I just double checked the instructions about policy based routing (PBR) on multi WAN setups, and I am doing things as I expect I should: https://docs.opnsense.org/manual/how-tos/multiwan.html

At the top of the LAN firewall rules, I have a PBR rule for any traffic destined for Cloudflare to bypass the LB_GW and use secondary because primary has sometimes-problematic misattributed geo-IP info. That def works, and I was always impressed with how simple it was to set up, behaving exactly as I'd expect.

I have a rule near the top for allowing 192.168.0.0/16 to 192.168.0.0/16 (I plan on having a number of remote sites) with a "process immediately" box checked, so it should stop processing on that firewall rule hit. There's no GW set so it should dump to the routing table. But it doesn't route to WG as it should.

Immediately after that is the any/any rule passing all other traffic to the LB_GW setup with failover. Obviously, I've tested that before, so I know it works.

Still scratching my head...
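The rule order described in the post (a Cloudflare policy-route rule, then a 192.168.0.0/16 rule with "process immediately" and no gateway, then an any/any rule pointing at LB_GW) can be reasoned about with the pf evaluation semantics OPNsense rules follow: a matching rule marked quick ends evaluation immediately, otherwise the last matching rule wins, and a rule with no gateway hands the packet to the system routing table (longest prefix match). The following Python model is an added example, not the poster's configuration or any OPNsense code; the rule set, gateway names and routing table are constructed to mirror the thread, and it shows how the same 192.168.2.2 destination ends up on LB_GW instead of the WireGuard route when the internal rule is not marked quick.

```python
import ipaddress

# Constructed rule set, modelled on the LAN rule order described in the thread.
# Fields: (name, source, destination, quick, gateway). gateway=None means
# "no policy route attached, use the system routing table".
RULES = [
    ("cloudflare-pbr", "192.168.0.0/16", "1.1.1.0/24",     True,  "WAN_SECONDARY"),
    ("site-to-site",   "192.168.0.0/16", "192.168.0.0/16", True,  None),
    ("default-lb",     "0.0.0.0/0",      "0.0.0.0/0",      False, "LB_GW"),
]

# Constructed routing table: (prefix, egress). Longest prefix wins.
ROUTING_TABLE = [
    ("192.168.1.0/24", "LAN"),
    ("192.168.2.0/24", "WG_S2S"),
    ("0.0.0.0/0",      "WAN_PRIMARY"),
]


def match_rule(src, dst, rules=RULES):
    """pf semantics: a matching 'quick' rule ends evaluation at once;
    without quick, the LAST matching rule is the one that applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for rule in rules:
        _name, rsrc, rdst, quick, _gw = rule
        if s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst):
            if quick:
                return rule
            winner = rule
    return winner


def lookup_route(dst, table=ROUTING_TABLE):
    """Plain routing-table lookup: longest matching prefix wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, egress_if in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress_if)
    return best[1] if best else None


def egress(src, dst, rules=RULES, table=ROUTING_TABLE):
    """Return (matching rule name, egress) for a packet from src to dst."""
    rule = match_rule(src, dst, rules)
    if rule is None:
        return ("no-match", None)
    name, _, _, _, gw = rule
    # A rule with a gateway policy-routes; without one, the routing table decides.
    return (name, gw if gw is not None else lookup_route(dst, table))


def without_quick(rules):
    """Same rules with 'process immediately' cleared everywhere (last match wins)."""
    return [(n, s, d, False, g) for (n, s, d, _q, g) in rules]


if __name__ == "__main__":
    for dst in ("192.168.2.2", "1.1.1.1", "8.8.8.8"):
        print(dst, egress("192.168.1.10", dst))
    print("internal rule without quick:",
          egress("192.168.1.10", "192.168.2.2", without_quick(RULES)))
```

With the quick flag set on the internal rule, LAN traffic to 192.168.2.2 matches that rule, carries no gateway and follows the routing table to the WireGuard route; with quick cleared, the later any/any rule is the last match and the same packet is policy-routed to LB_GW.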