How can I route to my other provider without leaving the building...

Started by kkoh, March 01, 2019, 05:21:30 PM

Take a look at this simplified network diagram:

So I have a portion of my LAN users use one of the WAN's and another portion use the other. What I am trying to figure out is how I can route traffic that is coming from one side to the other without climbing all the way out of (for example) WAN-A's tree and back into WAN-B.

So as a User the firewall rule that I use sends me out the WAN-A above. For 99.999% of things that's great. But if I try to trace or ping to a public facing address on WAN-B I go all the way out until I hit a common peer and then come back. Shouldn't there be a way within the scope of my opnS box to say that when packets going out of WAN-A are destined for WAN-B/24 that it can stay inside my building somehow?

Sorry my route-fu isn't strong enough for me to figure this out. I'm afraid perhaps it's not possible as it would likely take some sort of nested firewall rule unless something in the System|Routes|Config can supersede the FW rules?

For clarification, I have two gateway groups set up, one prefers WANa and fails over to WANb and the other is vice-versa. On the LAN firewall I have a /26 of my LAN network that uses GW Group 2 and a rule directly after that that uses GW Group 1. The DHCP range falls within that /26 and static IPs are used to control the others.

The LAN firewall also points DNS queries back to the opnsense IP on the LAN. Finally, so that failover would work for either group, I also have "Allow default gateway switching" checked in System|Settings|General.

This is all running on 19.1.1-amd64 with very little else configured save the DHCP, some openVPN, and a couple port forwards with IP-Aliases in NAT.

Unclear why you need WAN{a,b} for internal traffic.

Instead of LAN, you may be better suited with VLANs?

Depending on the traffic, it would be fairly easy to say that users in VLAN1 can access say HTTPS:IP in VLAN2

Alternatively, define an alias for a group of IPs in one VLAN that need to access a service in the other.

End your rules with 'if nothing matches {route to internet | reject}'

Quote from: newsense on March 02, 2019, 04:04:46 AM
Unclear why you need WAN{a,b} for internal traffic.

Instead of LAN, you may be better suited with VLANs?
Depending on the traffic, it would be fairly easy to say that users in VLAN1 can access say HTTPS:IP in VLAN2

Alternatively, define an alias for a group of IPs in one VLAN that need to access a service in the other.

End your rules with 'if nothing matches {route to internet | reject}'
Well I'm not talking about LAN to LAN here. I mean a client behind the firewall that is trying to get to a public IP on one of my WANs that is not serviced by the opnsense box. If they are on the part of the LAN that routes out WAN-A and the public IP is serviced by an IP in the range of WAN-B (I have two class Cs) then the traffic routes all the way up the tree via WAN-A and back down to WAN-B.

It seems like there should be a smart way to avoid that. So maybe the alias group(s) you're talking about would work. Would this perhaps be rules on the LAN FW that precede the gateway group preferred rules that route out of the other gateway if that WAN's IP set is the match?
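A small simulation of the first-match rule walk the last post is asking about, added here as an illustration and not code from this thread or from OPNsense itself: the LAN prefixes, the two public /24s and the gateway names are constructed, and the failover handling is a modelling assumption rather than OPNsense's documented behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# Constructed sample addressing (the thread names no real prefixes).
LAN = ip_network("192.168.1.0/24")
LAN_PREFERS_B = ip_network("192.168.1.64/26")   # the /26 that uses GW Group 2
WAN_A_PUBLIC = ip_network("198.51.100.0/24")    # public /24 reached via WAN-A
WAN_B_PUBLIC = ip_network("203.0.113.0/24")     # public /24 reached via WAN-B
ANY = ip_network("0.0.0.0/0")

# Gateway groups: ordered by preference, the first gateway that is up is used.
GATEWAY_GROUPS = {"GWGroup1": ["WAN_A", "WAN_B"], "GWGroup2": ["WAN_B", "WAN_A"]}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str]  # gateway name, gateway group name, or None (system routing table)


def resolve_gateway(target: Optional[str], up: Set[str]) -> Optional[str]:
    """Map a rule's gateway field to the gateway actually used, honouring group failover."""
    if target is None:
        return "default-route"
    candidates = GATEWAY_GROUPS.get(target, [target])
    return next((gw for gw in candidates if gw in up), None)


def select_gateway(src: str, dst: str, rules: List[Rule], up: Set[str]) -> Optional[str]:
    """Walk the ruleset top-down and stop at the first rule matching src and dst.
    Modelling assumption: a rule whose only gateway is down is skipped so later rules can match."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            gw = resolve_gateway(rule.gateway, up)
            if gw is not None:
                return gw
    return None  # no pass rule matched


# The ruleset described in the thread: the /26 uses GW Group 2, everything else GW Group 1.
GROUP_RULES = [Rule(LAN_PREFERS_B, ANY, "GWGroup2"), Rule(LAN, ANY, "GWGroup1")]

# The idea under discussion: destination-specific rules for each WAN's public /24,
# placed before the gateway-group rules so a LAN client reaches the other WAN's addresses
# through that WAN directly instead of going out WAN-A and back in via the upstream peer.
PINNING_RULES = [Rule(LAN, WAN_A_PUBLIC, "WAN_A"), Rule(LAN, WAN_B_PUBLIC, "WAN_B")]
```

With only GROUP_RULES a client in the GW Group 1 part of the LAN reaches a WAN-B public address via WAN_A; with PINNING_RULES in front it is sent via WAN_B, and ordinary internet traffic still follows the groups.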