MultiWan and VLAN Firewall Rules

Started by wiesel2482, November 08, 2020, 12:01:03 PM

Previous topic - Next topic
Print
Go Down Pages1 2 3
User actions
November 08, 2020, 12:01:03 PM Last Edit: November 08, 2020, 12:31:38 PM by wiesel2482
Hi,
I've got Version 20.7.4 and have a problem with configuring the Firewall Rules for my WAN Gateway Group. On Friday I''ve bought a 5G/LTE Router (ZTE MC801A) with a provider contract to use it as a Load Balancing opportunity for my normal Internet home connection (WISP). Cause we have two teenagers who use the Internet connection externsivley with Home Schooling and a Dad who need it for Home Office  ;D
Ok enough of explaining!
I have a setup with VLAN's and two ISP's. I've tried to bring my normal Clearnet VLAN to work with my Gateway Load Balancing Group, but everytime I switch my Firewall Rule for Outgoing Wan traffic to use the GW Group everything stop working like the MGMT Webui of OpnSense (can't reach anymore) and the Internet connection. Don't have any glue what I'am doing wrong. Tried tons of tutorials and how to's from OpnSense Official down to reddit and something else....
If I deactivate the Clearnet to any rule (you can see it in the Firewall Rule Screenshot) then everything stop working. With this any rule the GW Group is also not working cause this rule will allow the whole traffic out without any policy routing from what I understand and this is what I don't want....Yes I'am a noob  ::)
Maybe somebody can help a stressed dad to get the family peace back to normal.... :'(
I add screenshots of my Firewall Rules and other configs.
Thank you
Regards
Wiesel
November 08, 2020, 12:41:00 PM #1
Maybe I have the same problem -> https://forum.opnsense.org/index.php?topic=17116.0
Don't know but I have sticky connection activated...should I deactivate it ? But then it would not work for some Websites and Services or I'am wrong?
November 08, 2020, 01:33:43 PM #2
I've now deactivated the sticky connection check and now internet works without the clearnet to any rule... But opnsense mgmt webui doesn't work at all.... What is wrong?
November 10, 2020, 09:59:51 AM #3
Ok some Update: I reinstalled OpnSense and made all configurations fresh. Made everything in Firewall Rules for my VLAN as mentioned in the opnsense docs. Made a default VLAN to any rule with the Load Balance GW Group. Also made the DNS rule. Also made a VLAN to all Local Subnets with default GW above the rule with the Load Balance GW Group. The Problem with losing connection to the Opnsense Webui  and after some time also the internet connection is gone persists.....

I really appreciate some help. Don't have any glue what's going on.

Regards
November 10, 2020, 03:44:26 PM #4
For more information I send you some screenshots. Maybe somebody see any problem
PART 1
November 10, 2020, 03:45:43 PM #5
For more information I send you some screenshots. Maybe somebody see any problem
PART 2
November 10, 2020, 09:07:12 PM #6
Ok, first of all, please provide a graphical network plan with IP addresses and VLAN definitions.

It's very hard to understand why a rule that should do something towards WAN will lock you out completely from the WebGui of OPNsense. Never happened to me.
,,The S in IoT stands for Security!" :)
November 11, 2020, 05:14:49 PM #7
Thank you! I've already found out what the issue was! If you use sticky connections and shared forwarding then you experience that the internet connection drops if you activate the policy based routing rule in the firewall with the load balancer group. Found an old Github bug report about this and tried it... Et vous la it works if you deactivate shared forwarding and leave sticky connection enabled. So maybe this is a bug from past that never been corrected... I don't know!? The problem is now that I don't know if traffic shaping is working without this shared forwarding setting. Anyone knows?
Regards
November 17, 2020, 06:36:50 PM #8
Does the  internet drop because nothgin works or do you just see dropped packets but internet in general is working?
November 17, 2020, 08:23:22 PM #9 Last Edit: November 17, 2020, 08:25:17 PM by wiesel2482
If I activate both options in Multiwan Settings in Advanced Firewall Settings than Internet gone for my clients in the VLAN. If I look into the Firewall Live he drops every package that goes to both Wan connections alternatley with the default deny rule. Sometimes the connection works and my clients show some websites as long as the connection doesn't switch from one wan to the other wan -> Screenshot

When I deactivate Sticky Connection it starts working normal and Opnsense using both Wan connections. Also if I deactivate Shared Forwarding and leave sticky connection activated.
November 17, 2020, 08:32:38 PM #10
OK, I reread my old thread collection in #38, it seems this is really a limitation. Was long ago and not in my mind. I'll have a talk to Franco, but no promise, shared forwarding is kind of a hack
November 17, 2020, 08:39:52 PM #11
ok thank you very much. Maybe there is a possibility..... ::) The problem is that I want to use Traffic Shaping with both Wan connections. And this only possible with Shared Forwarding from what I understand.
November 17, 2020, 09:44:15 PM #12
And there are many sites mit working when using SF with  sticky disabled?

Last time I had a customer with loadsharing 2 x 1gbit svdsl and with Speedtest we reached 1,9 gbit
November 18, 2020, 09:01:43 AM #13
Yes if disable "Sticky Connections" and leave SF enabled Wan Group is working as expected. It's switching between the two Wan connections. I have a WISP connection with 30/10 Mbps and a 4G with a maximum of 100/40 Mbps. 
November 18, 2020, 03:57:01 PM #14
And do you experience any problems with this setting? If everything is ok, maybe just the documentation needs an update :)
Print
Go Up Pages1 2 3
User actions