OPNsense Forum » Archive » 22.1 Legacy Series
Topic: [SOLVED] Multi-WAN policy routing question (Read 1818 times)
pjw (Newbie, Posts: 22, Karma: 1)
[SOLVED] Multi-WAN policy routing question
« on: May 12, 2022, 08:14:09 pm »
Hello,
I've recently deployed a new OPNsense firewall into my home network. I have a somewhat complicated setup at home, which I'll describe below. But my overall question is this: I'm trying to push all outbound traffic from my home network that is headed to my work's WireGuard endpoints through one WAN uplink, and the rest of the home network traffic out the other WAN uplink.
My setup is mainly a Google WiFi mesh network that connects to the OPNsense into the LAN port (diagram attached). That does create a double-NAT, which isn't a huge deal, since I have a DMZ on VLAN20 to port-forward anything important through.
The issue, though, is I'm trying to filter any traffic coming into the LAN port (from the Google WiFi) that has a destination of my work's WireGuard endpoints, and push it into one of the specific gateways (specifically the Starlink). I already have gateway groups configured for failover, and that works great. But right now I'm just trying to policy-route the traffic headed for specific WireGuard endpoints outside of my network.
Trying to Google around for this always brings me to pages covering how to configure WireGuard on my OPNsense, which is not what I want to do here (I already have that).
I've attached a rough sketch of my network setup, and then a screenshot of my Firewall Rules for the LAN interface. Note that the Alias I used in the Starlink rule is a collection of the endpoint hostnames which all resolved correctly via DNS. Any and all help is greatly appreciated.
« Last Edit: May 13, 2022, 10:38:41 pm by pjw »
RedVortex (Jr. Member, Posts: 97, Karma: 9)
Re: Multi-WAN policy routing question
« Reply #1 on: May 13, 2022, 12:31:02 am »
What you did seems good. I have a similar setup and it works well, but I don't use WireGuard.
However, make sure to also make your WireGuard remote peer traffic go to the right gateway, not just your LAN traffic. This may require a rule in the floating section or somewhere else so that the tunnel itself goes out the right provider, not just the traffic within it.
Also, WireGuard is UDP, and Starlink will have a lot of packet loss, which is not abnormal for this type of link; this may affect your throughput or even make UDP over Starlink very unstable. I had to block QUIC over Starlink because of that (block UDP to port 443) or else things like Facebook wouldn't work properly.
pjw (Newbie, Posts: 22, Karma: 1)
Re: Multi-WAN policy routing question
« Reply #2 on: May 13, 2022, 10:38:23 pm »
I appreciate the reply!
I ended up figuring out what was going on. The rules themselves, as I had them, were actually correct. What bit me was the Sticky Connections setting under Firewall -> Settings -> Advanced -> Multi-WAN. Leaving it on, I think, is the right thing to do. But when I was messing with the firewall rules and trying to add new policy-based routing, it never caused my work laptop to interrupt its connection to the WireGuard endpoints. So it stayed stuck on my initial gateway no matter what I did.
When I restarted the WireGuard tunnels on my work laptop, the new connections picked up the correct gateway in the firewall rules match. Gah!!!
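To illustrate the behaviour pjw describes (a flow that already has a firewall state keeps its original gateway until the state is torn down, and only new connections pick up the changed rule), here is a small Python model of pf-style stateful policy routing. It is an added example, not code from the thread or from OPNsense; the endpoint addresses, gateway names and alias are constructed.

```python
# Constructed model of pf-style stateful policy routing as OPNsense uses it:
# rules are consulted only when a packet has no matching state yet; afterwards
# every packet of that flow follows the gateway recorded in its state.

WORK_WG_ENDPOINTS = {"203.0.113.10", "203.0.113.11"}  # constructed alias members


class PolicyRouter:
    def __init__(self, default_gw: str):
        self.default_gw = default_gw
        self.rules = []    # (frozenset of destination addresses, gateway), first match wins
        self.states = {}   # (proto, src, sport, dst, dport) -> gateway chosen at creation

    def add_rule(self, dst_alias: set, gateway: str) -> None:
        """Append a LAN rule of the form 'pass ... to <alias> gateway <gw>'."""
        self.rules.append((frozenset(dst_alias), gateway))

    def lookup(self, dst: str) -> str:
        """Rule evaluation: only runs for packets that have no state yet."""
        for alias, gw in self.rules:
            if dst in alias:
                return gw
        return self.default_gw

    def route(self, src: str, sport: int, dst: str, dport: int, proto: str = "udp") -> str:
        """Return the gateway this packet takes, creating a state on first sight."""
        key = (proto, src, sport, dst, dport)
        if key not in self.states:
            self.states[key] = self.lookup(dst)   # rule set consulted once per flow
        return self.states[key]                   # later packets stick to the stored gateway

    def kill_states(self, dst_alias: set) -> int:
        """Drop states toward the alias; this is the effect of restarting the tunnel."""
        victims = [k for k in self.states if k[3] in dst_alias]
        for k in victims:
            del self.states[k]
        return len(victims)


def demo() -> tuple:
    """Reproduce the thread: tunnel up first, rule added later, tunnel restarted."""
    fw = PolicyRouter(default_gw="WAN_CABLE")
    flow = ("192.168.1.50", 51820, "203.0.113.10", 51820)   # laptop -> work endpoint
    before = fw.route(*flow)                  # state created under the default gateway
    fw.add_rule(WORK_WG_ENDPOINTS, "WAN_STARLINK")
    stuck = fw.route(*flow)                   # existing state wins; still WAN_CABLE
    fw.kill_states(WORK_WG_ENDPOINTS)         # equivalent of restarting the WireGuard tunnel
    after = fw.route(*flow)                   # fresh state now matches the Starlink rule
    return before, stuck, after
```

On a real OPNsense box the same effect can be observed by listing the state table in Firewall -> Diagnostics -> States before and after restarting the client tunnel.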