Multi WAN instructions - errors in manual how-to?

Started by verulian, July 26, 2022, 09:47:31 AM

I'm attempting to set up an OPNsense system with 3 WAN gateways in a group for failover and load balancing, with priority on the WAN1 ethernet port.

I was following these instructions without too much trouble, until I hit "Step 5 - Add allow rule for DNS traffic":
https://docs.opnsense.org/manual/how-tos/multiwan.html

Step 4 started to seem a little iffy, and then when I hit Step 5 I went entirely off the rails. First you see:
Quote:
"Add a rule just above the default LAN allow rule to make sure traffic to and from the firewall on port 53 (DNS) is not going to be routed to the Gateway Group that we just defined.

Start with pressing the + icon in the bottom left corner."

First, I wasn't sure what it meant by "Add a rule just above the default LAN allow rule..."

In my case I have LAN1, LAN2, and LAN3 in a "LANSwitch" bridge (bridge0; see: https://docs.opnsense.org/manual/how-tos/lan_bridge.html), and then I have WAN1, WAN2, and WAN3 in a Gateways → Group called WANGROUP, with WAN1_DHCP, WAN2_DHCP, and WAN3_DHCP in tiers 1 through 3 for priority, set up as per the instructions in the multiwan URL above.

So, as I said, I wasn't sure what "Add a rule just above the default LAN allow rule..." meant. I thought maybe it was talking about LANSwitch in my case, since it's the bridge for my 3 ethernet LAN "switch" ports. I tried to edit that, but the instructions really didn't seem to line up at all well.

I then poked around elsewhere and really didn't find anything that matched up there either. The line "Start with pressing the + icon in the bottom left corner." also didn't line up with anything. I just don't see any "+" buttons in any bottom left corners anywhere...

Can someone point me to some more clear instructions about how to set up a multi WAN gateway setup that can fit my scenario as outlined? Or can these instructions from the official docs be clarified or expanded with screenshots to help make them more clear?

The DNS rule should be at the top, or at least above the allow-all rule (multiwan)... this will make sure your DNS is handled by OPNsense first and not by your multiwan rule.

Under firewall rules, at the upper right part, you should see a + sign for you to add a new rule. After adding it, it will be the last one and you have to move it up (check the box, then click the arrow in the rule; it will put it above that).

Your allow-all rule (internet rule), you need to edit: at the bottom there is a "gateway" setting, select your multiwan gateway. This will tell OPNsense that this rule will use that gateway instead.

I assume you have configured your multiwan gateway group already as you explained. Putting each one on a different tier will configure them as backups. Tiers of the same level will be rotated by the OPNsense algorithm.

You may want to search the forum for the "sticky connection" check box, especially if you have captive portal enabled.
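To illustrate the ordering point made in this reply, here is an added toy example (not OPNsense code and not from this thread): a first-match rule evaluator with two constructed rules, the DNS-to-firewall rule and an allow-all rule carrying the WANGROUP gateway. Rule and packet names, the "self" destination and the addresses are all constructed for the example.

```python
# Added example (not OPNsense code, not from this thread): a toy first-match
# rule evaluator showing why the DNS rule must sit above the allow-all rule
# that carries the WANGROUP gateway. All names and addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    dst: Optional[str] = None       # None = any destination; "self" = the firewall
    dport: Optional[int] = None     # None = any destination port
    gateway: Optional[str] = None   # None = normal routing table (no policy routing)


@dataclass
class Packet:
    dst: str
    dport: int


# The two rules the reply talks about, in the recommended and the wrong order.
DNS_RULE = Rule("allow DNS to firewall", dst="self", dport=53)
INTERNET_RULE = Rule("allow all (multiwan)", gateway="WANGROUP")
CORRECT_ORDER: List[Rule] = [DNS_RULE, INTERNET_RULE]
WRONG_ORDER: List[Rule] = [INTERNET_RULE, DNS_RULE]

# Constructed sample traffic from a LAN client.
DNS_QUERY = Packet("self", 53)                # client asking the firewall's resolver
WEB_REQUEST = Packet("203.0.113.10", 443)     # ordinary outbound traffic


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf-style 'quick' semantics: the first matching rule decides,
    later rules are never consulted for this packet."""
    for rule in rules:
        if rule.dst is not None and rule.dst != pkt.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule
    return None


def route_for(rules: List[Rule], pkt: Packet) -> str:
    """Path the packet takes: the gateway group named on the matching rule,
    'default' for normal routing, or 'blocked' if no rule matches."""
    rule = first_match(rules, pkt)
    if rule is None:
        return "blocked"
    return rule.gateway or "default"


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "order: DNS ->", route_for(rules, DNS_QUERY),
              "| web ->", route_for(rules, WEB_REQUEST))
```

With the wrong order the DNS query to the firewall is policy-routed out the gateway group instead of being answered locally, which is the behaviour the rule ordering is meant to prevent.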

Thank you. It seems as if you are saying I am supposed to modify rules for a group that should be there called "WANGROUP" (if I'm following the instructions exactly). For example, the instructions indicate, in Step 2:

And this is what I have in this WANGROUP:

But in Step 5 when I go to Firewall → Rules, I do not see "WANGROUP" in these rules, which you seem to indicate should be there (but you call it "multiwan" in your first sentence):

But the instructions do say "This rule will utilize the gateway group for all traffic coming from our LAN network" in the "!Note" in Step 4, which makes me think I need to use my "LANSwitch" bridge "group" from Interfaces → Other Types → Bridge:

So is there a problem with my Firewall → Rules listing where the "WANGROUP" is not showing, or should I actually be working with "LANSwitch" and add the rule you describe in "LANSwitch" instead?

July 28, 2022, 05:44:45 AM #3 Last Edit: July 28, 2022, 05:50:44 AM by tong2x
Your setup is a bit complex I guess; you have 3 LANs and you bridge them together via "LanBridge", correct?

You also have 3 WANs; I suppose these are separate ISPs, correct?

Your WANgroup is currently configured as backup, meaning WAN1 priority, WAN2 2nd backup, WAN3 last backup. WAN2 will only be used if WAN1 has... packet loss or high latency... It is ok since you describe it as a failover group.

To set a rule to a specific gateway/wangroup, you need to edit the rule;
usually it is the last rule, the allow-all or internet rule.

Did I get it right, you want to use a specific gateway for your rule?

See images:
https://ibb.co/vdJPLk0

https://ibb.co/4p5wLRr

I have a "switch" (set up as bridge0) called LANSwitch, yes.

Yes, I have 3 WAN ports with 3 ISPs. Two of them are active and the 3rd is just plugged in when needed, as it is a hotspot from a wireless phone service and so is only active when there is trouble.

Yes, it is basically a failover group. WAN1 is Starlink and is the main fast connection. WAN2 is another ISP that is crap (10 Mbps), but it is always on and may be upgraded soon due to the phone system; still, even after an upgrade it will only be 1/3 to 1/5 the speed of Starlink WAN1. I think I'm going to modify it to be a kind of load balance arrangement so that WAN1 is weighted much more heavily at 10-20x, but it's not really important.

My problem is that I'm not entirely sure about the instructions. They seem unclear, and so I'm not sure how to use the gateway group properly. I sure wish there were simply no mistakes in the documentation.

I've been out of the office and am going to look closer at your instructions within the next several hours or so. Thank you.

I also stumbled upon something else I need to look at closely that might offer better screenshot steps to be more clear: https://www.thomas-krenn.com/de/wiki/OPNsense_Multi_WAN