[SOLVED] Unable to access second upstream router GUI and network

[rick477]

[Solution: I had an outgoing allow all rule on my WAN1 interface. After deleting it access worked]

Background: I have set up OPNsense in my homelab to learn how it works and become familiar with the settings.

It is set up behind my ISP cable router on WAN0. WAN0 gets an IP address via DHCP from the upstream cable router. From a PC connected to LAN0 I can access the WAN0 net, the internet as well as the cable router's web GUI.

Now here is my problem: I connected a second upstream router (LTE) to WAN1 which shall ultimately act as a failover for when my primary cable connection drops out. But for now all I want is to access the second router's web GUI. WAN1 is set exactly like WAN0 and gets an IP address via DHCP from the LTE router on a different net (see below). There are no conflicts in the IP addresses as far as I can tell. Accessing the web GUI is not possible. OPNsense shows that the WAN1 interface receives an IP from the DHCP server (DHCP server address is identical to the one I am trying to access)

Here is what I tried and what failed so far:

- I created rules to allow all in all out for WAN1 and LAN0

- I set WAN1 as gateway with a higher priority than WAN0 (lower number=higher priority).

- I disabled WAN0 completely

WAN0 net: 192.168.178.0/24. DHCP at 192.168.178.1. Internet and WAN0 net devices accessible
WAN1 net: 192.168.1.0/24. DHCP at 192.168.1.1. WAN1 devices not accessible
LAN0 net: 10.10.0.0/24. Device from where I am trying to access is at 10.10.0.100

[tiermutter]

Operating multi WAN (failover) causes traffic to use default route over the active gateway, thats why you can´t reach a modem acting as not active gateway. Changing the priority of a GW should do the trick, but only if the desired GW is marked as active and routes are changed.

I´m using multi WAN (failover) with gateway groups and policy based routing.
For the default allow rule on e.g. LAN the GW group will be added as gateway, causing all traffic to be routed to the online tier with higher priority.
Now, to always have access to the modem of the not-active GW, create a rule, placed below default allow, with the modems IP as destination and it´s GW. This causes all traffic for the modem to be routed to the modem, instead of being routed to the other WAN GW.

See screenshot for reference

[tiermutter]

Thinking about it, you do not need GW groups, the rules should work also without groups, but I am not sure...

[rick477]

These are screenshots for my settings at LAN0/Rules, gateways and rules. I cannot acess the net of the second WAN even when the standard WAN is deactivated, so it is the standard gateway in that condition.

[tiermutter]

In the case of your screenshots, the fritzbox should be accessible. What does the routing table show and what delivers a traceroute from PC to the fritbox IP?

[rick477]

Yes, the Fritzbox is accessible. What's not accessible is the second WAN_LTE

[rick477]

A traceroute from my PC to the WAN_LTE router hops to the LAN interface on OPNsense and then times out

[rick477]

Solution: I had an outgoing allow all rule on my WAN1 interface. After deleting it access worked

Thank you for your support

[tiermutter]

I had an outgoing allow all rule on my WAN1 interface.

Hm, ok... 

Now always both modems (fritzbox/LTE) are reachable, no matter what GW is active?

[rick477]

yes, both are accessible. Added a route for both networks so I can access both in any case

[tiermutter]

Ah ok, that's another way to achieve this