Default gateway per vlan possible?

Started by freegoer, February 15, 2023, 09:45:14 PM

I am newer to OPNsense so please bear with me if this is a very basic question/scenario. I have a single OPNsense device, two ISPs (Comcast and Verizon Cellular). I have multiple vlans (guest, IoT, Work, Personal, etc). I would like to have all IoT traffic use my Verizon WAN as a default Gateway and other vlans use Comcast WAN as their default Gateway. Is this possible?

I read about support for multi-wan, but it seems to be for fail-over (grouping gateways) not having two active default gateways? Apologies if I am mixing up some terminology here and appreciate any advice and assistance.

Perfectly possible. You will have an "allow all" or "allow some services" out to the Internet firewall rule for each VLAN. One of the things you can specify for each of these is the gateway to be used.

If you leave that unspecified, the single default gateway of the OPNsense itself is used. But as I said - define gateway per rule. No problem at all.

This is frequently referred to as "policy routing".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ok that makes me feel better that it is possible. I read about PBR, but I think it is something I need to dig into more and experiment with. Thank you for confirming this.

On the interface for the vlan, I see an option to select a default gateway but the only option that appears is auto-detect. I guess I am missing what the gap is to allow to select a specific gateway? I must still be missing something there...?

Oh I see now, the default gateway is specified on the firewall rule, not the interface, just noting here in case it helps someone else.

The gateway in the interface settings is for the OPNsense system itself and outside of rather special situations it's like Highlander - there can be only one.

Settings for clients that pass traffic through OPNsense go into rules.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 15, 2023, 10:38:18 PM #5 Last Edit: February 15, 2023, 10:56:58 PM by freegoer
Quote from: pmhausen on February 15, 2023, 10:32:57 PM
The gateway in the interface settings is for the OPNsense system itself and outside of rather special situations it's like Highlander - there can be only one.

Settings for clients that pass traffic through OPNsense go into rules.


Roger, that makes sense. I got the rule created and the client did show the correct public IP address of my Verizon ISP. Only issue I have now is that the OPNsense Unbound DNS is not responding after I changed the default gateway? If I manually change the DNS setting on the client to a public DNS provider, it works great. So I need to figure that out. But this is great and working as I had hoped. Thank you so much for your help and providing me guidance!

Documenting for completeness in the event this helps someone else.

After changing the default gateway for my existing allow_all firewall rule on my guest vlan, DNS to Unbound was not working, getting no response from the DNS server. In troubleshooting I discovered I needed to add a specific rule to allow DNS (TCP/UDP port 53) to the firewall itself. DNS resolution started working and traffic routed through the Verizon default gateway as expected.

@pmhausen Thank you again for time and help!
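As an added illustration (not from the thread, and not OPNsense's generated ruleset), here is what the two GUI rules from this thread, the per-rule gateway from pmhausen's answer and the port-53 exception from the last post, come out to in pf terms, which is what OPNsense ultimately loads. Interface names, the VLAN tag, subnets and the Verizon next-hop address are assumptions chosen for the example:

```pf
# Example ruleset, not copied from an OPNsense box. Assumed topology:
#   vlan0.30   IoT VLAN interface, firewall address 192.168.30.1/24
#   igb1       Verizon WAN, next hop 203.0.113.1 (documentation prefix, placeholder)
#   igb0       Comcast WAN, the system's single default route (no rule needed here)
#
# Rule 1: DNS to the firewall itself, WITHOUT a gateway. It must sit above the
# policy-routed rule: with "quick" the first matching rule wins, and a rule that
# carries route-to pushes matching packets out via the Verizon next hop instead
# of delivering them locally to Unbound, which is the "no response" symptom.
pass in quick on vlan0.30 inet proto { tcp, udp } from 192.168.30.0/24 to 192.168.30.1 port 53 keep state

# Rule 2: the "allow all" rule with the Gateway field set. Everything else from
# the IoT VLAN is policy-routed to the Verizon gateway regardless of the
# system default route; reply traffic follows the state back the same way.
pass in quick on vlan0.30 route-to (igb1 203.0.113.1) inet from 192.168.30.0/24 to any keep state
```

On the firewall, `pfctl -sr` prints the ruleset pf actually loaded, so you can confirm the port-53 rule sits above the route-to rule and that the route-to rule carries the expected interface and gateway. The same ordering applies to any other service the firewall itself answers on that VLAN: a rule for it without a gateway has to come before the policy-routed catch-all.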