[SOLVED] Block certain subnets from using gateway during failover in Multi WAN
polarluminol (Newbie, Posts: 4, Karma: 0)
[SOLVED] Block certain subnets from using gateway during failover in Multi WAN
Posted on: March 15, 2023, 05:27:07 am
I am trying to figure out the best way to block certain subnets from using the alternate WAN during failover. Here is an example of what I am doing to use policy-based routing to meet my network use requirements:
WAN1 - Internet access 1
WAN2 - Internet access 2
DMZ1 - Must use WAN1 gateway and appear on WAN1 IP
DMZ2 - Must use WAN2 gateway and appear on WAN2 IP
LAN-A - Default gateway (WAN preference is unnecessary)
LAN-B - GWgroup1 (WAN1 preferred, WAN2 alternate)
LAN-C - GWgroup2 (WAN2 preferred, WAN1 alternate)
LAN-D - GW1 - WAN1 only (WAN preference is preferred, but not critical)
LAN-E - GW2 - WAN2 only (WAN preference is preferred, but not critical)
During normal circumstances, everything works and failover to the alternate WAN works. The problem is that during failover, both of my DMZ hosts start using whichever WAN connection is up. This is causing conflicts in the services I am running that are sensitive to the public IP (the application detects the public IP being used and then does not go back).
How do I prevent each DMZ from using an alternate WAN IP during failover?
I would have assumed that specifying the gateway in a rule for policy-based routing would enforce only using that gateway in all circumstances. I have considered a firewall rule (such as creating a block rule on WAN2 that blocks all traffic with source DMZ1), but I'm not sure if this is the best way.
Also of note is that the only time I specify the gateway or gateway group is for internet access firewall rules. All of my local LAN and DMZ filtering uses the default gateway.
Help appreciated! Please let me know if it helps to describe this situation further or if specific details are needed. Thank you.
SOLUTION:
Go to Firewall: Settings: Advanced: Skip rules
Check "Skip rules when gateway is down"
Last Edit: March 16, 2023, 01:41:21 am by polarluminol
tiermutter (Hero Member, Posts: 1102, Karma: 61)
Re: Block certain subnets from using gateway during failover in Multi WAN
Reply #1 on: March 15, 2023, 06:08:56 am
Are DMZ1 and DMZ2, as well as LAN A-E, all subnets, or are they clients within a DMZ and LAN subnet?
For subnets just change the gateway of default allow rule to your preference.
For clients create an alias containing the MAC of the clients, create a pass rule on the specific interface (LAN/DMZ), set source to the alias and gateway to your preference. Place this rule above default allow and remember to do the same for IPv6 if needed. Do this for all affected "internet access rules".
Blocking on WAN side is imho not required.
i am not an expert... just trying to help...
polarluminol (Newbie, Posts: 4, Karma: 0)
Re: Block certain subnets from using gateway during failover in Multi WAN
Reply #2 on: March 15, 2023, 04:31:53 pm
DMZ1, DMZ2, and LANs A-E all represent subnets that have their own VLAN.
I believe I am already doing your suggestion. My current rules for the DMZ are:
Action | Source   | Destination            | Gateway
BLOCK  | DMZ1 net | LAN A-E                | *
BLOCK  | DMZ1 net | Other private networks | *
PASS   | DMZ1 net | *                      | WAN1
Given the third rule above, I'm not sure why DMZ1 hosts would somehow be detecting the WAN2 IP.
polarluminol (Newbie, Posts: 4, Karma: 0)
Re: Block certain subnets from using gateway during failover in Multi WAN
Reply #3 on: March 15, 2023, 09:45:26 pm
So far I have tried the following rules, both of which had no effect:
WAN2 Interface Rules
Action | Source   | Destination | Gateway
BLOCK  | DMZ1 net | *           | *

DMZ1 Interface Rules
Action | Source   | Destination | Gateway
PASS   | DMZ1 net | *           | GW_WAN1
BLOCK  | DMZ1 net | *           | GW_WAN2
My DMZ1 subnet always manages to route through WAN2.
tiermutter (Hero Member, Posts: 1102, Karma: 61)
Re: Block certain subnets from using gateway during failover in Multi WAN
Reply #4 on: March 15, 2023, 09:58:49 pm
Is there a default allow rule on e.g. DMZ1?
Then just change the gateway. There is no need to set the source to DMZ1_net.
i am not an expert... just trying to help...
polarluminol (Newbie, Posts: 4, Karma: 0)
Re: Block certain subnets from using gateway during failover in Multi WAN
Reply #5 on: March 15, 2023, 10:57:41 pm
Pretty sure I found the setting:
Firewall: Settings: Advanced: Skip rules
Check "Skip rules when gateway is down"
My testing has produced the desired effect. When WAN1 is down, DMZ1 can't access the internet at all, yet subnets with GWgroup1 (WAN1 preferred, WAN2 alternate) properly fail over to WAN2 and then return to WAN1 when WAN1 is back.
Thanks for helping!
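The behaviour the thread converges on can be seen in a small model of how a policy-routing rule is resolved against gateway state. The following Python is an added example, not code from the thread or from OPNsense itself; it is a simplified model of the rule generator, using the rule, gateway and subnet names from the posts, with constructed sample addresses. It shows the three cases discussed: a PASS rule pinned to GW_WAN1 falling back to the default route when WAN1 is down (which is why DMZ1 traffic appeared on WAN2), the same rule being omitted entirely when "Skip rules when gateway is down" is enabled (so DMZ1 hits the implicit default deny instead), and a GWgroup1 rule failing over to GW_WAN2 in both modes.

```python
"""Simplified model of OPNsense policy-routing rule resolution during failover.

Added example; not code from the forum thread or from OPNsense. The way a
rule is rewritten when its gateway is down is an assumption that reproduces
the behaviour described in the thread, not the real rule generator.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the thread's subnets (assumed values).
SUBNETS = {
    "DMZ1 net": ip_network("10.10.1.0/24"),
    "LAN-B net": ip_network("10.20.2.0/24"),
}

# Gateway groups: members listed in priority order (preferred first).
GATEWAY_GROUPS = {
    "GWgroup1": ["GW_WAN1", "GW_WAN2"],
}


@dataclass(frozen=True)
class Rule:
    interface: str  # interface the rule is attached to (ingress for the traffic)
    action: str     # "PASS" or "BLOCK"
    source: str     # alias name from SUBNETS, or "*" for any
    gateway: str    # gateway name, gateway group name, or "*" for default route


def resolve_gateway(name, gw_up, skip_when_down):
    """Return the gateway a rule will actually use, or None when the rule
    must be dropped from the generated ruleset."""
    if name == "*":
        return "default"
    members = GATEWAY_GROUPS.get(name, [name])
    for gw in members:
        if gw_up.get(gw, False):
            return gw
    # Every candidate gateway is down: either omit the rule ("Skip rules
    # when gateway is down") or keep it without a gateway, i.e. default route.
    return None if skip_when_down else "default"


def effective_rules(rules, gw_up, skip_when_down):
    """Rules as the packet filter sees them once gateway state is applied."""
    out = []
    for r in rules:
        gw = resolve_gateway(r.gateway, gw_up, skip_when_down)
        if gw is None:
            continue  # rule omitted entirely
        out.append(Rule(r.interface, r.action, r.source, gw))
    return out


def decide(src_ip, interface, rules):
    """First-match evaluation on the ingress interface; no match means the
    implicit default deny. Returns (action, gateway)."""
    ip = ip_address(src_ip)
    for r in rules:
        if r.interface != interface:
            continue
        if r.source != "*" and ip not in SUBNETS[r.source]:
            continue
        return (r.action, r.gateway)
    return ("BLOCK", None)


# The poster's internet-access rules, reduced to the rows that matter here.
RULES = [
    Rule("DMZ1", "PASS", "DMZ1 net", "GW_WAN1"),
    Rule("LAN-B", "PASS", "LAN-B net", "GWgroup1"),
]


def dmz1_decision(wan1_up, skip_when_down):
    """What happens to a DMZ1 host's outbound packet (constructed source IP)."""
    gw_up = {"GW_WAN1": wan1_up, "GW_WAN2": True}
    return decide("10.10.1.5", "DMZ1", effective_rules(RULES, gw_up, skip_when_down))


def lanb_decision(wan1_up, skip_when_down):
    """What happens to a LAN-B host's outbound packet (constructed source IP)."""
    gw_up = {"GW_WAN1": wan1_up, "GW_WAN2": True}
    return decide("10.20.2.5", "LAN-B", effective_rules(RULES, gw_up, skip_when_down))


if __name__ == "__main__":
    for skip in (False, True):
        print(f"skip_when_down={skip}")
        print("  WAN1 up,   DMZ1 :", dmz1_decision(True, skip))
        print("  WAN1 down, DMZ1 :", dmz1_decision(False, skip))
        print("  WAN1 down, LAN-B:", lanb_decision(False, skip))
```

The model also shows why the extra BLOCK rows tried in reply #3 had no effect: the gateway column only influences where a PASS rule sends traffic, so a BLOCK rule "with gateway GW_WAN2" matches on source and destination exactly like a plain block, and the WAN2 interface rule never sees DMZ1's outbound packets because interface rules evaluate traffic entering that interface. Pinning the rule to GW_WAN1 and enabling the skip option is what removes the path, at the cost of DMZ1 having no internet access while WAN1 is down, which is the trade-off the poster accepted.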