Multi-WAN: how to force traffic to one specific gateway?

Started by hase, June 15, 2023, 12:57:59 PM

Hi,
I am a bit experienced with IP, but a relative noob with opnsense.

I do have a Multi-WAN Setup working, and the automatic switching between my (fast but flaky) cable and (notsofast, reliable) DSL seems to work fine.

For $Reasons I also have some devices on the Network handled by the DSL router besides the opnsense.

I did manage to access the DSL router's web interface (IP 192.168.177.1, also the DSL-GW in Tier 2 of the CABLE-DSL gateway group) from computers on the LAN.
But when I try to reach any device within 192.168.177/24 other than the .1, the traffic goes out to the Cable-GW.
I see that as incoming traffic on the WAN (=Cable) interface on the opnsense: blocked by the default rules.

I do have an FW rule on the LAN interface for the destination range 192.168.177/24 with Gateway DSL-GW, direction in (also tried out, same effect). The rule is atop the rule permitting LAN-originated traffic to 0/0.
Also, as far as I understand the BSD routing table (as presented in the opnsense Web interface), the routing engine of the IP stack should direct dest-192.168.177/24 traffic through the respective ethernet interface.

I want the FW to default all traffic through the cable router and only fall back to DSL in exceptions (cable down), but I also want management traffic to my legacy network from the office network...

What am I missing?

merci
hase

Can you add some basic network schema (for example a NwDiag from Kroki) and firewall rules list?

If I got it right:

  • You have two WAN connections, both in a "CABLE-DSL" gateway group:
    • Cable, using the "CABLE-DSL" gateway, is at tier 1
    • DSL, using the "DSL-GW" gateway, is at tier 2, OPNsense uses IP 192.168.177.1 to contact it
  • Failover works: Internet access from your LAN uses Cable if available and continues to work if one of your 2 WANs is down (automatic switches)
  • You managed (how?) to access the 192.168.177.1 address (DSL-GW's)
  • You have other devices on the 192.168.177.0/24 network that you want to access, but when you try to contact them using their 192.168.177.0/24 IP, OPNsense routes the traffic to CABLE-DSL, which discards/rejects it

I guess each router has its own network address and your LAN is also on a distinct network address.

Usually, to force a WAN for a given destination (host or network), you have to create a firewall rule that sets the gateway to the one you want (in your case "DSL-GW" in lieu of "CABLE-DSL").

Hi,

I did compose a reply post here - quite long - and then it hit me.
The problem is that my LAN->DSL net traffic is going through NAT.

My network is very basic (for now):
- DSL router 192.168.177.1
-- has its own wlan with existing clients
- cable router 192.168.176.1
- opnsense appliance
-- interface WAN: DHCP client to the cable router (opnsense-IP fixed in DHCP, set as exposed host)
-- interface DSL: DHCP client to the DSL router (opnsense-IP fixed in DHCP, set as exposed host)
-- interface LAN: internal, firewalled network.
--- DHCPv4 server in opnsense

Because the opnsense applies the NAT, the SYN-packet from my LAN device is modified (source address is set to an IP of the opnsense).
This modified packet is then fed to the firewall, therefore the auto-generated rule marked "let out anything from firewall host itself (force gw)" is applied - and this forces the gateway to the cable router, as that is currently active.

So the new question is: how do I bypass NAT for some of my traffic while applying it to Internet-bound traffic?

I will fiddle with that for a moment.

thanks for talking :-)
greetings from a hot Berlin/Germany
hase
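As an added illustration of the two pieces hase's last question is about (not rules taken from the thread or generated by OPNsense), here is a FreeBSD pf.conf fragment that exempts management traffic to the legacy 192.168.177.0/24 network from outbound NAT and pins it to the DSL gateway, while Internet-bound LAN traffic keeps being NATed. The interface names, the LAN subnet and the DSL gateway address are assumptions for this example.

```pf
# Constructed example, not OPNsense-generated rules. Interface names,
# the LAN subnet and the DSL gateway address are assumed values.
lan_if  = "igb1"
dsl_if  = "igb2"
lan_net = "192.168.1.0/24"
dsl_net = "192.168.177.0/24"
dsl_gw  = "192.168.177.1"

# 1. NAT exception: management traffic to the legacy DSL network leaves
#    with its real LAN source address. The "no nat" line must precede the
#    matching "nat" line, because the first NAT rule that matches wins.
no nat on $dsl_if from $lan_net to $dsl_net
nat on $dsl_if from $lan_net to any -> ($dsl_if)

# 2. Policy routing: hand that traffic to the DSL gateway as it enters
#    from LAN. "quick" stops rule evaluation, so the catch-all below
#    never sees these packets and cannot steer them to the cable WAN.
pass in quick on $lan_if route-to ($dsl_if $dsl_gw) \
    inet proto { tcp udp icmp } from $lan_net to $dsl_net

# 3. Everything else from LAN follows the default (gateway group) route.
pass in on $lan_if inet from $lan_net to any
```

Because the exempted packets arrive un-NATed, the devices on 192.168.177.0/24 (or the DSL router on their behalf) need a return route for the LAN subnet pointing at the OPNsense address on the DSL interface; without it their replies follow the DSL router's default route and the connection still fails.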