How to force wireguard egress through specific gateway?

[schmuessla]

I have a Multi WAN setup here. Primary connection is via DSL, backup via mobile network.
Everything works fine. If DSL goes down everything is routed via mobile network. However when DSL up goes up again the wireguard tunnel remains active on mobile network. This is the intended behaviour I think (sticky connections).
What options do I have if I want to switch back to DSL connection? Forcing a specific gateway and losing tunnel when DSL is down would also be fine.

[tracerrx]

In your firewall rules you can select the GATEWAY.  This should force that traffic to use the specified gateway...

The gateway dropdown is towards the bottom of the firewall edit/add screeen.

[schmuessla]

You mean the Interface specific firewall rules?
I think that doesn't work because everything needs to go through the tunnel, or did I miss something?

[tracerrx]

Yes, the interface specific firewall rule...

[schmuessla]

Hm I played with rules but it seems they don't influence the gateway wg picks.

[marcquark]

You could disable default gateway switching so opnsense will always use the primary line. Then use gateway groups and firewall rules to handle failover for clients. Could work but means your tunnel loses the benefits of redundancy

Wasn't there, at some point, an option somewhere to reset firewall states on gateway failover? That should do the trick, but i can't find it...

/e: I'm not crazy, it used to be there. But apparently that also only worked one-way. See https://forum.opnsense.org/index.php?topic=25818.0 and https://github.com/opnsense/core/issues/5387

I guess a custom script that checks for this condition and resets the WG tunnel if necessary is an option? Cronjobs don't allow custom scripts anymore, but monit does. So you could try your luck with that and selectively killing the tunnel's firewall state, should kick it back into using the primary gateway