Multi Wan

Started by Cipher, March 15, 2024, 11:47:04 PM

Hi everyone,

I'm currently working on configuring multi-WAN on our OPNsense firewall. Despite following various tutorials, I'm encountering issues with the setup. Here's what I've done so far:

1. Created two gateways for the two upstream links from both ISPs. Both gateways are marked as "up."
2. Configured a gateway group with the option "member down" so that if the first gateway goes down, traffic should switch to the second one.
3. Added the gateway group to the LAN any any rule in the firewall settings.
4. Implemented a DNS rule at the top of the LAN firewall rules to forward DNS traffic to the firewall.
5. Specified both gateways in the system settings.

However, when I disabled the WAN1 interface to test the setup, nothing seemed to work. My question is: Are my configurations correct, or did I miss something? Is disabling WAN1 the wrong way to test this setup?

Your guidance on troubleshooting or any suggestions for improvement would be greatly appreciated.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

Quote from: Cipher on March 15, 2024, 11:47:04 PM
My question is: Are my configurations correct, or did I miss something?

To answer this question we need to know your setup ;) Please provide some screenshots.
Simply disabling WAN1 should work.
i am not an expert... just trying to help...

March 16, 2024, 11:36:41 AM #2 Last Edit: March 16, 2024, 11:46:40 AM by Cipher
Thank you for your response.

I followed the steps outlined in https://www.thomas-krenn.com/de/wiki/OPNsense_Multi_WAN. However, the guide did not cover gateway switching, which I attempted by enabling and disabling it, but it did not resolve the issue.

In the gateway log, when I removed the cable, I encountered the following error repeatedly for about 10 minutes, but the switch did not occur:

2024-03-16T11:21:20    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:19    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:18    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:17    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:16    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:15    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:14    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:13    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:12    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:11    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:10    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:09    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:08    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:07    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:06    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:05    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64   
2024-03-16T11:21:04    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64

Attached is a screenshot showing that my outbound rules are correctly configured.
Thank you for the update.

I configured the WAN2 gateway as the default gateway, and the internet is functioning properly. Ping and browsing are successful. Similarly, when setting WAN1 gateway as the default gateway, it also works fine.

Please find attached a screenshot showing the LAN rules configuration.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.
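The log above is the one piece of hard evidence in the thread, so here is an added example (not code from the post or from OPNsense) that parses those dpinger lines and summarizes, per gateway, how long probes have been failing. On FreeBSD errno 64 is EHOSTDOWN ("host is down"), i.e. the probe never left the box. The "Cable" gateway lines and the 10-second threshold are constructed for the example; the threshold is not an OPNsense default.

```python
import re
from datetime import datetime

# FreeBSD errno values that show up in dpinger "sendto error: N" warnings
# (numbers taken from FreeBSD's <sys/errno.h>).
FREEBSD_ERRNO = {
    50: "ENETDOWN: network is down",
    51: "ENETUNREACH: network is unreachable",
    64: "EHOSTDOWN: host is down",
    65: "EHOSTUNREACH: no route to host",
}

# The 17 gateway-log lines posted in the thread, plus two constructed lines for a
# hypothetical second gateway "Cable" (errno 65) to show per-gateway grouping.
SAMPLE_LOG = """\
2024-03-16T11:21:20    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:19    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:18    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:17    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:16    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:15    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:14    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:13    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:12    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:11    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:10    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:09    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:08    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:07    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:06    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:05    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:04    Warning    dpinger    Fiber 8.8.8.8: sendto error: 64
2024-03-16T11:21:05    Warning    dpinger    Cable 1.1.1.1: sendto error: 65
2024-03-16T11:21:06    Warning    dpinger    Cable 1.1.1.1: sendto error: 65
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+dpinger\s+"
    r"(?P<gw>.+?) (?P<target>\S+): sendto error: (?P<errno>\d+)$"
)


def parse_dpinger_log(text):
    """Return one event dict per 'sendto error' line, oldest first.

    Other dpinger messages (loss/latency alarms) are skipped by this parser.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "gateway": m["gw"],
            "target": m["target"],
            "errno": int(m["errno"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def send_failure_summary(events, min_seconds=10):
    """Per gateway: how long probes have failed at the sendto() call.

    A sendto() failure means the probe never left the firewall, so no reply
    can come back and the monitor sees it as loss. Once the failing span
    reaches min_seconds (an assumed threshold for this example, not an
    OPNsense default) the gateway is expected to be marked down; if the log
    shows this for minutes while the gateway stays "up", look at the
    monitoring and failover settings rather than the link itself.
    """
    per_gw = {}
    for e in events:
        s = per_gw.setdefault(e["gateway"],
                              {"first": e["ts"], "last": e["ts"], "count": 0, "errnos": set()})
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
        s["count"] += 1
        s["errnos"].add(e["errno"])

    report = {}
    for gw, s in per_gw.items():
        span = int((s["last"] - s["first"]).total_seconds())
        report[gw] = {
            "count": s["count"],
            "span_seconds": span,
            "errors": sorted(FREEBSD_ERRNO.get(n, f"errno {n}") for n in s["errnos"]),
            "expect_down": span >= min_seconds,
        }
    return report


if __name__ == "__main__":
    for gw, r in send_failure_summary(parse_dpinger_log(SAMPLE_LOG)).items():
        state = "should be DOWN" if r["expect_down"] else "not yet"
        print(f"{gw}: {r['count']} send failures over {r['span_seconds']}s "
              f"({', '.join(r['errors'])}) -> {state}")
```

Run against the posted lines this reports 17 consecutive send failures over 16 seconds for "Fiber", all EHOSTDOWN, which is exactly the case where the gateway should already be flagged down; a gateway that stays "up" through that is a monitoring or failover-settings problem, not a cabling one.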

From what I can see, there is no gateway given for the default allow LAN to any rule.
Screenshot of gateway config is missing...
i am not an expert... just trying to help...

Quote from: tiermutter on March 16, 2024, 12:01:38 PM
From what I can see, there is no gateway given for the default allow LAN to any rule.
Screenshot of gateway config is missing...

Sorry, I see I've uploaded the wrong screenshot. The right screen has the gateway group "WANGROUP" set as the gateway instead of the default.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

OK, then gateway screenshot please. Gateway switching should be enabled.
i am not an expert... just trying to help...

... and a screenshot of firewall settings multi WAN section...
i am not an expert... just trying to help...

Thank you for your support so far.
Please see the screenshot below.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

Quote from: tiermutter on March 16, 2024, 12:58:57 PM
... and a screenshot of firewall settings multi WAN section...

This one is missing, but looks good so far.
i am not an expert... just trying to help...

Quote from: tiermutter on March 16, 2024, 11:58:27 PM
Quote from: tiermutter on March 16, 2024, 12:58:57 PM
... and a screenshot of firewall settings multi WAN section...

This one is missing, but looks good so far.

Are you referring to the LAN rule?
If yes, this has the failover gateway group I created as its gateway.
Do you mean something else?
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

I mean firewall/settings (adv. settings?). There is a section about multi WAN.
i am not an expert... just trying to help...

Quote from: tiermutter on March 17, 2024, 02:34:09 PM
I mean firewall/settings (adv. settings?). There is a section about multi WAN.

I never knew it had been there all the time;
I've been working with OPNsense for the last 10 years.

see attached.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

Everything looks fine so far... Now let's try setting up multi WAN without policy based routing...
Activate the force gateway option and set the WAN2 gateway to upstream. This should cause the routing table to be used. If WAN1 is down, OPNsense will set WAN2 as default gateway, not using any gateway group. GW priority is already set correctly for this.
Does this work?
i am not an expert... just trying to help...

Quote from: tiermutter on March 17, 2024, 05:49:05 PM
Everything looks fine so far... Now let's try setting up multi WAN without policy based routing...
Activate the force gateway option and set the WAN2 gateway to upstream. This should cause the routing table to be used. If WAN1 is down, OPNsense will set WAN2 as default gateway, not using any gateway group. GW priority is already set correctly for this.
Does this work?
I lost you in this part.
The WAN gateway is the upstream right now.
Do you mean configuring the WAN2 gateway as upstream gateway too? Or remove the WAN gateway as upstream gateway and replace it with WAN2?
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

Configure both as upstream. This causes OPNsense to use both for upstream according to priority. It will always use the online GW with the higher priority, so there is no need for GW groups, but you can leave the GW groups and firewall rules as they are.
i am not an expert... just trying to help...
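tiermutter's last two replies contrast two separate failover mechanisms: the routing table (default gateway chosen by priority among upstream gateways, which is what the firewall's own traffic, such as the resolver the OP's DNS rule points at, follows) and policy-based routing through a gateway group on the LAN rule. The following Python model is an added example, not code from the thread or from OPNsense; it assumes that a lower priority number wins (OPNsense's convention, 255 being the default), that only gateways the monitor reports as "online" are eligible for the default route, and a simple mapping of the group's trigger level to the monitor verdicts it reacts to. Gateway names, priorities and statuses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    priority: int = 255       # OPNsense gateway priority: lower number wins, 255 is the default
    upstream: bool = False    # the "Upstream Gateway" checkbox on the gateway
    status: str = "online"    # monitor verdict: "online", "loss", "delay" or "down"


@dataclass
class GatewayGroup:
    name: str
    tiers: dict                    # gateway name -> tier number (1 = most preferred)
    trigger: str = "member down"   # trigger level chosen on the group


# Which monitor verdicts each trigger level treats as unusable (assumption of
# this model; "member down" only reacts to a gateway the monitor marked down).
EXCLUDED_BY_TRIGGER = {
    "member down": {"down"},
    "packet loss": {"down", "loss"},
    "high latency": {"down", "delay"},
    "packet loss or high latency": {"down", "loss", "delay"},
}


def default_gateway(gateways):
    """Routing-table failover (no gateway group involved).

    Among gateways flagged as upstream and currently online, the one with the
    lowest priority number becomes the default route. Returns None when no
    upstream gateway is usable, i.e. the firewall itself has no way out.
    """
    usable = [g for g in gateways if g.upstream and g.status == "online"]
    if not usable:
        return None
    return min(usable, key=lambda g: (g.priority, g.name)).name


def group_gateways(group, gateways):
    """Policy-based routing through a gateway group.

    Walk the tiers from 1 upward and return the members of the first tier that
    still has a usable gateway under the group's trigger level (members of the
    same tier share the load). Empty list when every tier is exhausted.
    """
    by_name = {g.name: g for g in gateways}
    excluded = EXCLUDED_BY_TRIGGER[group.trigger]
    for tier in sorted(set(group.tiers.values())):
        usable = sorted(n for n, t in group.tiers.items()
                        if t == tier and by_name[n].status not in excluded)
        if usable:
            return usable
    return []


def failover_view(gateways, group):
    """Side by side: where firewall-originated traffic goes (routing table)
    versus where policy-routed LAN traffic goes (gateway group)."""
    return {"default_route": default_gateway(gateways),
            "policy_route": group_gateways(group, gateways)}


if __name__ == "__main__":
    group = GatewayGroup("WANGROUP", {"WAN1": 1, "WAN2": 2}, "member down")

    # Thread's starting point: only WAN1 is an upstream gateway, then WAN1 goes down.
    gws = [Gateway("WAN1", priority=1, upstream=True, status="down"),
           Gateway("WAN2", priority=2, upstream=False)]
    print("WAN2 not upstream, WAN1 down:", failover_view(gws, group))

    # tiermutter's suggestion: both upstream, priority decides the default route.
    gws[1].upstream = True
    print("both upstream, WAN1 down:    ", failover_view(gws, group))

    # Trigger level matters: with "member down" a merely lossy WAN1 stays in use.
    gws[0].status = "loss"
    print("both upstream, WAN1 lossy:   ", failover_view(gws, group))
```

The first scenario is the trap: the LAN rule's group happily picks WAN2, but with WAN2 not marked upstream the default route is None, so anything the firewall originates itself (including the resolver the LAN DNS rule redirects to) has no path. The third scenario shows why the trigger level on the group deserves a look as well: "member down" keeps sending traffic to a gateway that is losing packets but has not yet been declared down.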