Management interface via loopback address with policy based forwarding

[altmannj]

I'm attempting to setup a loopback address to use for management purposes.  I am using two IPSec VPN tunnels with OpnSense and would need to monitor the loopback address via the primary IPSec tunnel.  Should the primary tunnel fail, I would still need to ping via the secondary tunnel.

It seems to me that traffic originating from the router itself via a loopback only uses the routing table and will show egress traffic for the gateway specified.  I attempted to use a dynamic gateway in which I pointed the route to that dynamic gateway (the dynamic gateway actually being the loopback interface).  This then forces traffic into the loopback interface and can then use policy based forwarding to route over the VPN tunnels. 

This appears to work only with ICMP.  If i attempt to go to HTTPS using the management interfaces (loopback) IP, the firewall logs show the traffic coming from the management interface but being denied by the default deny policy, despite allowing all traffic on the loopback management interface.  It's almost as though the firewall can't maintain a session state when traffic originates over the VPN to the loopback.

[altmannj]

I've now tried to use the IPSec tunnels as "upstream gateways", one with pri 254, the other with pri 255 for weighting.  I removed the WAN gateway as an upstream gateway and set static routes to the IPSec peers.  It still seems as though OPNsense doesn't work like other platforms in which when a gateway monitor goes down, it removes the route and attempts to select a new gateway based on its availability and weight.

Am I missing something?  Does OPNsense support static route IP SLA's?  Would you have to resort to doing this with scripts to monitor ifup/ifdown status and perform manual route injection or am I just missing something?

I'm going to attempt to use FRR with OSPF next to see if I can use OSPF multipath.