2 OPNsenses same WAN network Broadcast Flood

[chemlud]

...you had me at "MDNS"....

[aeschma]

You have a Multi WAN Setup?

[aeschma]

Is there the possibility that a Firewal rule relay DHCP or DNS traffic to the WAN interface?

EDIT:

Hope this was the solution for me. Testing at the moment ....

EDIT 2:
Sadly not the solution . Have a floating rule which allows dhcp,dns,ntp .... to "this firewall" for all local networks. Deactivated the rule, but broadcast flood coming in ...

[HenrikHenkel]

@aeschma

Yes, I actually do have 2 WAN connections for failover. But those also have their own interfaces.

No firewall rules that should relay this traffic.
The other WAN does not have this problem.

[aeschma]

Same Setup here ....

But I can't use my second WAN for HA. Second WAN is DHCP only. So second WAN is configured on both OPNsenses but only plugged into one Sense.... on the other is the interface offline.

Your ISP is also Vodafone? If so, do you think it could be an Vodafone issue?

[HenrikHenkel]

Yes, my second ISP is Vodafone.
The main WAN is Telekom, no problems there.

Actually it came to my mind, there is a firewall rule that could be the culprit... Because I'm using load-balancing, there's a firewall rule that splits traffic to both WAN interfaces.
I will be on-site on Saturday and will check whether this causes the problem. (Although, if it is... Then it should be on both WAN interfaces, right?)

Do you use load-balancing or just failover?

[aeschma]

Yes, I use Load Balancing too.

That's why I asked, but if it was due to Load Balancing, both connections would have to be affected.

I remember a forum post where someone successfully runs HA with Vodafone Cable. So there must exist an solution ....

[HenrikHenkel]

How did you configure multi WAN? Firewall rule with redirect gateway?

[aeschma]

Yes. I have an RFC1918 Alias, which I use to route the public traffic to a Gateway-Group.

[HenrikHenkel]

So 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, right?

Try to add 224.0.0.0/24, 239.255.0.0/16, 239.192.0.0/14 to the alias.

[aeschma]

Ok, I will try it. I can't try it until the weekend because I won't be back before then. I will write you.

[HenrikHenkel]

I tried it last weekend and it seems like the problem is solved for me.

Kinda feel stupid now, because it should have been obvious from the start to exclude ALL subnets from this firewall rule, that don't belong on a WAN network...

[aeschma]

Good to hear it's working for you. Sadly dosen't work for me

Here is my alias and firewall rule.

[HenrikHenkel]

Hi. Sorry for the late response.

The firewall rule and alias look exactly like mine...

Might sound stupid, but did you synchronize the changes to your second firewall?

[aeschma]

Yes, both Firewalls are synchonized. I even restarted the firewalls afterwards.