OPNsense Forum » English Forums » 24.7 Production Series » Different gateway for LAN clients
Topic: Different gateway for LAN clients (Read 650 times)
gigo90 (Newbie, Posts: 8, Karma: 0)
Different gateway for LAN clients « on: August 11, 2024, 02:52:31 pm »
Hello,
I'm struggling to find information about this topic.
I would like two different clients on my LAN to use two different gateways.
My configuration at the moment uses 2 WANs in a failover configuration (WAN1 fiber and WAN2 LTE). I also have a VPN client that connects my OPNsense box to a VPN provider (in order to be geolocated in a specific country).
I set up a gateway group which contains WAN1+WAN2+VPN and used this gateway with the DHCP server.
With this configuration, when the VPN is active all the clients within the LAN will use the VPN as gateway; if the VPN is down, I still have the failover option working.
Now the point is that only specific clients should not use the VPN as gateway, but the failover should continue to work. All the clients must be on the same LAN because they need to "see" each other.
My idea was to have two different gateway groups: GW1=WAN1+WAN2+VPN and GW2=WAN1+WAN2, but I don't know how to assign GW2 only to the clients that don't use the VPN.
Hope the explanation is clear.
Many thanks
dseven (Sr. Member, Posts: 301, Karma: 33)
Re: Different gateway for LAN clients « Reply #1 on: August 11, 2024, 04:27:15 pm »
You should be able to do that with firewall rules on your LAN. Create rules that match your clients, and select the gateway group for each accordingly, remembering that the first matching rule (from the top down) will be selected.
dseven (Sr. Member, Posts: 301, Karma: 33)
Re: Different gateway for LAN clients « Reply #2 on: August 11, 2024, 04:40:17 pm »
P.S. you might need a rule at the top for DNS with destination "This Firewall" and gateway set to "default", otherwise DNS requests from source matching your new rules could get sent to your VPN gateway and fail.
gigo90 (Newbie, Posts: 8, Karma: 0)
Re: Different gateway for LAN clients « Reply #3 on: August 11, 2024, 08:30:46 pm »
Hi, many thanks for your help.
I tried this configuration, but I'm not sure if I understood well.

Protocol   Source             Port   Destination   Port   Gateway
IPv4 *     This Firewall      *      *             *      *
IPv4 *     192.168.1.129/24   *      *             *      WAN_GW_GROUP_NOVPN
IPv4 *     LAN net            *      *             *      WAN_GW_GROUP

Unfortunately, it seems it's not working as expected. When these first 2 rules are active, all the traffic (including the peer .129) uses the "NOVPN". If disabled, all traffic is routed through the VPN.
Any idea? Thanks
doktornotor (Hero Member, Posts: 709, Karma: 70)
Re: Different gateway for LAN clients « Reply #4 on: August 11, 2024, 08:39:21 pm »
Maybe you want 192.168.1.129/32 and not the entire /24 subnet?
dseven (Sr. Member, Posts: 301, Karma: 33)
Re: Different gateway for LAN clients « Reply #5 on: August 11, 2024, 09:00:11 pm »
Yeah, that should be /32. I'm a bit surprised that it even allows that error.
Also the DNS rule should have "This Firewall" as the *destination*, not the source, protocol "TCP/UDP" and port 53 ("DNS").
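The top-down first-match evaluation described in this thread, and why the /24 in the original rule pulled the whole LAN onto the NOVPN group, as an added Python model (not code from the thread or from OPNsense; the gateway group names follow the posts, while the firewall LAN address and client IPs are constructed):

```python
"""First-match model of the LAN policy-routing rules discussed in this thread.
Added example, not code from the thread or from OPNsense. Gateway group names
follow the posts; the firewall LAN address and client IPs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")  # assumed LAN address

@dataclass(frozen=True)
class Rule:
    source: str            # CIDR, "LAN net" or "*"
    dest: str              # CIDR, "This Firewall" or "*"
    dport: Optional[int]   # None = any destination port
    gateway: str           # gateway group name, or "default"

def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    if spec == "*":
        return True
    if spec == "LAN net":
        return addr in LAN_NET
    if spec == "This Firewall":
        return addr == FIREWALL_IP
    # strict=False mirrors the GUI accepting 192.168.1.129/24: the host bits
    # are dropped and the rule silently covers all of 192.168.1.0/24.
    return addr in ipaddress.ip_network(spec, strict=False)

def select_gateway(rules, src: str, dst: str, dport: int) -> str:
    """Return the gateway of the first rule (top down) matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r.source, s) and _matches(r.dest, d) and r.dport in (None, dport):
            return r.gateway
    return "no match"  # a real ruleset would fall through to the default deny

def ruleset(host_spec: str):
    """DNS to the firewall first, then the single host, then the rest of the LAN."""
    return [
        Rule("LAN net", "This Firewall", 53, "default"),
        Rule(host_spec, "*", None, "WAN_GW_GROUP_NOVPN"),
        Rule("LAN net", "*", None, "WAN_GW_GROUP"),
    ]

BROKEN = ruleset("192.168.1.129/24")  # the first attempt posted above
FIXED = ruleset("192.168.1.129/32")   # after the /32 correction
```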
gigo90 (Newbie, Posts: 8, Karma: 0)
Re: Different gateway for LAN clients « Reply #6 on: August 12, 2024, 11:00:05 am »
Thanks to both of you!
I'll try and let you know.
EDIT: configuration tested, seems all ok. Thanks again
« Last Edit: August 12, 2024, 05:07:06 pm by gigo90 »
gigo90 (Newbie, Posts: 8, Karma: 0)
Re: Different gateway for LAN clients « Reply #7 on: August 18, 2024, 09:09:02 pm »
May I ask you guys if there is a way to set specific services (from a client) to use a specific WAN?
When the OpenVPN client on OPNsense is enabled, my video on-demand service (amaz....) is not "happy" because I'm not geo-localized in the country of subscription.
I can't use the IP based solution (as per my previous request), because the TV box should use the VPN to access content abroad (and use the VPN tunnel as gateway), but for the video service only it should use my in-country WAN.
Thanks
REB00T (Newbie, Posts: 35, Karma: 1)
Re: Different gateway for LAN clients « Reply #8 on: August 18, 2024, 10:53:25 pm »
You can try making a custom dnsmasq config file to put resolution results for certain domains in a specific alias and make rules using that. It is a bit painful to find all the required domains, but it can work. Also, when it comes to CDN domains (Akamai etc.) try to be as specific as possible, and even then it might not work perfectly as these are probably shared between services.