Multi-wan question

Started by Jyling, July 07, 2025, 05:15:11 PM

Hello, members,

Is it possible, and how can it be done, if some outbound connections need to use a certain gateway?
My organization has a router that's been using a single gateway 1, and I've just added gateway 2:

gateway group
gateway 1: igb0 -> pppoe0 (priority 254) -> provider 1, weight 1, tier 2
gateway 2: igb1 -> dhcp (priority 1) -> provider 2, weight 5, tier 1

Now, all outbound connections route through gateway 2 (unless I bring it down), but the goal is for some to use the old gateway 1.
They will be the outgoing SMTP connections from our mail server and SIP/RTP from our phones on the LAN. All of the browsing, FTP, Teams, etc. should use GW2.

How can/should this be set up?

Thank you for your help!

You could set up a firewall rule that matches before your gateway group rule, match https traffic as destination, and set the explicit gateway you want for it.
Hardware:
DEC740

July 07, 2025, 06:05:09 PM #2 Last Edit: July 07, 2025, 06:33:58 PM by Jyling
Quote from: Monviech (Cedrik) on July 07, 2025, 05:23:12 PM
You could set up a firewall rule that matches before your gateway group rule, match https traffic as destination, and set the explicit gateway you want for it.

I apologize but I do not follow your instructions.
Particularly, I do not understand what HTTPS has to do with my question or what the destination is.

EDIT: Could this be achieved by outbound NAT? It seems somewhat relevant, to my uneducated guess, but I never used it so don't know.

Quote from: Jyling on July 07, 2025, 06:05:09 PM
Could this be achieved by outbound NAT?
No, outbound NAT does not route traffic.

HTTPS might have been a mistake. Create an alias of type ports and add the SMTP and SIP ports to it.
Then add a firewall rule to the LAN, at destination select any and at port specify the alias you've created before, go down to gateway and select gateway1.
Save it and move this rule up to the top.

Instead of the destination ports you can also specify certain source IPs if this is more eligible for your use case.

I forgot to put e.g., before HTTPS, it was meant as a general pointer, sorry. :)

Best check out our docs too to understand Policy Based Routing:

https://docs.opnsense.org/manual/how-tos/multiwan.html
Hardware:
DEC740

Quote from: viragomann on July 07, 2025, 06:47:51 PM
Then add a firewall rule to the LAN, at destination select any and at port specify the alias you've created before, go down to gateway and select gateway1.
Save it and move this rule up to the top.

Instead of the destination ports you can also specify certain source IPs if this is more eligible for your use case.

This did it:
Action: pass
Interface: LAN
Direction: in
Protocol: TCP
Source: single host/net, the IP of the SMTP server
Destination port range: the port type alias
Gateway: GW1

Perfect, thank you so much!

Thinking about it, what works so well for SMTP won't work for VoIP because port type aliases do not accept port ranges. The SIP port range that we use is 5060-5090, and RTP is 10000-20000. Are there any tricks to support that?

Use "5060:5090" for a range.

It's documented. 😉

https://docs.opnsense.org/manual/aliases.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 07, 2025, 08:08:11 PM
Use "5060:5090" for a range.

It's documented. 😉

https://docs.opnsense.org/manual/aliases.html

Ah, I see! Instead of the dash, the port range uses a colon. That explains why I saw 'invalid port'. It's not a very common range delimiter, but it works anyway.

Thanks for the tip!
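The following is an added example, not code from the thread or from OPNsense itself: a small Python model of what the advice above amounts to. It parses a port alias using the colon range syntax from the aliases documentation (rejecting the dash form with the same 'invalid port' outcome the thread hit), evaluates a LAN rule list top-down with first match winning (which is why the explicit-gateway rule has to sit above the catch-all), and falls back to a tiered gateway group for everything else. The mail server address, phone subnet, SMTP port list and the separate UDP rule for SIP/RTP are constructed assumptions; the thread's working rule was TCP-only, so VoIP traffic, which is normally UDP, is modelled here as its own rule.

```python
"""Model of OPNsense-style policy-based routing: a port alias with "low:high"
ranges, a first-match rule list, and a tiered gateway group as the fallback.
Addresses, ports and rule names below are constructed for illustration."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# One alias entry is a single port ("25") or a colon-separated range ("5060:5090").
PORT_ENTRY = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_port_alias(entries: List[str]) -> List[Tuple[int, int]]:
    """Parse port alias entries into (low, high) tuples.
    A dash-separated range such as "5060-5090" does not match the pattern and
    is rejected, mirroring the 'invalid port' error seen in the thread."""
    ranges = []
    for entry in entries:
        m = PORT_ENTRY.match(entry.strip())
        if not m:
            raise ValueError(f"invalid port: {entry!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"invalid port: {entry!r}")
        ranges.append((low, high))
    return ranges


def port_in_alias(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(low <= port <= high for low, high in ranges)


@dataclass
class Rule:
    name: str
    proto: Optional[str]                        # "tcp", "udp" or None for any
    source: Optional[str]                       # source network, None for any
    dst_ports: Optional[List[Tuple[int, int]]]  # parsed alias, None for any
    gateway: str                                # explicit gateway name


@dataclass
class Flow:
    proto: str
    src: str
    dst_port: int


@dataclass
class Gateway:
    name: str
    tier: int
    up: bool = True


# Constructed example policy (documentation addresses, not real hosts).
MAIL_SERVER = "192.0.2.10/32"                                  # assumed mail server IP
PHONES = "192.0.2.64/26"                                       # assumed phone subnet
SMTP_PORTS = parse_port_alias(["25", "465", "587"])            # assumed SMTP ports
VOIP_PORTS = parse_port_alias(["5060:5090", "10000:20000"])    # SIP and RTP from the thread

# Order matters: the explicit-gateway rules sit above the catch-all, as advised.
RULES = [
    Rule("SMTP out via GW1", "tcp", MAIL_SERVER, SMTP_PORTS, "GW1"),
    Rule("VoIP out via GW1", "udp", PHONES, VOIP_PORTS, "GW1"),
]
# Gateway group from the thread: GW2 in tier 1, GW1 in tier 2.
GATEWAY_GROUP = [Gateway("GW2", tier=1), Gateway("GW1", tier=2)]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.source is not None and ip_address(flow.src) not in ip_network(rule.source):
        return False
    if rule.dst_ports is not None and not port_in_alias(flow.dst_port, rule.dst_ports):
        return False
    return True


def pick_from_group(group: List[Gateway]) -> Optional[str]:
    """Lowest tier number that is still up wins; a higher tier is only used
    once every lower tier is down (weights only matter within one tier)."""
    up = [g for g in group if g.up]
    return min(up, key=lambda g: g.tier).name if up else None


def route(flow: Flow, rules=RULES, group=GATEWAY_GROUP) -> Optional[str]:
    """Top-down, first match wins; anything unmatched falls through to the group."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.gateway
    return pick_from_group(group)


if __name__ == "__main__":
    for f in (Flow("tcp", "192.0.2.10", 25),
              Flow("udp", "192.0.2.70", 5061),
              Flow("tcp", "192.0.2.20", 443)):
        print(f, "->", route(f))
```

Swapping the two lists in `RULES` around, or moving a catch-all rule above them, changes the result for the SMTP and VoIP flows: that is the behaviour the "move this rule up to the top" step protects against. Marking GW2 as down in the group shows browsing failing over to GW1 while the explicit rules keep pinning mail and voice to GW1 regardless of the group state.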