LAN Interface with it's own external gateway

[skb1]

Hi all,
I'm running a pilot OPNsense deployment on bare metal and encountered a problem related to LAN access.
Setup:

- LAN interface with a static IP and an upstream gateway (external router)
- WAN1 and WAN2 in different VLANs with static public IPs and gateways
- Web UI is accessed via the LAN interface
- LAN needs to route traffic through its own upstream router, not through WAN

Issue:
As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.

Even with a firewall rule like:
    Source: LAN net
    Destination: This firewall
    Gateway: default or specific
    Advanced: Disable reply-to → enabled

...the connection is lost.

Tried:
    Removing all default gateways — Web UI becomes reachable again
    Adding a static route for the LAN subnet via the upstream LAN gateway
    Testing different firewall rule orders and combinations
    pfctl -d does not restore access

Goal:
I want to maintain stable access to the Web UI via LAN (which routes through its own upstream router) while still having a default gateway active on WAN for general internet access.

Is there a correct or recommended way to achieve this in OPNsense?

Thanks in advance!

[viragomann]

As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.

You access the Web UI from a LAN device or from outside?

Access from the LAN subnet should be possible at all. If that's not working check the network settings on the involved devices.

[Strator]

You need a default gateway. It needs to be for your WAN interface. WAN is the OPNsense upstream interface, not LAN.

You need a gateway for your LAN interface. Its IP address needs to be the SVI address of the corresponding subnet. Do not mark it as an upstream interface. It is not an upstream interface as far as OPNsense is concerned. I also mark it as down and disable its monitoring to avoid any surprises. OPNsense is this kind of product that wants to be everything on your network and some of its default setting or wording of it are difficult to digest if you want to use it differently.

You need those static routes to your LAN subnets. All of them! Actually to interface my routing switch with OPNsense, I use a subnet that is in a different IP range that my LAN network. This makes it possible to use just one summary static route with /16 instead of multiple /24.

Of course, you need to have adequate firewall rules. Start with allow ANY to ANY and, once you make it work, set them up according to your requirements.

[skb1]

As soon as I assign a default gateway (e.g., WAN1) under System → Routing → Gateways, access to the Web UI over LAN breaks.

You access the Web UI from a LAN device or from outside?

Access from the LAN subnet should be possible at all. If that's not working check the network settings on the involved devices.

Thank you!

[skb1]

You need a default gateway. It needs to be for your WAN interface. WAN is the OPNsense upstream interface, not LAN.

You need a gateway for your LAN interface. Its IP address needs to be the SVI address of the corresponding subnet. Do not mark it as an upstream interface. It is not an upstream interface as far as OPNsense is concerned. I also mark it as down and disable its monitoring to avoid any surprises. OPNsense is this kind of product that wants to be everything on your network and some of its default setting or wording of it are difficult to digest if you want to use it differently.

You need those static routes to your LAN subnets. All of them! Actually to interface my routing switch with OPNsense, I use a subnet that is in a different IP range that my LAN network. This makes it possible to use just one summary static route with /16 instead of multiple /24.

Of course, you need to have adequate firewall rules. Start with allow ANY to ANY and, once you make it work, set them up according to your requirements.

Thank you!! We've done just like that. But i wouldn't say that this is okay and that this is comfort way to work with OPNsense)

[Patrick M. Hausen]

But i wouldn't say that this is okay and that this is comfort way to work with OPNsense

What do you mean? This is exactly how it is supposed to work. That's networking basics, really.

Your single default gateway always points to "the Internet". For any internal networks that might be behind an internal gateway, you need a static route. Every router works that way.

[Seimus]

By default every router, FW; any device capable routing consists only from:
A. Directly attached networks
B. Default route

A. Directly attached networks
these are your RFC1918 networks mostly, e.g networks you configure as Interfaces on your Device e.g LAN 192.168.1.1/24 (subnet 192.168.1.0/24 ). This will create a Directly attached route pointing to the Interface LAN

B. Default route
is the 0.0.0.0/0 which sends all the traffic that didn't match any more specific route to the configured GW

By default to route traffic From LAN to WAN, and WAN to LAN these two routes are all you need. If there is a traffic for destination example 10.10.10.10/24, but the device doesn't have any route for it, it will be catched by B. Default route cause there is no more specific route.


As mentioned by the others "these are networking basics".

Regards,
S.