[SOLVED] Intermittent traffic drops

Started by issuing_scone, December 21, 2025, 06:19:50 PM

December 21, 2025, 06:19:50 PM Last Edit: December 22, 2025, 10:54:09 PM by issuing_scone
Hello,

My network currently has the following requirements:

* All specified devices must always be connected to the internal network.
* All specified devices must always exit the network via the company-provided VPN service.
* All specified devices must kill-switch, so if the company-provided VPN drops, all devices must too.

In isolation, without all three being active at once, the current setup in OPNsense works.

I have followed the kill switch guide that is available here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, and set up the local tag NO_WAN_EGRESS for LAN and with a match for the Floating Rule.

However, when I create that blocking rule, the WireGuard always-on devices drop access to the external network and solely function internally.

I can see in Live View that, indeed, it is blocking traffic, but despite several configurations including a literal any / any, the traffic is still blocked by the "Default deny / state violation rule". Further, it is intermittent, so that devices will occasionally connect to external websites, or a ping will execute 5 times correctly, before then dropping, dying and being blocked again.

I cannot for the life of me figure out what causes the intermittent drop where it will work 40% of the time and not the rest. I also cannot figure out why the NO_WAN_EGRESS rules interfere with the WireGuard clients.

I've attached all the images I had space to attach because 256KB is the limit. Do note that all firewall rules for WG have the NO_WAN_EGRESS tag. Further, the WAN interface has no rules.

WireGuard_Devices contains two test devices that have WireGuard installed and are connected to the firewall. Their IP addresses are 10.5.0.1 and 10.4.0.1.

December 22, 2025, 10:44:51 PM #1 Last Edit: December 22, 2025, 10:55:01 PM by issuing_scone
Solution was simple and an oversight on my part.

I had created a NAT outbound rule for LAN devices, but I had forgotten to make one for WireGuard devices. The reason the result was intermittent was because the firewall was allowing traffic until sessions died, at which point it would begin blocking attempts to renew sessions that were expired.

While Live View showed traffic being blocked by the default deny rule on the VPN interface, that stopped when the NAT outbound rule was made, meaning that the kill switch etc. were not interfering, but just appeared to be part of the cause while they actually weren't. It also explains why the any / any allow rule didn't do anything: it wasn't a firewall rule causing the block.

Sleeping on an issue does wonders. :-)
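To show the two states the reply describes side by side, here is an added pf-style fragment; it is not the poster's configuration and not what OPNsense generates verbatim from the GUI. The interface names lan, wan, wg_devices (tunnel toward the devices) and wg_vpn (tunnel toward the company VPN), the LAN subnet 192.168.1.0/24 and the device subnets 10.4.0.0/24 and 10.5.0.0/24 are assumptions; policy routing of tagged traffic to the VPN gateway is omitted.

```pf
# Assumed interface names and subnets; translation rules come first in pf.conf.

# Before (the oversight): only LAN sources are translated when they leave via the VPN.
# Device traffic from 10.4.0.0/24 and 10.5.0.0/24 is passed only while an existing
# state lasts; once that state expires, new attempts are blocked by the default deny,
# which is the intermittent behaviour described in the thread.
# nat on wg_vpn from 192.168.1.0/24 to any -> (wg_vpn)

# After (the fix): the WireGuard device subnets get an outbound NAT rule as well.
nat on wg_vpn from { 192.168.1.0/24, 10.4.0.0/24, 10.5.0.0/24 } to any -> (wg_vpn)

# Kill switch from the selective-routing how-to: tag traffic on entry,
# then drop anything tagged that tries to leave on WAN instead of the VPN.
pass in quick on lan from 192.168.1.0/24 to any tag NO_WAN_EGRESS
pass in quick on wg_devices from { 10.4.0.0/24, 10.5.0.0/24 } to any tag NO_WAN_EGRESS
block out quick on wan tagged NO_WAN_EGRESS
```

On the box itself, `pfctl -sn` lists the active translation rules, which is a quick way to confirm that every source subnet that should exit via the VPN is actually covered by a nat rule on that interface.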