OPNsense 16.x/17.x default gateway #1874

Closed
epicavic opened this issue Oct 11, 2017 · 14 comments
Labels
support Community support

Comments

@epicavic

Hello,

openvpn setup:

  • latest openvpn version (17.7.5) (older versions are affected also)
  • 2 wan links with static ip's (static ip configuration on interfaces)
  • wan failover group (tier1-tier2/member down) (all LAN traffic router via wan_failover GW)
  • WAN_1_GW - default gw (0.0.0.0/0 via WAN_1_GW)

issue description:
"System-Gateways-All-WAN_2_GW-Edit-Default gateway-check-Save"
https://example.com/system_gateways_edit.php?id=1

  • when i'm connected to router from WAN and trying to change default gateway, i'm losing all the connectivity to opnsense (icmp, vpn, port forwarding)
  • wan_failover group works fine though. people from LAN still have an internet connection
    it looks like opnsense disables the old default route and does not enable the new one

P.S.
as it turned out, it's required to press the Apply button to apply settings
but it's impossible to do when you're making changes from WAN

proposal:
i guess you need to do save and apply in one step (in GW edit dialog)

@mimugmail
Member

Do you have Gateway switching enabled?

@epicavic
Author

Opnsense 17.7.5
Firewall - Settings - Advanced - "Gateway Switching" - not checked
Opnsense 16.7.14
System - Settings - General - "Gateway Switching" - checked

i have tried with it disabled on 17.x and enabled on 16.x
behavior seems to be the same
as soon as you mark WAN_2_GW as default GW and press "Save" button - you're losing connection to router from WAN

@mimugmail
Member

Can you try with Gateway Switching enabled on 17.7?
For me this works fine ... WAN1 static, WAN2 dhcp. Both static should be more stable than mine ...

@fichtner fichtner added the support Community support label Oct 12, 2017
@fichtner
Member

This is a bit unclear... most of all why is switching the default gateway necessary when you are using a gateway group?

Please set Firewall: Settings: Advanced: "Use sticky connections"

when i'm connected to router from WAN and trying to change default gateway, i'm losing all the connectivity to opnsense

Which WAN? Both WANs or just while connecting via the default one, switching to the non-default one?

@epicavic
Author

This is a bit unclear... most of all why is switching the default gateway necessary when you are using a gateway group?

  • i mistakenly configured default gateway for secondary ISP and wanted to change it to primary ISP
  • i do not use gateway groups for openvpn server (not sure if it's possible. i've seen gateway groups setup for LAN but haven't seen anything related to gateway groups and openvpn. i guess in theory openvpn server can also use gateway groups)

Which WAN? Both WANs or just while connecting via the default one, switching to the non-default one?

  • connected via non-default WAN, switching it to default
  • will try to set 'Use sticky connections' - but i don't know if it will help - because i do not use Load Balancing (just Failover with gateway groups)

@epicavic
Author

epicavic commented Oct 13, 2017

let's imagine scenario:
WAN1 - primary ISP (primary), WAN2 - secondary ISP
WAN1-GW - default GW
WAN1_GW/WAN2_GW - monitoring - enabled (8.8.8.8, 8.8.4.4), gateway switching - enabled, sticky connections - disabled
WAN1_GW and WAN2_GW - configured as Failover Group
LAN - all traffic (except DNS) routed via Failover group
Openvpn - configured on WAN1 and WAN2. no gateway specified (use default * gw)
Openvpn authentication - AD/LDAP based

IF WAN1_GW does not respond for some reason, while the WAN1 link is UP (has ip's assigned),
what would happen?

  • most probably LAN users would be able to reach internet because they all are routed via Failover Group
  • WAN1 openvpn clients will be switched to WAN2 by the openvpn client after default timeout

the question is - would the openvpn server on WAN2 reach the LDAP/AD authentication server?
as far as i understood, opnsense does default gateway switching only in the case the WAN1 interface is down.

@mimugmail
Member

Please use sticky connections. Nonetheless you have to change OpenVPN to TCP mode, then you can achieve multi wan on local machine.

@epicavic
Author

epicavic commented Oct 13, 2017

  • will try with sticky connections
  • no need to use TCP mode. i have configured 2 openvpn servers in UDP mode (one for every WAN interface)

@mimugmail
Member

mimugmail commented Oct 13, 2017 via email

@mimugmail
Member

@epicavic Any news?

@epicavic
Author

looks like the "sticky connections" did the trick (opnsense 16.7.7)

  • "sticky connections" - enabled
  • "gateway switching" - enabled
  • WAN1_GW - default
steps:
  • logged in from internet on WAN2 interface
  • navigated to System-Gateways-All-WAN2_GW - and set it as default GW - pressed Save
  • lost connection with WAN2 interface for about 10 sec (i've pinged both WAN1 and WAN2 interfaces continuously)
  • pressed 'Apply'
  • checked routes - default route has changed
  • reverted default GW back to WAN1_GW
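The route check in the steps above can be done from the existing session before it is put at risk. The following is an added example, not code from the OPNsense project: it parses a `netstat -rn -f inet` style dump (constructed snapshots, with 203.0.113.1 standing in for WAN_1_GW) and reports whether an IPv4 default route is present, which is the state the reporter saw break between "Save" and "Apply".

```shell
#!/bin/sh
# Added example (not OPNsense code): verify the IPv4 default route from a
# routing-table dump so the Save/Apply state can be checked before a
# management session over a WAN interface is disconnected.

# Print the gateway of the IPv4 default route, or nothing if there is none.
# $1 is text in the format of `netstat -rn -f inet` on FreeBSD/OPNsense.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Succeed (exit 0) when a default route exists, fail (exit 1) otherwise.
has_default_route() {
    [ -n "$(default_gw "$1")" ]
}

# Constructed snapshot: normal state, WAN_1_GW (203.0.113.1) is default.
SNAPSHOT_BEFORE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#2             U           em1
203.0.113.0/24     link#1             U           em0
198.51.100.0/24    link#3             U           em2'

# Constructed snapshot of the state described in the thread after "Save":
# the old default route is gone and the new one has not been installed.
SNAPSHOT_AFTER_SAVE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#2             U           em1
203.0.113.0/24     link#1             U           em0
198.51.100.0/24    link#3             U           em2'

# On the firewall itself the live table would be passed instead:
#   default_gw "$(netstat -rn -f inet)"
if has_default_route "$SNAPSHOT_AFTER_SAVE"; then
    echo "default route present via $(default_gw "$SNAPSHOT_AFTER_SAVE")"
else
    echo "WARNING: no default route; press Apply (or revert) before disconnecting"
fi
```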

@fichtner
Member

thanks for the feedback!

@AdSchellevis should we enable sticky connections by default in 18.1 config.xml ?

@AdSchellevis
Member

@fichtner I can't think of a real downside of changing the default, so it's fine by me to change this

@fichtner
Member

perfect, thanks, consider it done

fichtner added a commit that referenced this issue Nov 28, 2017