The OPNSense device initiates a routing cycle repeatedly
#1 snoozebaseball (Junior Member), 10-31-2024, 09:31 PM
I have a configuration with a TP-Link router as my primary gateway and an OPNsense device in my lab. I'm still getting familiar with OPNsense and prefer to avoid disrupting the whole setup. In the TP-Link router, a static route points to the OPNsense server, which functions smoothly. The problem arises because OPNsense generates routes that create a loop. For example, a device on a VLAN behind the OPNsense router keeps triggering a route for a specific IP address, causing traffic to circle instead of flowing through the correct VLAN interface. Can I prevent OPNsense from establishing this particular route?

#2 unicorn520 (Member), 11-01-2024, 08:18 AM
We should clarify your environment here. It appears you’re managing everything remotely in your home lab, right? Is Opnsense also virtualized? Which hypervisor are you using? I usually run PFSENSE virtually on my lab but use a dual-port Intel NIC through Proxmox to simulate real networking. The WAN connects to PFSENSE via a static IP from your main router, while the LAN exits through another port. After connecting the LAN cable to a managed switch, everything functions normally. The Proxmox host is plugged into that switch, and because Proxmox supports VLANs, you can assign VM tags accordingly. This setup works entirely in a virtual space, though I find the cost of a 30-dollar NIC to be excessive compared to the inconvenience it causes. If you provide an actual physical PCIe NIC to Opnsense, you could route the static WAN IP directly into the WAN port and connect the LAN cable straight to the host’s Ethernet port or hypervisor. In that case, the hypervisor would run entirely under Opnsense at the physical layer. Opnsense must be operational for your host to function, but you can still connect a PC or laptop directly to the host and manage it manually if needed. I manage my whole network this way. PFSENSE serves as my edge router. If PFSENSE fails, the entire network collapses, including the Proxmox host. It’s not the best setup, but it works if you’re comfortable with it. Starting small in your lab is a solid approach.

#3 AgustinM_ (Junior Member), 11-21-2024, 06:20 AM
I see, this seems to be a more specific networking challenge. I understand that switching everything online is complicating things, but I'm also curious about how VLANs function for security cameras or similar setups down the line. From a hardware standpoint, I'm running an Intel i350-T4 with all ports routed through a VM on Unraid using OPNSense virtualization. Only one port is active since it doesn't affect my VLAN setup, which connects the rest of my gear to the managed switch. When certain devices attempt DNS access via the Pi-Hole, they go through the router in a chain: OPNSense, TPLink, then OPNSense again. This loop continues until the router automatically creates a new route directing traffic from 10.20.110.2/32 through the WAN port to the TPLink router instead of using the standard VLAN path. Pinging the DNS container ends up with a "TTL expired" error, which clears the route and resolves the issue. I’m still puzzled about why this route is being generated repeatedly.

#4 Tanhu (Member), 11-28-2024, 04:52 AM
The connection stops here, unfortunately.

#5 mishy07 (Senior Member), 11-28-2024, 05:02 AM
I prefer working directly with hardware since it's simpler to understand what's happening when you interact with physical ports. Many times I've questioned why devices fail because I misconfigured the VLANs on my switches.

#6 Abdo687 (Junior Member), 11-28-2024, 06:37 AM
Yeah, same. I manage multiple VLANs and run VMs and containers in different ones inside Proxmox. From a setup point of view, it’s mostly just physical networking. I’m not mixing WAN and LAN traffic over the same cables or tweaking hypervisor routing like that. My mind keeps getting confused. If you connect a physical NIC to OPNSENSE, it should be straightforward… except when devices on the WAN side need to reach the LAN side. My brain also hates router logic. I’ve never done this before, so I’m unsure what steps to take. Do you need to open ports for WAN to LAN? Are LAN devices being NAT’d? I think so. Probably.

#7 Nero12321 (Posting Freak), 11-28-2024, 12:17 PM
I'm focusing on the part I'm attempting and still struggling with. Using baremetal doesn't seem to solve the problem, as the VLAN interface in my diagram would just be another physical port instead of being routed through VLANs. Traffic flows and stays isolated until OPNSense updates its routing table. The issue lies in how OPNSense decides the best path for packets going from OPNSense WAN to OPNSense VLAN. It thinks the optimal route is to send traffic back out via the main router, which routes it back to OPNSense WAN, rather than through the VLAN interface directly. The routing table has an entry for [10.20.110.0/24 -> VLAN interface], but a new entry appears automatically for [10.20.110.2/32 -> WAN Interface, Gateway 192.168.1.1], creating a loop. I don't understand why OPNSense chooses that specific route when it has direct access to the interface already used by the network.
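As an added illustration, not code from the thread, here is a small checker that parses `netstat -rn` output and flags exactly the pattern described in this post: a dynamic host route (FreeBSD flag D, which the kernel installs when it accepts an ICMP redirect) that overrides a directly connected VLAN route on another interface. The netstat sample is constructed around the two routes quoted above; the interface names and any other addresses are assumptions.

```python
import ipaddress

# Constructed `netstat -rn` excerpt from a FreeBSD/OPNsense box, modelled on the two
# routes quoted above. Interface names (vtnet0 = WAN, vtnet0.110 = VLAN) are assumed.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS      vtnet0
10.20.110.0/24     link#3             U    vtnet0.110
10.20.110.1        link#3             UHS         lo0
10.20.110.2        192.168.1.1        UGHD     vtnet0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U        vtnet0
192.168.1.50       link#1             UHS         lo0
"""

def parse_routes(text):
    """Return (network, gateway, flags, netif) tuples for the IPv4 rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gw, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            try:
                net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
            except ValueError:
                continue
        routes.append((net, gw, flags, netif))
    return routes

def find_redirect_routes(text):
    """Return (host_route, gateway, netif, shadowed_route, shadowed_netif) for each
    dynamic host route (flag D: the kernel accepted an ICMP redirect) that overrides
    a directly connected route living on a different interface."""
    routes = parse_routes(text)
    findings = []
    for net, gw, flags, netif in routes:
        if "D" not in flags or "H" not in flags:
            continue
        for cnet, cgw, _, cnetif in routes:
            if (cgw.startswith("link#") and cnet.prefixlen < net.prefixlen
                    and net.network_address in cnet and cnetif != netif):
                findings.append((str(net), gw, netif, str(cnet), cnetif))
    return findings

for host, gw, via, shadowed, good_if in find_redirect_routes(SAMPLE_NETSTAT):
    print(f"{host} via {gw} on {via} overrides {shadowed} on {good_if}")
```

On the real box the D flag is the thing to look for: such a route can be removed with `route delete`, and setting the FreeBSD sysctl `net.inet.icmp.drop_redirect=1` stops the kernel from accepting further redirects and re-creating it.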

#8 Wiicarbon (Member), 11-30-2024, 11:19 PM
Additionally, this configuration seems off and isn't suitable for my primary routing setup. It bothers me because the issues I'm encountering aren't what I anticipated in such an unusual routing arrangement.

#9 Linda (Member), 12-01-2024, 07:15 AM
Sure, I get it. You’re not wrong about the need for physical presence, but figuring out how routers handle multiple subnets can be tricky. It seems like the problems you’re facing might be beyond my usual scope.

#10 Magic_Wolf_ (Senior Member), 12-01-2024, 12:51 PM
Let me know if you'd like me to rephrase it further.