i have been trying to set up a working home network in opnsense with multiple vlans and wan connections,
my current setup:
i have connected my isp router/modem unit to opnsense in bridge mode
i have a private ipv4 (cgnat) and a global ipv6 address; i have dialed multiple pppoe sessions using the same credentials to request multiple /64 ipv6 prefixes, as the isp only allows a single /64 prefix per pppoe session
vlan 1 → 192.x.x.x/24 subnet - for my home devices (laptops,smartphones etc)
vlan 2 → 10.x.0.0/24 → for homelab (jellyfin,immich etc)
vlan 3 → 10.x.0.0/24 → for public hosted lxcs/vms (either via dynamic ipv6 or cloudflare tunnels)
for each of my vlans i have dialed a new pppoe session and requested a /64 prefix via dhcp6
so currently i have 4 pppoe sessions running (1 in my isp router and 3 in my opnsense vm)
i was able to set up a unique ipv6 prefix for each vlan, but ipv4 for all vlans works through only one active WAN
it seems that opnsense can't route traffic in a multiwan setup if all the wan connections have the same gateway ip (i tried enabling monitor ip to force different routing table entries but it didn't work)
i am also not sure if it's really the same-gateway problem, but seeing how both opnsense and the isp router/modem unit can dial their own pppoe session and work normally, i don't think my isp is responsible for this.
so currently each of my vlans has its own ipv6 /64 prefix and they work separately, but for ipv4 all the traffic goes through only one active wan pppoe connection, even though each wan interface has a successful pppoe session
doesn't seem like a big problem, as everything works as long as i allow ipv4 traffic from all the vlans to go through the active wan, but then all my traffic (home devices, homelab, public services) goes through one single wan interface, so my 200mbps bandwidth is shared between all the vlans. i don't know if this is normal, but even though i am using the same pppoe credentials i get my max bandwidth on both the isp router and opnsense, so basically i get 400mbps aggregate speed on my 200mbps plan
that's why i am looking for a way to force each vlan's traffic to its own connected wan interface, to maybe get 800mbps aggregate speed and isolate each vlan's traffic from the others (does this make it more secure?)
has anyone faced this?
would it be better to create another instance of openwrt/opnsense to route ipv4 traffic through it for the different vlans?
would it make the isp notice something and block me from dialing multiple sessions if i do use this to get 800mbps speed?
AI generated TL;DR
Goal: Running OPNsense on Proxmox. Dialed 4 concurrent PPPoE sessions to get unique IPv6 prefixes.
The Issue: IPv4 routing fails because isp assigns the same Gateway IP to all sessions, causing OPNsense to force all traffic through a single WAN.
The Opportunity: My 200Mbps cap appears to be per-session. I want to route VLANs to specific WANs to reach 800Mbps aggregate speed.
Questions:
How do I fix OPNsense routing when all Gateways are identical?
Should I switch to separate OpenWRT VMs for each VLAN?
Is there a ban risk for pulling 4x my rated speed?
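As an added illustration of the problem in the post (this is not code from the thread or from OPNsense), the script below parses FreeBSD-style `ifconfig` output, which OPNsense uses, and reports which PPPoE WANs share the same peer (gateway) address, so that per-VLAN routing for those WANs has to be bound to the interface rather than selected by gateway IP. The interface names, addresses and VLAN-to-WAN map are constructed sample values, and the rule-generation side (OPNsense gateway groups or firewall rules with a gateway set) is left to the reader.

```python
"""Added example, not from the thread: parse FreeBSD/OPNsense `ifconfig`
output and flag PPPoE WANs whose peer (gateway) address is identical, the
condition the post describes. All names and addresses are constructed."""
import re
from collections import defaultdict

SAMPLE_IFCONFIG = """\
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
\tinet 100.64.1.10 --> 10.0.0.1 netmask 0xffffffff
pppoe1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
\tinet 100.64.1.11 --> 10.0.0.1 netmask 0xffffffff
pppoe2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
\tinet 100.64.1.12 --> 10.0.0.1 netmask 0xffffffff
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
P2P_RE = re.compile(r"^\s+inet (\S+) --> (\S+) netmask")  # p2p lines only

def parse_p2p_links(text):
    """Return {iface: (local_ip, peer_ip)} for point-to-point interfaces."""
    links, current = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            continue
        p2p = P2P_RE.match(line)
        if p2p and current:
            links[current] = (p2p.group(1), p2p.group(2))
    return links

def shared_gateways(links):
    """Peer address -> WAN interfaces reaching it, for peers used by >1 WAN.
    These are the WANs a gateway-IP-based multi-WAN rule cannot tell apart."""
    by_peer = defaultdict(list)
    for iface, (_, peer) in links.items():
        by_peer[peer].append(iface)
    return {p: sorted(i) for p, i in by_peer.items() if len(i) > 1}

def routing_plan(vlan_to_wan, links):
    """Per VLAN: 'by_gateway' if its WAN's peer is unique, 'by_interface' if
    the WAN must be selected by interface instead, 'missing' if no such WAN."""
    ambiguous = {i for ifs in shared_gateways(links).values() for i in ifs}
    plan = {}
    for vlan, wan in vlan_to_wan.items():
        plan[vlan] = ("missing" if wan not in links
                      else "by_interface" if wan in ambiguous else "by_gateway")
    return plan
```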
Have you considered using Sophos Home Edition for firewall protection and Proxmox Virtual LAN for management instead of OPNsense to identify any issues with your FTTH ISP?
Interesting, didn’t realise this was allowed. When I tried it a while ago, the second session never got established, timeout. I tried it on a Mikrotik device.
Do you know if this multiple session bug/feature is available in all regions?
never tried sophos and it would be too much work to shift from opnsense. i am already using proxmox virtual interfaces; i have 2 physical lan ports on my server and i have virtualised 4 interfaces for the opnsense vm on these ports
idk if it's available everywhere, but when i was searching forums i didn't find anyone who didn't have it; they had ipv6 disabled entirely but multiple pppoe was working, but i am not sure
what problem were u facing? did it not start another pppoe session at all, or was it creating another session but not giving out a /64 prefix?
Excellent! In that case you can play around using the virtual interfaces to identify where the fail occurs. Like, which PPPoE session gets dropped when, in what order, and whether MAC based blacklisting happens at all?
yeah the only thing i found that is similar to that was monitor ip in opnsense, which creates different routing entries; this solution works on pfsense according to the forum and also on some opnsense versions, but it didn't work for me
there's no mac based blacklisting for me, and all the pppoe sessions seem to be online from the opnsense webui, but opnsense routes the traffic through only one of them; the other 2 are always idle
In that case, you need to change up the design with the sole purpose of 4Xing your connection speed, since the ISP modem allows for this right now in bridge mode. Using VLANs and PPPoE sessions is smart, but the connection speed is regulated at the point of termination on the ISP side, and they may limit concurrent active sessions at full throughput (~800 mbps).
yeah i shouldn't be greedy lol, ig i will just leave it as it is for now, i can always change the design if it feels like the speed is limiting, i just hope i don't lose this bug/feature
I would suggest running a single additional VM and checking if it gives the additional 200M speed you want. If it works, then you have an idea of how to work with it. If it doesn't work, just use it as is without changes, assuming you want the additional IP prefixes.
If it works, I would recommend running an additional openwrt (small) which will act as a different gateway IP - solving your issue.
Since opnsense is forked from pfsense, this issue of multiwan with the same gateway was there in pfsense earlier. For most, it's not an issue, but I remember this did not work for us years ago, when we wanted more bandwidth than we could get from one line - so 2 lines, same ISP, but same issue. Scrapped the plan. This was from 2 different lines with different POPs.
Coming to whether what you are doing is - well - problematic - I would say it's not much. This comes under part of AAA - and it's the ISP's fault for not doing something so basic. If the ISP is not accounting for multiple logins - well - they should learn sooner rather than later.
Skip Sophos - opnsense/pfsense/openwrt are the best here.
Yeah that's what I was thinking, rn i feel like i have enough bandwidth (also don't want to get the attention of the isp) but I will try checking if it works by creating another openwrt instance if i feel the need in the future.
Regardless of the strategies you use to deal with your ISP, it’s advisable to either redirect all outbound DNS traffic to your own resolver or block ports 53 and 853 after setting up your self-hosted DNS server. Be sure to disable any DNS relay or DNS proxy settings in your configuration. Happy tinkering, brother!