Question for static routes failover
-
Dear community,
I have a routing question regarding my actual network infrastructure.
Initially, we connected our remote Office to our HQ with an IPSec VTI connection through our WAN Internet Providers. All networks were correctly communicating together based on static routes I have defined on both sides.
We recently configured a CWDM 1Gbps link that allows us to make a direct connection between our HQ and Remote Office without going through an internet IPSec tunnel. I then changed my static routes to use gateways that are located in an "Interco" L2 VLAN that is propagated between our two sites. This works like a charm.
Now I would like to have a kind of failover possibility: if the CWDM link goes down, I would like the pfSense boxes to switch automatically to the IPSec link (which is still configured and available). I can do it manually by replacing the CWDM gateways with the IPSec gateways.
I then thought I would be able to do that by creating a gateway group, with the CWDM gateway in Tier 1 and the IPSec gateway in Tier 2, but unfortunately a gateway group is not usable in static routes.
Does anybody know how I could simply achieve that with my current configuration?
Below, a simplified schema of our infrastructure and its interconnection:
Many thanks in advance for your ideas and input.
Best regards
Vincent -
@vinzcenzo
You can go with policy routing rules. In the rule you can select the gateway group. -
@viragomann thanks for your answer.
I already checked that (read it in another post related to failover), but was not convinced (maybe I'm wrong).
If I correctly understand, using the policy routing group is the only way to achieve that failover?
But it means that for each rule I created for my communication with my HQ I need to manually specify the group of gateways.
It is fine when we have only a couple of rules, but by design I avoid "any-any" rules between my subnets, meaning I have hundreds of them to modify, and in terms of maintenance it's a bit painful.
Is it as reliable as using static routes?
Maybe a dumb question, but apart from the fact that it is not implemented in pfSense, is there a good technical reason not to allow the use of gateway groups with static routes? I should not be the only one who would like to prioritize routes in a failover scenario.
But anyway, I will evaluate the least worst way to modify that in my environment.
Thanks again
-
@vinzcenzo said in Question for static routes failover:
If I correctly understand, using the policy routing group is the only way to achieve that failover?
But it means that for each rule I created for my communication with my HQ I need to manually specify the group of gateways.
Exactly.
Maybe you can reduce your rule number by using aliases for source and destination IPs and ports.
@vinzcenzo said in Question for static routes failover:
but apart from the fact that it is not implemented in pfSense, is there a good technical reason not to allow the use of gateway groups with static routes?
I can't think of any. Possibly static routes are meant for other purposes than this.
Maybe @jimp can answer your question.
-
Maybe you can reduce your rule number by using aliases for source and destination IPs and ports.
Already done... (20 subnets, ~200 device aliases, ~50 groups of devices, and ~15 groups of ports.)
-
@vinzcenzo Maybe look at the FRR routing daemon.
https://www.netgate.com/resources/videos-dynamic-routing-with-frr-on-pfsense
Think you also might need to run routed IPsec (VTI) to use FRR.
-
I will have a look at the video, but I don't know if it could be applicable in my case.
My very basic knowledge of OSPF (never used it) is that it evaluates path costs in complex network infrastructures and dynamically updates complex routing tables.
I have only two physical "routers" with two interfaces each:
- one interface on the CWDM spanned subnet
- one interface on the IPSec interface
I will check if I can do something with that, thanks for the input
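As an added illustration of the FRR/OSPF approach suggested above (not configuration from any poster in this thread), here is a minimal frr.conf for the HQ pfSense: the CWDM Interco VLAN gets a low OSPF cost and the IPsec VTI a high one, so the VTI route is only installed when the CWDM adjacency is lost, and both interfaces authenticate their hellos. Interface names, router ID, prefixes and the key are hypothetical; the remote site mirrors this with its own router ID and LAN prefixes.

```text
! frr.conf on the HQ pfSense (hypothetical names and addresses)
router ospf
 ospf router-id 10.255.0.1
 ! only form adjacencies on the two site-to-site interfaces
 passive-interface default
 no passive-interface vlan_interco
 no passive-interface ipsec1000
 network 10.255.0.0/24 area 0      ! Interco L2 VLAN over the CWDM link
 network 10.254.0.0/30 area 0      ! IPsec VTI transit /30
 network 10.10.0.0/16 area 0       ! HQ LANs advertised to the remote office
!
interface vlan_interco
 ip ospf cost 10                   ! preferred path
 ip ospf hello-interval 1          ! detect a dead CWDM peer in ~3 s,
 ip ospf dead-interval 3           ! even if the local port stays "up"
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
!
interface ipsec1000
 ip ospf cost 100                  ! backup path, loses to cost 10 while CWDM is up
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
```

With this in place the per-subnet firewall rules keep their default gateway and need no gateway group; `show ip ospf neighbor` and `show ip route ospf` in vtysh confirm which path is active after pulling the CWDM link.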