Netgate Discussion Forum
    How to make VPN tunnel stay on 1 gateway in a failover group

    Routing and Multi WAN
    30 Posts 2 Posters 2.5k Views
    Proton @viragomann

      @viragomann OK, I understand now.
      THX!

      One thing i forgot to mention:
      If the desired gateway is not the default gateway (but the gateway is up) I do not want the VPN tunnels to be up.
      Is there a way to solve that as well?

        viragomann @Proton

        @Proton
        As far as I know, this is satisfied with a static route (in contrast to a policy routing rule).

          Proton @viragomann

          @viragomann I tried this now, but it did not work as expected.

          The VPN is still going through the wrong gateway.
          I reset all states as well.

          Are you sure it is the endpoint/public IP I need to create a static route for, and not the virtual ones that my VPN interfaces are using? (I would need to remove the interfaces first then.)

            viragomann @Proton

            @Proton
            No. You said you have set up tunnels to Mullvad and they are terminated on pfSense itself. As you're doing load balancing, you might have at least two VPN tunnels, both going out to different VPN server IPs.
            So if you want the VPN to go only over, say, WAN1_GW, you have to add static routes for both IPs and point them to WAN1_GW.

            Of course you have to reconnect the vpn after adding the static routes.

            Connections from pfSense itself strictly obey static routes, but connections from inside your network are routed out either by the default gateway setting or by the gateway setting in a policy routing rule (both may be gateway groups).

              Proton @viragomann

              @viragomann
              This is still not working as expected:
              As soon as my "WAN1_GW" goes down, the tunnel is moved to my new default GW.
              My hope was that the tunnel would go down.

              And when "WAN1_GW" is online again, I would like the tunnel to be online as well, going out WAN1_GW.

              So I want this VPN tunnel to only go out WAN1_GW.
              I use policy-based routing, so when the VPN interface is offline, traffic will go out the default gateway without VPN.

              Is there a way to make this happen?

                viragomann @Proton

                @Proton
                I see. That's new to me.

                Assuming you have a multi-WAN setup, another option you can try is simply to block the traffic on the undesired interfaces with a floating Quick rule for direction out.
                So the connection can only go out on the other WAN interface.

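As an added illustration (not from the thread and not pfSense's own generated ruleset), here is what the floating outbound block rules described above look like in pf syntax; interface names and the endpoint addresses are constructed placeholders. On pfSense the same rules are created under Firewall > Rules > Floating with direction "out" and "Quick" ticked, so the tunnel can only be established via WAN1.

```pf
# Constructed example: interface macros are placeholders for the real WAN NICs
wan1_if = "igb0"   # WAN1 (the only interface the VPN is allowed to use)
wan2_if = "igb1"   # failover WAN, tier 1 in the gateway group
wan3_if = "igb2"   # failover WAN, tier 3 in the gateway group

# Public IPs of the VPN servers the tunnels connect to (placeholder values;
# use the endpoint/public IPs of the provider, not the tunnel's virtual IPs)
table <vpn_endpoints> { 203.0.113.10, 203.0.113.11 }

# Floating, quick, direction "out": any attempt to reach the VPN endpoints
# over WAN2 or WAN3 is dropped. "quick" stops rule evaluation at the first
# match, so a later pass rule cannot let the tunnel re-establish over a
# failover gateway. Reset states after adding this so an existing tunnel
# does not survive on an old state entry.
block out quick on { $wan2_if, $wan3_if } from any to <vpn_endpoints> \
    label "no-vpn-over-failover-wans"

# Traffic to the endpoints may still leave via WAN1 (stateful, so replies
# from the VPN servers are matched to the outbound state)
pass out quick on $wan1_if from any to <vpn_endpoints> keep state \
    label "vpn-only-via-wan1"
```

If WAN1 is the only path allowed to the endpoints, the tunnel cannot move to a failover gateway, but it will still come up whenever WAN1_GW itself is online, which is the remaining point discussed later in this thread.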
                  Proton @viragomann

                  @viragomann Close

                  We are getting closer to a solution :)

                  One issue remains: with blocking rules for the VPN endpoint on all GWs except WAN1_GW, the tunnels were forced over to WAN1_GW. That is fine.

                  But what I really want is to not use VPN when WAN1_GW is not the default gateway.

                  I only need VPN when WAN1_GW is the default gateway, to fix some VoWiFi issues.
                  This is a Starlink satellite gateway, and my cellular phones will not work over Voice over WiFi if Starlink routes the traffic outside of my country (the Starlink node is outside my country).

                  Now with this setting I will always have a VPN, it will always go out the Starlink gateway, and all LANs will use this VPN even though my default gateway is something else with a lower tier in the gateway group (failover).

                  Any more suggestions?

                    viragomann @Proton

                    @Proton
                    So use policy routing to route only certain devices out of the VPN.

                      Proton @viragomann

                      @viragomann
                      I can route cellular phones out the VPN and the rest outside the VPN, but that is not exactly what I want.
                      Starlink is a metered / expensive WAN connection, so I would use it at a bare minimum.

                        viragomann @Proton

                        @Proton

                        Seems that you have very uncommon and complex requirements.

                        @Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:

                        But what i really want is to not use VPN when WAN1_GW is not the default gateway.

                        I only need VPN when WAN1_GW is the default gateway to fix some VoWifi issues.

                        So if the WAN1_GW down trigger doesn't make you happy, what exactly triggers the default gateway? And what could be the status of WAN1_GW if it's not the default and not down?
                        How did you configure the gateway group and what are the other gateways?

                          Proton @viragomann

                          @viragomann
                          WAN1_GW never goes down. I have a failover gateway group with 3 gateways where WAN1_GW is tier 2. I also have tier 1 and 3.
                          So when it fails over to tier 2, I do not want the traffic to still go out WAN1_GW at all, VPN or other.

                            viragomann @Proton

                            @Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:

                            I have a failover gateway group with 3 gateways where WAN1_GW is tier 2. I have also tier 1 and 3.
                            So when it fails over to tier 2 i do not want the traffic to still go out WAN1_GW at all, VPN or other.

                            WAN1_GW = Tier 2
                            If it fails over to it, it shouldn't be used. 🤔
                            I think that's too high for my brain.

                              Proton @viragomann

                              @viragomann Sorry, a typo there.

                              It should be:
                              I have a failover gateway group with 3 gateways where WAN1_GW is tier 2. I also have tier 1 and 3.
                              So when it fails over to tier 1 or 3, I do not want the traffic to still go out WAN1_GW at all, VPN or other.

                                viragomann @Proton

                                @Proton
                                Is WAN1 used for the VPN only or should also other upstream traffic go out on it in case that the Tier 1 is offline?

                                If it is used for VPN only you could simply replace it in the gateway group by the VPN GW.

                                  Proton @viragomann

                                  @viragomann said in How to make VPN tunnel stay on 1 gateway in a failover group:

                                  @Proton
                                  Is WAN1 used for the VPN only or should also other upstream traffic go out on it in case that the Tier 1 is offline?

                                  If it is used for VPN only you could simply replace it in the gateway group by the VPN GW.

                                  Genius thought :)

                                  Yes, I think so.
                                  When tier 1 goes down, all traffic will go to tier 2. All LAN traffic must go out the VPN when tier 2 is the default gateway.
                                  When tier 2 fails, all traffic will go out on tier 3.
                                  And when tier 2 comes back, we go back to VPN only in tier 2. And when tier 1 comes back, all traffic goes out tier 1. No VPN on tier 1 & 3.

                                  So simply said: all traffic must follow the default gateway, and when on tier 2 all traffic must exit a VPN tunnel out on tier 2.

                                  So to implement this I can replace my tier 2 with the VPN gateway. And I need to make sure the VPN gateway always exits through my WAN1_GW interface (earlier tier 2).
                                  Can I do this with the FW block rules I already have for the VPN endpoints on the tier 1 & 3 gateways? Do I need a static route in addition?

                                  And I guess I must remove the policy-based routing in my FW rules and rely only on default gateways, correct?

                                  THX!

                                    viragomann @Proton

                                    @Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:

                                    And I need to make sure the VPN gateway always exits through my WAN1_GW interface (earlier tier 2).
                                    Can I do this with the FW block rules I already have for the VPN endpoints on the tier 1 & 3 gateways? Do I need a static route in addition?

                                    Yes, since the rule blocks the VPN connection over the other WANs, it can only be established over WAN1.

                                    In case of OpenVPN you can also bind the connection to the desired interface.
                                    I don't know if this is also possible in WG.
                                    However, the VPN will be established as soon as WAN1_GW is online. If you don't want this for whatever reason, maybe there is a possibility to let it only connect if the other WANs are down. I think this can be achieved by binding the OpenVPN client to the gateway group. You will need to recreate the gateway group as you had it before for this, with WAN1_GW as tier 2 and the other WANs as 1 and 3.
                                    But use this gateway group for the VPN client only. For the default routing use the other one with the VPN GW.

                                    The static route would not be necessary then, as it obviously follows the default route anyway.

                                    And I guess I must remove the policy-based routing in my FW rules and rely only on default gateways, correct?

                                    Depends on your needs. Without the policy routing, the devices can also go out on the other interfaces in case they are the default gateway.

                                      Proton @viragomann

                                      @viragomann
                                      What about this tip:
                                      https://github.com/Ysurac/openmptcprouter/issues/2384

                                        Proton @Proton

                                        @Proton And another tip using floating rules:
                                        https://forum.opnsense.org/index.php?topic=26315.0

                                          viragomann @Proton

                                          @Proton
                                          The first one is a completely different system, and the mentioned VXLAN is not supported on pfSense.

                                          The latter solution is just an outbound floating rule for the remote VPN endpoint with policy routing. You can also add the gateway in your rule. But it won't prevent the VPN from connecting as soon as the gateway is online.
                                          So the VPN will be connected even if tier 1 is in use.

                                            Proton @viragomann

                                            @viragomann

                                            Now everything works as intended thanks to your help!

                                            Thanks a million!! 👍

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.