Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Should failover for WAN1 and should not failover for WAN2

    Scheduled Pinned Locked Moved Routing and Multi WAN
    6 Posts 2 Posters 536 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      richardsago
      last edited by

      Good day. Please help me see where I'm doing things wrong so that these two requirements will be met:

      1. WAN users should failover to WANSTARLINK <-this seems to work
      2. WANSTARLINK users should not failover to WAN, so that if WANSTARLINK link goes down then WANSTARLINK users should have no internet access <-I can't make this to work because when WANSTARLINK goes down its users continue to get internet access

      I have previously submitted these related posts:
      https://forum.netgate.com/topic/185136/bandwidth-segregation-needed-and-not-load-balance-or-fail-over
      https://forum.netgate.com/topic/190342/newbie-bogon-not-updating

      From my previous posts above I got that the "Default gateway" should not be set to "None" but I'm not sure which of the other values (Automatic, WANGW, gateway group "failover") to choose so I chose "failover". Please let me know if this is my mistake and let me know which is the correct value to choose:
      062c2635-5408-4413-9056-09fd4a07a0e4-image.png

      f2ae2c3a-f465-4952-91c7-24f25e41a8dc-image.png

      This is the VLAN rule for the WANSTARLINK users that I think should prevent it from failover to WAN because the Gateway was set to WANSTARLINK and not "failover", but WANSTARLINK users still get internet access when WANSTARLINK link is down:
      796e3e3e-b3db-48b2-90d8-e2c751a52879-image.png

      1b41462c-f36d-4cbb-a641-0d552a26a89f-image.png

      78afd1a4-eb86-42fc-9359-f98b1bca90d6-image.png

      9bfc65a8-f402-4061-b456-ec91b615e75e-image.png

      This is the VLAN rule for the WAN users that will failover to WANSTARLINK as per requirement:
      ae0a28a0-ea44-4aa6-88d7-6109fe4573dd-image.png

      57870820-5f6f-412e-b53b-6cf1a900dc36-image.png

      The Floating Rules contain only the entries for pfBlockerNG:
      1c8aee79-6829-4f00-80ea-74e280ccbfd5-image.png

      This is the DNS Server settings:
      b9afa287-f0c6-49c9-a18f-ee1915dfc366-image.png

      V 1 Reply Last reply Reply Quote 0
      • V Offline
        viragomann @richardsago
        last edited by

        @richardsago
        You need to check System > Advanced > Miscellaneous > Skip rules when gateway is down to avoid that pfSense routes the connection out to the remaining active gateway.

        R 1 Reply Last reply Reply Quote 0
        • R Offline
          richardsago @viragomann
          last edited by

          Thank you @viragomann for the reply. The WANSTARLINK users no longer received internet after applying your suggestion. Is our setting correct that our WAN users will still failover to WANSTARLINK if WAN signal goes down? This is the VLAN rule for the WAN users that should failover to WANSTARLINK:

          05b7a6b0-a44b-4a93-a32c-20f8f366563f-image.png

          V 1 Reply Last reply Reply Quote 0
          • V Offline
            viragomann @richardsago
            last edited by

            @richardsago said in Should failover for WAN1 and should not failover for WAN2:

            Is our setting correct that our WAN users will still failover to WANSTARLINK if WAN signal goes down?

            Depends...

            Your second rule for DNS forces DNS requests to the active gateway. Hence the devices in the subnet will only be able to resolve names if they use a public DNS server. If they try to resolve using a local one (pfSene Unbound) they will fail.

            And it's not clear to me, what the FacultyStaff alias in the 4th rule is.

            Anyway, best practice for policy routing rules to a WAN gateway is use an RFC 1918 alias with "invert match" as destination. This alias includes all private networks. The invert cares that the rule is applied only any other IP. So the rule forces only traffic, which is not destined to a private IP to the gateway.
            You need additional rules to permit local traffic (e.g. DNS) of course.

            See one of my rules:
            01581d24-07fb-4848-b3ea-5353904348e5-grafik.png

            R 1 Reply Last reply Reply Quote 0
            • R Offline
              richardsago @viragomann
              last edited by

              Thank you @viragomann for the reply. I will look into your suggestion. For my setup I copy-pasted the 2nd to 4th line from a youtuber who said the 2nd and 3rd lines will allow users to connect to the internet only if they set pfsense as their DNS Server. And if they manually set a different DNS Server in their browser then they cannot connect to the internet. I think the FacultyStaff alias is the same as VLAN10 subnets and will test during school break. Thank you again

              V 1 Reply Last reply Reply Quote 0
              • V Offline
                viragomann @richardsago
                last edited by viragomann

                @richardsago said in Should failover for WAN1 and should not failover for WAN2:

                For my setup I copy-pasted the 2nd to 4th line from a youtuber

                You should not believe any bullshit on YT.

                @richardsago said in Should failover for WAN1 and should not failover for WAN2:

                For my setup I copy-pasted the 2nd to 4th line from a youtuber who said the 2nd and 3rd lines will allow users to connect to the internet only if they set pfsense as their DNS Server

                As mentioned above, the second rule will force any UDP DNS traffic destined to pfSense interface to the WAN gateway.
                The 3rd rule blocks any DNS (UDP) from VLAN 10.
                Hence the devices will not be able to resolve host names, at least not via UDP.

                Note that DNS may also use TCP. So you should use "TCP/UDP" as protocol in DNS rules.

                Best way to ensure, that all your devices use your local DNS is redirecting the traffic to your server.
                Here is my port forwarding rule for this purpose:
                2531d9f0-f545-48c0-8957-2bc8bc6815ac-grafik.png

                My Unbound is listening on localhost.
                With this rule no matter, which server the client requests, it is rediected to Unbond and the client gets the respond from it with the origin requested IP as souce IP and is happy.

                As you can see, I do the same with NTP.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.