Netgate Discussion Forum
    AWS DirectConnect w/IPSec Failover

    Routing and Multi WAN
    TPCoMatt

      Hello,

      We have a Netgate/pfSense SG-8860 1U in router-only mode (i.e., no NAT, and no firewall enabled / packet filtering turned off), and it is handling the BGP/routing connectivity for our AWS DirectConnect ptp circuit. Physically, it is already inside of the trusted network, so that's the reason why we're operating it in router-only mode. We have a Meraki MX device as our firewall.

      I was hoping to configure an IPSec backup so that if DirectConnect goes down, the pfSense device will automatically failover to IPSec over the internet.

      On the AWS side, they will automatically switch to IPSec if DirectConnect goes down.

      I was wondering if anyone else has tried to tackle a similar issue and if you have any pointers/suggestions.

      Based on some other things I read, I've set up a 'Gateway Group' such that the DirectConnect gateway is 'Tier 1' and the IPSec gateway is 'Tier 2'. I also set each gateway's 'weight' to 1 and 5, respectively, in the advanced settings. I'm not sure how to actually use the Gateway Group, if at all (i.e., does pfSense automatically use it because it's there?).

      Any assistance would be greatly appreciated! Thanks!!

      Here's some info on our interfaces:
      • What came out-of-the-box as "WAN" is connected to our LAN, on a 192.168.x.y/24 IP
      • We've designated one of the OPT ports to be the physical connection to the ISP for PTP, on a 169.254.x.y/30 IP, w/VLAN tag (per AWS's requirement)
      • We've designated another of the OPT ports to be part of our MGMT/monitoring network

      TPCoMatt

        -bump-

        Hello All,

        I just wanted to bump my old topic, to see if anyone has had a similar need / if anyone has architected anything similar to what we're trying to achieve.

        Any assistance would be appreciated!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.