Does pfSense FAILOVER really work? (1 LAN + 2 OpenVPN clients)
-
You're doing it wrong.
You SHOULD NOT mix WAN and OpenVPN interfaces in one gateway group.
Create a GG for the WAN interfaces, and make sure you have working DNS on both interfaces (so DNS keeps working when WAN1 fails). Create a rule on LAN that uses this GG as its gateway. You DON'T need two OpenVPN connections for failover; to let one OpenVPN client connection reach the server through the failover interface, bind the OpenVPN client to localhost, not to a WANx interface.
After you have working WAN failover, continue with making dual VPN work, but note: if done properly, you should not lose your Internet connection when both of your VPNs are connected.
-
@pan_2:
bind OpenVPN client to localhost, not to WANx interface.
My VPN client is bound to a gateway group with failover. Am I wrong?
-
@pan_2:
You DON'T need two OpenVPN connections for failover; to let one OpenVPN client connection reach the server through the failover interface, bind the OpenVPN client to localhost, not to a WANx interface.
Sorry, but you don't understand: I have subscribed to 2 different VPN providers, each one having a dedicated WAN line.
Of course I don't need 2 OpenVPN connections for failover; it's just that I want to use 2 different VPN providers, each one having a dedicated WAN line, and use pfSense for failover.
-
The problem lies in the fact that you can't make your VPN connections work simultaneously AND you have an incorrect understanding of how failover should be configured.
IF any of your VPN providers can be reached through either WAN, make the configuration as I said earlier. This will give you working WAN failover and a working VPN connection over either WAN interface.
AFTER that you can set up the second VPN, bind each to its respective WAN interface and try to make them work as you wish.
This is really the best way for you; you will deal with the problems one by one.
-
When I add the 2nd VPN, I get this error message in the OpenVPN log:
"Mar 5 11:01:57 openvpn 70607 ERROR: FreeBSD route add command failed: external program exited with error status: 1"
How can I fix this?
Thanks
-
Without technical information no one can fix it.
Provide as complete info as possible (except keys and accounts, of course; mask them), and don't forget the logs.
-
I think that won't be necessary:
When I enable one (either of the 2) OpenVPN clients, pfSense adds a route to the routing table and everything works fine.
Now if I enable a 2nd OpenVPN client, pfSense cannot add an additional route; there's a conflict with the first one. I've noticed there's a "Don't pull routes" option in the OpenVPN client configuration, but I don't know how to use it.
It says "Bars the server from adding routes to the client's routing table. This option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface". What should I do? (the principle)
Thanks
-
Your only option (in your particular configuration) is to somehow make sure your secondary OpenVPN connection would not start until your WAN fails.
-
I have four OpenVPN client connections, all interface-assigned. Always UP.
I have two WAN connections. I have a failover gateway group between WAN1 and WAN2.
Every OpenVPN client is using the failover group as its outbound interface.
Every OpenVPN client has pulled routes disabled. I configured outbound NAT rules for every VPN and disabled the IPv6 gateways for the VPN interfaces. I have a gateway group load balancing between two VPNs and a policy-route rule for an alias of internal hosts.
Everything works fine. The VPN clients fail over to the second WAN and the alias host group is balanced between the VPN clients.
-
Every OpenVPN client is using the failover group as its outbound interface.
Every OpenVPN client has pulled routes disabled. I configured outbound NAT rules for every VPN and disabled the IPv6 gateways for the VPN interfaces.
This is the most critical part of your configuration.
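As an added illustration of the setting the last two replies call critical (this is not configuration posted by anyone in the thread), here is what two pfSense OpenVPN clients look like at the OpenVPN directive level with "Don't pull routes" enabled; the provider hostnames, ports and file names are placeholders. pfSense's "Don't pull routes" checkbox corresponds to the OpenVPN `route-nopull` directive.

```conf
# Added example (not from this thread). Two OpenVPN client instances that
# both connect to providers pushing routes (typically "redirect-gateway def1").
# Hostnames, ports and file names are placeholders.

# ---- client 1 (provider A, assigned interface e.g. OPT1 / ovpnc1) ----
client
dev tun
proto udp
remote vpn-a.example.net 1194        # placeholder
ca   /var/etc/openvpn/client1.ca     # placeholder path
# Without the next line the server's pushed default route is installed in
# the FreeBSD routing table. When a second client then tries to install the
# same pushed route, its "route add" fails with the error quoted above.
route-nopull
# Do not bind to a specific WAN address: pfSense selects the outbound path
# through the failover gateway group instead.
nobind

# ---- client 2 (provider B, assigned interface e.g. OPT2 / ovpnc2) ----
client
dev tun
proto udp
remote vpn-b.example.net 1194        # placeholder
ca   /var/etc/openvpn/client2.ca     # placeholder path
route-nopull
nobind

# With route-nopull the tunnels carry no traffic by themselves. Traffic is
# steered into them, as the post above describes, by:
#   1. a gateway group (failover or load balance) over the OPT1/OPT2 gateways
#   2. a LAN firewall rule with that gateway group as its gateway (policy routing)
#   3. outbound NAT rules on each VPN interface
# so the default route stays on the WAN gateway group and Internet access
# survives whether zero, one or both VPN clients are up.
```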