Netgate Discussion Forum

    Unable to select gateway group in static route

    Routing and Multi WAN
    5 Posts 3 Posters 2.0k Views
    NickFree

      Hi,
      I have a pfSense with a single WAN and two IPsec tunnels connected to a remote host. The remote host has two different WANs, so we have two IPsec tunnels up.
      I need to create a static route to the remote subnet that will use both IPsec tunnels and manage failover. So I created a gateway group with the two IPsec gateways (the fastest as tier 1, the backup as tier 2), and now I need to create a static route that sends traffic to the remote gateway group. But in the static route I can only select single gateways (the two I defined as remote gateways via the two IPsec tunnels); I can't select the gateway group.

      So how can I manage routing to the remote endpoint in this scenario? What's wrong in my configuration?
      Thanks

      P.S. My IPsec tunnels are routed...

      viragomann

        Gateway groups cannot be used in static routes. You have to direct the traffic by policy routing rules.

        jimp (Rebel Alliance Developer, Netgate)

          You will need to use a dynamic routing protocol for that, like BGP or OSPF, on both IPsec tunnels on both endpoints.

          Otherwise you can't be sure the other side will route back the same way.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          NickFree @jimp

            @jimp I'm sure the other side routes the same way, because I have two tunnels, and if a tunnel is down the other side will route on the remaining one only, of course. It's a Fortigate; I'm sure about what it is doing. Is OSPF mandatory to perform this with pfSense, or was it a suggestion related to this possible problem?

            I'm not using OSPF because I do not want to propagate to the pfSense node the entire routing area that the Fortigate knows. I only need the pfSense to know the local subnet of the FG and vice versa. Is there any way to perform this?

            jimp (Rebel Alliance Developer, Netgate)

              You will need a routing protocol of some kind; there isn't likely to be any other way that a connection to a third party could manage two separate tunnels which are up all the time.

              The failover is much slower but you could maybe get away with only having one tunnel set to use a hostname for the remote gateway, and Dynamic DNS on the Fortigate side set to switch the hostname depending on which WAN is preferred at the time. That's assuming Fortigate supports that kind of function for Dynamic DNS.

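One way to set up what jimp describes (a routing protocol on both tunnels) that also answers NickFree's concern about receiving the Fortigate's entire routing area is BGP with prefix-list filters, so that each side advertises and accepts exactly one subnet. The following is an added example and is not from the original thread, from Netgate, or from the pfSense project. It assumes the pfSense FRR package (which renders its GUI settings into this FRR syntax), routed (VTI) IPsec tunnels, and a mirrored configuration on the Fortigate side; every subnet, AS number and tunnel address is a constructed placeholder from the documentation ranges.

```text
! Added example (assumed values): FRR BGP over two routed IPsec tunnels.
! Constructed placeholders:
!   local LAN          192.0.2.0/24    (pfSense side, AS 65001)
!   remote LAN         198.51.100.0/24 (Fortigate side, AS 65002)
!   tunnel 1 (primary) pfSense 10.255.0.1 <-> Fortigate 10.255.0.2
!   tunnel 2 (backup)  pfSense 10.255.0.5 <-> Fortigate 10.255.0.6
!
! Only these two prefixes cross the tunnels in either direction; anything
! else the peer advertises is dropped before it reaches the routing table.
ip prefix-list LOCAL-ONLY seq 10 permit 192.0.2.0/24
ip prefix-list REMOTE-ONLY seq 10 permit 198.51.100.0/24
!
! Make tunnel 2 less attractive in both directions so traffic stays on
! tunnel 1 while it is up: lower LOCAL_PREF on routes learned over it and
! prepend our AS on routes sent over it, so the far side prefers tunnel 1.
route-map BACKUP-IN permit 10
 set local-preference 50
!
route-map BACKUP-OUT permit 10
 set as-path prepend 65001 65001
!
router bgp 65001
 bgp router-id 10.255.0.1
 ! Short timers so the session over a dead tunnel is torn down within
 ! 15 s instead of the 90 s default hold time.
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.2 description tunnel-1-primary
 neighbor 10.255.0.2 timers 5 15
 neighbor 10.255.0.6 remote-as 65002
 neighbor 10.255.0.6 description tunnel-2-backup
 neighbor 10.255.0.6 timers 5 15
 !
 address-family ipv4 unicast
  network 192.0.2.0/24
  neighbor 10.255.0.2 prefix-list LOCAL-ONLY out
  neighbor 10.255.0.2 prefix-list REMOTE-ONLY in
  neighbor 10.255.0.6 prefix-list LOCAL-ONLY out
  neighbor 10.255.0.6 prefix-list REMOTE-ONLY in
  neighbor 10.255.0.6 route-map BACKUP-IN in
  neighbor 10.255.0.6 route-map BACKUP-OUT out
 exit-address-family
```

With both sessions up, pfSense holds two paths to 198.51.100.0/24 and installs the tunnel 1 path because of its higher local preference; when tunnel 1 drops, the hold timer expires, that path is withdrawn, and the tunnel 2 path takes over with no static route or gateway group involved. Because the same prefix filters apply on the Fortigate side, neither router learns anything beyond the one remote subnet. The firewall rules on the pfSense IPsec tab must permit TCP/179 from the tunnel peer addresses, or the sessions never establish.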
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.