Netgate Discussion Forum

    System Routes vs. VPN Kernel Routes - pfsense v2.2.6

    Routing and Multi WAN
    4 Posts 3 Posters 958 Views
    • relfie

      Hi All,

      I have a scenario where one of our customers wants automatic failover between a layer-2 circuit (primary) and a VPN tunnel between us – the destination subnet will be the same.

      Configuring a target gateway and static route in menu System -> Routing is possible but does not override the IPsec VPN tunnel. It appears that once strongSwan has done its thing and created the SAs between our endpoint and the customer's – the IPsec routes take precedence over System routing.

      Is there a way to reverse this order of precedence, or to automate disabling the VPN tunnel if the remote IP gateway is available and enabling it if the remote IP gateway becomes unavailable?

      In more commercial routing/firewall scenarios this is known as IPSLA.

      Kind regards,

      Mark

      • johnpoz LAYER 8 Global Moderator

        Sounds like you're trying to reinvent the wheel here, why does normal multiwan failover not work for your scenario?

        https://doc.pfsense.org/index.php/Multi-WAN

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • georgeman

          I believe he's talking about regular routing between subnets, not multi-WAN.

          As you mentioned, the SAs take precedence over the system routing table.

          The only way (I can think of) to achieve failover would be to set up a GRE tunnel over IPsec transport mode. That way, you can handle the routing yourself, for example with OSPF. The IPsec tunnel would always be active but regular routes would be in charge of choosing the path.

          If it ain't broke, you haven't tampered enough with it

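The difference georgeman describes, between a policy-based tunnel (the SPD selectors cover the customer subnet, so the SA wins whatever the routing table says) and a route-based design (transport-mode IPsec protects only the GRE endpoints, so the routing table picks the path), can be modelled as a forwarding decision. The Python below is an added example, not code from the thread, pfSense or strongSwan; the subnets, interface names, SA names and the health-check results are constructed for illustration, and the model reproduces the outcome of the kernel's decision rather than its exact internal order of operations.

```python
"""Model of outbound forwarding with an IPsec SPD in front of the routing table.

Added example (not from the forum thread). All addresses, interface names and
SA names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # egress interface / next hop name (constructed)
    metric: int   # lower is preferred, like an OSPF cost or gateway priority


@dataclass(frozen=True)
class Policy:
    """One SPD entry: packets matching src->dst are protected by the named SA."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    mode: str     # "tunnel" (encapsulate to the peer) or "transport" (protect in place)
    sa: str


def lookup_route(routes, dst, reachable):
    """Longest-prefix match, then lowest metric, ignoring routes whose next hop a
    health check (the 'IPSLA'-style probe) has marked down."""
    candidates = [r for r in routes if dst in r.prefix and reachable.get(r.via, True)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def forward(src, dst, routes, spd, reachable):
    """Return where a packet src->dst ends up.

    A tunnel-mode policy whose selectors cover the packet decides the path by
    itself: the packet is encapsulated in ESP to the peer, and the static route
    for dst is never the deciding factor. A transport-mode policy only adds
    protection to whatever path the routing table chooses.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    protect = None
    for p in spd:
        if src in p.src and dst in p.dst:
            if p.mode == "tunnel":
                return f"esp-tunnel:{p.sa}"
            protect = p.sa
    r = lookup_route(routes, dst, reachable)
    if r is None:
        return "unreachable"
    return f"via {r.via}" + (f" (esp-transport:{protect})" if protect else "")


# Constructed topology: our LAN, the customer's LAN, a layer-2 circuit (primary),
# a GRE tunnel carried over the Internet, and the two public tunnel endpoints.
LOCAL = ipaddress.ip_network("10.10.0.0/24")
REMOTE = ipaddress.ip_network("10.20.0.0/24")
OUR_PUBLIC = ipaddress.ip_network("203.0.113.1/32")
PEER_PUBLIC = ipaddress.ip_network("198.51.100.1/32")

ROUTES = [
    Route(REMOTE, "l2_circuit", 10),                      # preferred static route
    Route(REMOTE, "gre0", 20),                            # backup via GRE
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan", 1),   # default route
]

# Policy-based tunnel as in the original post: selectors cover LAN<->LAN.
SPD_POLICY_BASED = [Policy(LOCAL, REMOTE, "tunnel", "cust-vpn")]

# Route-based design: transport-mode IPsec protects only the GRE carrier traffic.
SPD_ROUTE_BASED = [Policy(OUR_PUBLIC, PEER_PUBLIC, "transport", "gre-protect")]


def failover_demo():
    """Same LAN->LAN packet under both designs, with the primary up and then down."""
    pkt = ("10.10.0.5", "10.20.0.9")
    return {
        "policy_based_primary_up": forward(*pkt, ROUTES, SPD_POLICY_BASED, {}),
        "route_based_primary_up": forward(*pkt, ROUTES, SPD_ROUTE_BASED, {}),
        "route_based_primary_down": forward(*pkt, ROUTES, SPD_ROUTE_BASED,
                                            {"l2_circuit": False}),
        "gre_carrier": forward("203.0.113.1", "198.51.100.1", ROUTES,
                               SPD_ROUTE_BASED, {}),
    }


if __name__ == "__main__":
    for name, path in failover_demo().items():
        print(f"{name:26s} -> {path}")
```

With the policy-based SPD the LAN-to-LAN packet always comes out as `esp-tunnel:cust-vpn`, which is exactly the behaviour relfie observed: the lower-metric static route via the layer-2 circuit never gets a say. With the route-based SPD the same packet goes `via l2_circuit` while the probe reports it up and `via gre0` once it is marked down, and only the GRE carrier packets between the two public endpoints pick up transport-mode protection.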
          • johnpoz LAYER 8 Global Moderator

            Sure seems like multiwan, one is his primary his layer 2 primary circuit to get somewhere and other is a vpn connection to that somewhere over an internet connection I would assume.

            So just treat it like 2 wan connections.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.