[SOLVED] OpenVPN as failover for dedicated MetroE WAN fails

  • I'm currently working with this in a lab environment only.  It's a very close approximation of our point-to-multipoint MetroE WAN.  I do have the ability to adjust the hardware topology if needed.

    1.  I have pfSense sitting behind Cisco routers on both sides.  pf has manual outbound NAT and allow-any rules on the interfaces, as I do not need to filter traffic at this level.  No static routes on pfSense.
    2.  OpenVPN server on one side and client on the other; the VPN is up.
    3.  The gateway group on both sides has the ME WAN as Tier 1 and OpenVPN as Tier 2.
    4.  The allow-any rules have the gateway groups set up.

    Pulling the WAN cable does not appear to cause a failover event.  I cannot ping over the VPN and cannot browse resources over the VPN.

    What am I missing?

  • Disabling negate rules on both sides of the VPN in System > Advanced > Firewall & NAT fixed the issue, as policy routing was not being applied properly.

    Thanks to PiBa-NL in ##pfsense on freenode!