Does pfSense FAILOVER really work? (1 LAN + 2 OpenVPN clients)



  • Hi everyone!

    I'm going to be as clear as possible, thanks.

    My computer is on a LAN (192.168.2.X).
    I have 2 WAN interfaces, WAN0 & WAN1 (192.168.0.1 & 192.168.1.1).

    Each WAN interface has an associated working OpenVPN client interface:
    OpenVPNclient0 (ovpnc1) for WAN0  (VPN service provider 0)
    OpenVPNclient1 (ovpnc4) for WAN1  (VPN service provider 1)
    WAN0 and WAN1 interfaces are enabled.

    If one of the OpenVPNclient interfaces is enabled, then my internet connection works perfectly.
    (In "Firewall/NAT/Outbound", I've created the rules so my LAN can access the internet through the VPNs).
    If both of the OpenVPNclient interfaces are enabled, then there's a conflict: my computer cannot access these 2 VPN connections simultaneously.

    So since I want to tell pfSense to automatically switch all internet traffic from one WAN/VPN connection to the other one if one fails (my priority),
    and use load balancing if the 2 VPN connections work (ideally), I tried to follow these instructions and adapt them to support OpenVPN connections
    for load balancing and failover: http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense

    I've created 4 gateways associated with their interfaces:

    G_WAN0
    G_WAN1
    G_OpenVPNclient0
    G_OpenVPNclient1

    In "Gateway Groups", I've tried many combinations unsuccessfully, such as:

    G_WAN0 never
    G_WAN1 never
    G_OpenVPNclient0 tier1
    G_OpenVPNclient1 tier1
    Member down

    G_WAN0 never
    G_WAN1 never
    G_OpenVPNclient0 tier1
    G_OpenVPNclient1 tier2
    Packet Loss

    G_WAN0 never
    G_WAN1 never
    G_OpenVPNclient0 tier2
    G_OpenVPNclient1 tier1
    Packet Loss

    After reading the forum messages, I went to "System/Advanced/Miscellaneous/Default gateway switching"
    ...and checked "Enable default gateway switching"
    ...but it didn't work.

    I also went to each of my "VPN/OpenVPN/Clients/Edit"
    ...and checked "Don't pull routes"
    ...but it didn't work.

    Of course, I don't want a "tunnel", I mean when one OpenVPN client connects to its server through the other, already connected OpenVPN client.

    What's wrong?
    What steps should I follow?

    Thank you very much to those who'll take the time to answer, I really appreciate it.

    Have a nice day!

    2.3.2-RELEASE-p1 (amd64)
    built on Tue Sep 27 12:13:07 CDT 2016
    FreeBSD 10.3-RELEASE-p9



  • up



  • You're doing it wrong.

    You SHOULD NOT mix WAN and OpenVPN interfaces in one gateway group.
    Create a GG for the WAN interfaces, make sure you have working DNS on both interfaces (so DNS works with failure of WAN1). Create a rule on LAN utilizing this GG as gateway.

    You DON'T need two OpenVPN connections for failover, to allow one OpenVPN client connection to connect to server through failover interface - bind OpenVPN client to localhost, not to WANx interface.

    After you make working WAN failover - continue to make working dual VPN, but note: if done properly, you should not lose your connection to the Internet when both of your VPNs are connected.



  • @pan_2:

    bind OpenVPN client to localhost, not to WANx interface.

    My VPN client is bound to a gateway group with failover. Am I wrong?



  • @pan_2:

    You DON'T need two OpenVPN connections for failover, to allow one OpenVPN client connection to connect to server through failover interface - bind OpenVPN client to localhost, not to WANx interface.

    Sorry, but you don't understand: I have subscribed to 2 different VPN providers, each one having a dedicated WAN line.
    Of course I don't need 2 OpenVPN connections for failover; it's just that I want to use 2 different VPN providers, each one having a dedicated WAN line, and use pfSense for failover.



  • The problem lies in the fact that you can't make your VPN connections work simultaneously AND you had an incorrect understanding of how failover should be configured.
    IF any of your VPN providers can be accessed through any WAN - make the configuration as I said earlier. This will give you working WAN failover and a working VPN connection over any WAN interface.
    AFTER that you can make the second VPN, bind them to their respective WAN interfaces and try to make them work as you wish.
    This is really the best way for you; you will deal with the problems one by one.



  • When I add the 2nd VPN, I get this error message in the OpenVPN log:

    "Mar 5 11:01:57 openvpn 70607 ERROR: FreeBSD route add command failed: external program exited with error status: 1"

    How can I fix this?

    Thanks



  • Without technical information no one can fix it.
    Provide as complete info as possible (except keys and accounts, of course; mask them), and don't forget about logs.



  • I think it won't be necessary:

    When I enable one (any of the 2) OpenVPN clients, pfSense adds a route to the routing table, everything works fine.
    Now if I enable a 2nd OpenVPN client, pfSense cannot add an additional route, there's a conflict with the first one.

    I've noticed there's a "Don't pull routes" option in the OpenVPN client configuration but I don't know how to use it.
    It says "Bars the server from adding routes to the client's routing table. This option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface".

    What should I do? (the principle)

    Thanks



  • Your only option (in your particular configuration) is to somehow make sure your secondary OpenVPN connection would not start until your WAN fails.



  • I have four openvpn client connections, all interface-associated. Always UP.
    I have two wan connections.

    I have a failover gateway group between WAN1 and WAN2.

    Every openvpn client is using the failover group as outbound interface.
    Every openvpn client has the pulled routes disabled. I configured outbound NAT rules for every VPN and disabled the IPV6 gateways for the VPN interfaces.

    I have a gateway group load balancing between two VPNs and a policy route rule for an alias of internal hosts.

    Everything works fine. The VPN clients failover on the second WAN and the alias hosts group is balanced between the VPN clients.



  • @Fabio72:

    Every openvpn client is using the failover group as outbound interface.
    Every openvpn client has the pulled routes disabled. I configured outbound NAT rules for every VPN and disabled the IPV6 gateways for the VPN interfaces.

    This is the most critical part of your configuration.
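A small checker for the layout pan_2 and Fabio72 describe (a WAN-only failover group, every OpenVPN client bound to that group, pulled routes disabled), added here as an example and not code from the thread or from pfSense. The config.xml element names it reads are an assumption modelled on pfSense's layout, and the sample config is constructed to contain one correct client and the two mistakes discussed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of pfSense's config.xml (element names are an assumption
# modelled on that layout): client 1 follows Fabio72's recipe, client 4 does not, and the
# MIXED group repeats the original poster's mistake of putting WAN and VPN gateways together.
SAMPLE_CONFIG = """<pfsense>
 <interfaces><wan><if>em0</if></wan><opt1><if>em1</if></opt1>
  <opt2><if>ovpnc1</if></opt2><opt3><if>ovpnc4</if></opt3></interfaces>
 <gateways>
  <gateway_item><name>G_WAN0</name><interface>wan</interface></gateway_item>
  <gateway_item><name>G_WAN1</name><interface>opt1</interface></gateway_item>
  <gateway_item><name>G_VPN0</name><interface>opt2</interface></gateway_item>
  <gateway_item><name>G_VPN1</name><interface>opt3</interface></gateway_item>
  <gateway_group><name>WAN_FAILOVER</name><trigger>downloss</trigger>
   <item>G_WAN0|1|address</item><item>G_WAN1|2|address</item></gateway_group>
  <gateway_group><name>MIXED</name><trigger>down</trigger>
   <item>G_WAN0|1|address</item><item>G_VPN0|1|address</item></gateway_group>
 </gateways>
 <openvpn>
  <openvpn-client><vpnid>1</vpnid><interface>WAN_FAILOVER</interface>
   <route_no_pull></route_no_pull></openvpn-client>
  <openvpn-client><vpnid>4</vpnid><interface>opt1</interface></openvpn-client>
 </openvpn></pfsense>"""


def lint(xml_text):
    """Return findings for the pitfalls from the thread; an empty list means clean."""
    root = ET.fromstring(xml_text)
    # interface name (wan, opt1, ...) -> device (em0, ovpnc1, ...) so VPN gateways are recognisable
    devices = {iface.tag: iface.findtext("if", "") for iface in root.find("interfaces")}
    gw_iface = {g.findtext("name"): g.findtext("interface") for g in root.iter("gateway_item")}

    def is_vpn_gateway(gw_name):
        return devices.get(gw_iface.get(gw_name, ""), "").startswith("ovpn")

    findings, groups = [], set()
    for grp in root.iter("gateway_group"):
        name = grp.findtext("name")
        groups.add(name)
        members = [item.text.split("|")[0] for item in grp.findall("item")]  # name|tier|monitor
        if len({is_vpn_gateway(m) for m in members}) > 1:
            findings.append(f"group {name}: mixes WAN and OpenVPN gateways")
    clients = root.findall("openvpn/openvpn-client")
    for client in clients:
        vid = client.findtext("vpnid")
        # the checked box is stored as an empty element, so test presence, not truthiness
        if len(clients) > 1 and client.find("route_no_pull") is None:
            findings.append(f"client {vid}: pulls routes; a second client cannot add its route")
        if client.findtext("interface") not in groups:
            findings.append(f"client {vid}: bound to one interface, will not follow WAN failover")
    return findings
```

The checker does not look at outbound NAT, which Fabio72 also configures per VPN; that part has to be verified in the Outbound NAT table itself.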