A static route over two (VPN) interfaces - how?

  • Hello everyone!

    I'm creating a very… unique setup using two pfSense (well, 3, but the third is a CARP with the second) firewalls/routers, and two internet connections.

    The first is in a colo out on the Internet with a static IP block pointed at it (let's call it for simplicity), called "rr1". The second is at my house with two Internet connections, called "dcr1". There is an OpenVPN tunnel between rr1 and dcr1 over each Internet connection.

    On the home side I have standard multi-WAN load balancing working well, but what I want to have happen is that incoming traffic for travels from the first router (rr1) across one or the other OpenVPN connection, load balanced, to the second router (dcr1), where it is terminated as an IP alias and 1-to-1 NAT'd. In short, I want to balance my incoming traffic from rr1 across both Internet connections.

    A basic diagram would be:

                                -> OpenVPN tunnel A ->
    req_for_1.1.1.1/24 -> rr1 -|         or           |-> dcr1 -> [NAT to host ] -> firewall rule(s) -> host
                                -> OpenVPN tunnel B ->

    I've got this 90% configured, and it works fine over a single OpenVPN tunnel. But my trouble is getting that incoming traffic to balance between the two OpenVPN tunnels.

    It would seem that my ideal solution is simply to have a static route on rr1 which points at a gateway group of the two dcr1 OpenVPN endpoints, rather than a single gateway. However, pfSense doesn't allow this. Since I have it configured that traffic returns from dcr1 out the same OpenVPN tunnel, load balancing just the incoming traffic as shown by the arrows in the above diagram should be all I need, as long as pfSense on rr1 can keep track of individual TCP sessions and which VPN they went over, so the load balancing is on a session level.

    Is there any way to get this to work, or perhaps a different X to my Y to get this traffic balanced across the two OpenVPN interfaces?

    Edit: Well, it looks like I solved my original problem with a policy-based route on the rr1 side. Now it load balances, however it doesn't seem to do so intelligently. But that's another problem. Hopefully this helps someone else eventually.

Log in to reply