Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Interface Shutdown - similar to Cisco Command

    Scheduled Pinned Locked Moved General pfSense Questions
    5 Posts 3 Posters 468 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      netintegrity
      last edited by

      Hello all,

      Been a user of Cisco Routers / Firewalls / as well as many others for many years
      Have been using PFSense for over 7 years now, done decent setups e.g. multisite / fail over / OpenVPN / IPSec etc….

      The site I refer to in this post is running the latest version of PFSense.

      I had a recent issue in an international PFSense connected Wide Network (which has been running for a couple of years now), where the ISP on the Primary WAN link was bouncing/flapping (due to a fault with the ISP). As per normal fail over systems in place, secondary ISP kicked in, basically everything failed over, however with the Primary WAN link flapping like it was and no favorable Tech ETA in sight, it was recommended that we disable (shutdown) the Primary WAN interface. As no one technical was onsite, we could not just remove the WAN Link NTU.

      Now whilst I have been using PFSense for many years, this was the first time that I needed to perform this action.

      Now on Cisco Equipment I would normally issue a SHUTDOWN on the interface, in most cases, job done.

      So when it came to the PFSense, the only option available is to Disable the WAN Interface - a bit extreme and fraught with possible issues.

      Any better ways of doing this????

      Ideally what we are trying to achieve is a soft shutdown of the link so that we have control, and should the ISP correct the issue, be able to bring it back online.

      Thinking through it, what I am trying to achieve is a place a firewall block on the WAN interface, blocking all ports/traffic, which would mean that the WAN link (Primary) would see the Gateway down, and force the failover functionality implemented.

      Agreed, I could go and do this on the firewall, but thinking through it, ideally the better way is a single Tickbox which performed the following operations

      1. Blocked all traffic on this Interface (avoids changing rules on the fly)
      2. Performed a service restart on OpenVPN / IPSEC (forcing them to drop/restart)
      3. Performed a State Reset on any connections on the Primary WAN interface
      4. Updated routes (if required)

      Any thoughts would be appreciated....have looked around the web for last few days and found a few asking similar, but no real answers

      Regards

      Bob

      1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott
        last edited by

        Perhaps I'm missing something, but what's the difference between doing a shutdown and disabling the interface?  They both do the same thing.  When you want to restore the interface, you enable the interface, just as you'd have to do a no shut on the Cisco gear.  The only difference I can see is with Cisco, if you don't write the configuration, a reboot will restore the interface.  I don't think that would work with pfSense.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        1 Reply Last reply Reply Quote 0
        • H
          heper
          last edited by

          You can also mark a gateway 'offline' (gateway settings)

          1 Reply Last reply Reply Quote 0
          • N
            netintegrity
            last edited by

            JKnott,

            Thanks for the prompt reply.

            No I don't think you are missing anything, your expectation was exactly the same as mine. Disable the interface, and all should be good.

            As part of the Failover, I am using the Gateway group in the

            • OpenVPN configuration
              LAN Rules - pointing it to the Gateway Group

            Users have access to the Internet no issues - they have failed over correctly

            However

            Inbound OPEN VPN connections fail
            Outbound OpenVPN Connections fail
            Inbound Forwarded traffic fails (actually comes in, but does not return traffic)

            One of the issues, is that with disabling the Interface, this interface is no longer present as part of the Gateway Grouping
            What does resolve the issues above is

            Enabling the interface (but removing the Physical WAN Connection (NTU connection)
            or
            Manually changing the Default Gateway to the secondary WAN Link (yes I am aware of the Automatic Default Gateway switch, however it clearly states it should not be necessary if Gateway Groups are used).

            Hence my question…..it appears that disabling the Primary WAN, appears to "screw" up the Gateway Groups.

            Now having said that, I want to setup a LAB enviroment and check each item again (most of the above was on a system that was down). Alternatively, I may get a chance to perform a test on this exact system, when I have technical assistance back at the main PFSense

            Any thoughts (or corrections) are appreciated....

            Regards

            Bob

            1 Reply Last reply Reply Quote 0
            • N
              netintegrity
              last edited by

              Heper,

              Thanks for that…..one I had not considered and will probably perform exactly what I need....

              In fact as I was typing, on that same system, I just marked the Gateway Offline and put the Gateway Default back to the Primary Link (which has been marked as down)

              The results were

              • Forwarded Ports to the Secondary WAN link  - responsive
                Inbound OpenVPN connections working
                Outbound OpenVPN Connections working
                Everything else working as it should in a failover situation.

              Heper,

              Thanks that appears to do exactly what I need…..

              Regards

              Bob

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.