AWS DirectConnect w/IPSec Failover

Hello,

We have a Netgate/pfSense SG-8860 1U in router-only mode (i.e.: no NAT, and no firewall enabled / packet filtering turned off), and it is handling the BGP/routing connectivity for our AWS DirectConnect ptp circuit. Physically, it is already inside of the trusted network, so that's the reason why we're operating it in router-only mode. We have a Meraki MX device as our firewall.

I was hoping to configure an IPSec backup so that if DirectConnect goes down, the pfSense device will automatically fail over to IPSec over the internet.

On the AWS side, they will automatically switch to IPSec if DirectConnect goes down.

I was wondering if anyone else has tried to tackle a similar issue and if you have any pointers/suggestions.

Based on some other things I read, I've set up a 'Gateway Group' such that the DirectConnect gateway is 'Tier 1' and the IPSec gateway is 'Tier 2'. I also set each gateway's 'weight' to 1 and 5, respectively, in the advanced settings. I'm not sure how to actually use the Gateway Group, if at all (i.e.: does pfSense automatically use it, because it's there?).

Any assistance would be greatly appreciated! Thanks!!

Here's some info on our interfaces:
- What came out-of-the-box as "WAN" is connected to our LAN, on a 192.168.x.y/24 IP
- We've designated one of the OPT ports to be the physical connection to the ISP for PTP, on a 169.254.x.y/30 IP, w/VLAN tag (per AWS's requirement)
- We've designated another of the OPT ports to be part of our MGMT/monitoring network
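As an added illustration (not part of the post above and not pfSense code), here is a small model of how a tiered gateway group picks the active path: the lowest-numbered tier that still has an 'up' member wins, and 'weight' only sets the traffic share among members of the same tier. The gateway names and up/down states are constructed to mirror the post's DirectConnect (tier 1, weight 1) and IPSec (tier 2, weight 5) setup.

```python
"""Model of pfSense-style gateway-group selection (added example).

Assumed semantics: members are grouped by tier; the lowest tier with
at least one 'up' member carries traffic, and weight only matters for
load sharing between members of that same tier. Gateway names and
states below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    tier: int
    weight: int
    up: bool  # result of the gateway monitor (constructed here)


def select_active(gateways):
    """Return the members of the best (lowest) tier that has an up gateway."""
    live = [g for g in gateways if g.up]
    if not live:
        return []  # every path is down: nothing to route over
    best_tier = min(g.tier for g in live)
    return [g for g in live if g.tier == best_tier]


def traffic_shares(active):
    """Weighted share of traffic for each gateway inside the chosen tier."""
    total = sum(g.weight for g in active)
    return {g.name: g.weight / total for g in active}


def failover_plan(dx_up, ipsec_up):
    """Which gateway(s) would carry traffic for the post's two-member group."""
    group = [
        Gateway("DX_GW", tier=1, weight=1, up=dx_up),      # DirectConnect
        Gateway("IPSEC_GW", tier=2, weight=5, up=ipsec_up),  # IPSec backup
    ]
    return [g.name for g in select_active(group)]


if __name__ == "__main__":
    for dx, ipsec in [(True, True), (False, True), (False, False)]:
        print(f"DX up={dx}, IPSec up={ipsec} -> {failover_plan(dx, ipsec)}")
```

Because the two members sit in different tiers, the weights 1 and 5 never come into play here; only the tier decides which path is used.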

