Netgate Discussion Forum

Multi-wan and dynamic routing.

Routing and Multi WAN
9 Posts 2 Posters 696 Views
  • M
    mrpsycho
    last edited by May 4, 2018, 9:45 PM May 4, 2018, 9:40 PM

    Hello,

    I have a situation:

    The pfSense box has 1 WAN and 2 VPNs for crossing the provider's firewall.

    And the question is:
    is it possible to set up dynamic routing?

    I mean, if some resource does not set up a connection, pfSense then changes routes to another interface.
    Start from the WAN, and then, if there is a problem, send it to one of the VPNs?

    Now I'm routing it with a static route table... but, because our government blocks addresses by IP blocks, the table is getting very big and I need a solution to automate it.
    So my colleagues and I are suffering from it, because we can't use Google (yep, even Google!), Zeplin, Slack and other great things.

    I know about BGP... and as far as I know it has to have a static list of routes, which will be addressed to another router on the other endpoint of the VPN.
    Maybe there are some other solutions?
    ![Новый рисунок (1).png](/public/imported_attachments/1/Новый рисунок (1).png)

    • D
      Derelict LAYER 8 Netgate
      last edited by May 4, 2018, 9:51 PM May 4, 2018, 9:47 PM

      > if there is a problem

      The gateway/circuit is either up or down.

      There is no monitoring of whether a connection attempted out of an "up" gateway/interface succeeds or not, so the short answer is probably "No."

      If you have specific things that should work out a gateway but do not for some reason, it will be on you to identify that traffic and send it out gateways that do work for it.

      There might be other things that can be attempted depending on the actual definition of "if there is a problem." More information necessary.

      > our government blocks addresses by IP blocks, table is getting very big and i need a solution how to automate it.

      Hmm. Sorry. I'd just route everything through the VPN if it was me and make exceptions for things you want to go out the clear interface.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • M
        mrpsycho
        last edited by May 5, 2018, 10:14 AM May 5, 2018, 8:58 AM

        As I know, in the TCP case a connection sets up a "tunnel", so "if there is a problem" could be checking for a successful connection within 150ms, for example.
        In the case of UDP, it just sends back an answer datagram... so there too it could be a check on the returning datagrams.

        Also, sending one ICMP before any TCP/UDP connections will not add a lot more noise; check the transfer of that ICMP... and cache this route for 1 day, for example.

        I don't think that routing ALL traffic through the VPN is a good idea. We don't have limitations on resources, and torrents are sometimes needed for legal purposes.
        And passing them through the VPN... it will work very slowly.

        • D
          Derelict LAYER 8 Netgate
          last edited by May 5, 2018, 5:12 PM

          There is no facility in pfSense to do that. The gateway is either up or down and the monitoring is done with ICMP echos (pings) to the gateway monitor IP address.

          You will need another multi-wan solution to do what you want to do, if one exists.


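As an added illustration, not code from either poster and not something pfSense ships, the Python below sketches the application-level check mrpsycho proposed in the previous post: a TCP connect attempt with a 150 ms budget, tried through each gateway in tier order, with the first gateway that answers cached per destination for a day. As Derelict says, pfSense only decides up/down from ICMP to the gateway monitor IP, so logic like this would have to run outside the firewall. The gateway names, host names and the offline stand-in probe are constructed for the demo; the real `tcp_probe` measures reachability from the local host only, because steering a probe out of a specific gateway needs a policy-routing rule on the firewall, which is not modelled here.

```python
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed topology: one clear WAN and two tunnels, in the tier order from
# the thread (try the WAN first, fall through to a VPN when the destination
# does not answer). The names are placeholders, not pfSense gateway names.
GATEWAYS: List[str] = ["WAN_GW", "VPN1_GW", "VPN2_GW"]

# A probe answers: does host:port complete a TCP handshake via this gateway
# within `timeout` seconds?
Probe = Callable[[str, str, int, float], bool]


def tcp_probe(gateway: str, host: str, port: int, timeout: float) -> bool:
    """Real probe: TCP connect to host:port, bounded by `timeout` seconds.

    Steering the connection out of `gateway` is the firewall's job (a policy
    route on pfSense); this function only measures reachability from the
    local host, so `gateway` is accepted for signature compatibility and
    otherwise unused.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class RouteSelector:
    """Pick the first gateway, in tier order, through which a destination answers."""
    gateways: List[str]
    probe: Probe
    timeout: float = 0.15                   # 150 ms, the budget suggested in the thread
    cache_ttl: float = 24 * 3600.0          # remember a decision for one day
    clock: Callable[[], float] = time.time  # injectable so tests are deterministic
    _cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def select(self, host: str, port: int = 443) -> Optional[str]:
        now = self.clock()
        hit = self._cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]                   # cached decision still fresh
        for gw in self.gateways:
            if self.probe(gw, host, port, self.timeout):
                self._cache[host] = (gw, now + self.cache_ttl)
                return gw
        # Unreachable via every gateway: cache nothing so the next call retries.
        return None

    def invalidate(self, host: str) -> None:
        """Forget a cached decision, e.g. when the chosen gateway goes down."""
        self._cache.pop(host, None)


def blocked_table_probe(blocked: Dict[str, Set[str]]) -> Probe:
    """Constructed offline stand-in for tcp_probe.

    `blocked` maps a gateway name to the hosts that do not answer through it,
    mimicking destinations filtered on the clear WAN but open through a tunnel.
    """
    def probe(gateway: str, host: str, port: int, timeout: float) -> bool:
        return host not in blocked.get(gateway, set())
    return probe


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: two hosts are filtered on the WAN, one of them also on VPN1."""
    blocked = {
        "WAN_GW": {"blocked-on-wan.test", "blocked-on-wan-and-vpn1.test"},
        "VPN1_GW": {"blocked-on-wan-and-vpn1.test"},
    }
    selector = RouteSelector(GATEWAYS, blocked_table_probe(blocked))
    hosts = ["open.test", "blocked-on-wan.test", "blocked-on-wan-and-vpn1.test"]
    return {h: selector.select(h) for h in hosts}


if __name__ == "__main__":
    for host, gw in demo().items():
        print(f"{host:32} -> {gw}")
```

The selector deliberately does not cache a failure: a destination that answers through no gateway is re-probed on the next request, while a success sticks for the TTL so the 150 ms probe cost is paid once per destination per day. Turning the chosen gateway into an actual route (a host route or policy-routing entry pointing at that gateway) is a separate step that this model leaves to the firewall.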
          • M
            mrpsycho
            last edited by May 7, 2018, 10:20 AM

            OK.

            So, how does this work:

            I mean, what does trigger level do?
            Does it mean that it works only for "Monitored GW IP"s?

            gw_groups.png

            • D
              Derelict LAYER 8 Netgate
              last edited by May 7, 2018, 3:21 PM

              > I mean, what does trigger level do?
              > Does it mean that it works only for "Monitored GW IP"s?

              Yes. And only ICMP/ping.


              • M
                mrpsycho
                last edited by May 7, 2018, 6:40 PM

                But....

                If I put all three in one tier.... it should do "load balancing" via round robin.
                So, if one connection fails, another one should go over the tunnel... correct?

                • D
                  Derelict LAYER 8 Netgate
                  last edited by May 7, 2018, 7:35 PM

                  Yes, but you initially indicated you wanted some other factors besides ICMP to the gateway monitor address to be used as the determination of up/down status.


                  • M
                    mrpsycho
                    last edited by May 7, 2018, 10:41 PM

                    Other factors are just examples....

                    Thanks!

                    Will try to create "load balancing".

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.