Help with Multi-WAN for Failover on SG-3100?

  • Hi,

    I have a Netgate SG-3100.

    I am trying to set up a multi-WAN configuration in failover mode.

    My main internet connection (Fiber, using PPPoE) is plugged into the WAN port.

    The backup internet connection (4G/LTE, using DHCP) is plugged into the OPT1 port.

    I have been attempting to follow the Multi-WAN section in the pfSense book, and it seems to be working right now.

    First, I added the new interface for OPT1, and configured it as DHCP:

    [screenshot]

    Second, I created a new Gateway Group:

    [screenshot]

    I then edited one of the LAN firewall rules to use that gateway group:

    [screenshot]

    My question:

    1. Does the above setup look correct? Anything I've missed?
    2. I am using the DNS resolver, and the Google DNS servers ( and The pfSense book talks about configuring DNS servers per WAN connection, and static routes, and all that. I confess I'm a little confused by what it says and didn't do it - but it seems to currently work on the failover connection. However, what steps did I miss, and what is the impact here?
    3. I only edited the IPv4 LAN rule to set the gateway group. Is this the only rule I need to edit? What about other rules, or networks with more complicated firewall rules - do you need to set the gateway group for all?
    4. I have a 6in4 IPv6 tunnel set up to Hurricane Electric - I assume that won't work with this failover setting (since my external IP address changes). However, are there any issues with leaving it enabled when using this?


  • LAYER 8 Netgate

    That is less of a requirement now that the default gateway can be set to track the gateway group.

    Before that feature was added you wanted to set the gateway on DNS servers to force the use of one LAN or the other because the old default gateway switching carried a lot of baggage with it and many people did not want to enable it.

    If you set the default gateway to the pppoe_with_4g_failover gateway group in System > Routing and use the resolver you should be fine.

    That DNS rule at the bottom of the rule set makes little sense and will never be hit. If you really want to redirect all TCP/UDP 53 traffic to localhost you need to move that rule above the gw group rule.
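
    The two points in this reply (a rule below a catch-all policy-routing rule is never reached, and a gateway group hands traffic to its lowest-tier member that is still up) can be checked with a small model. This is an added example, not code from the thread or from pfSense; the rule descriptions, gateway names (WAN_PPPOE, OPT1_DHCP) and the group name pppoe_with_4g_failover are assumed to stand in for the poster's screenshots, and the evaluator only implements first-match ordering and tier selection, nothing else pf does.

```python
"""Added example: first-match rule evaluation and gateway-group tier
failover, modelled after how pfSense applies LAN rules top to bottom.
All names and packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Gateway:
    name: str
    tier: int          # tier 1 is preferred; higher tiers are used only on failure
    up: bool = True    # result of gateway monitoring (dpinger) in the real system


@dataclass
class GatewayGroup:
    name: str
    members: List[Gateway]

    def active(self) -> Optional[str]:
        """Lowest-tier member that is up, or None when every member is down."""
        live = [g for g in self.members if g.up]
        return min(live, key=lambda g: g.tier).name if live else None


@dataclass
class Rule:
    descr: str
    proto: str = "any"                 # "any", "tcp", "udp" or "tcp/udp"
    dst_port: Optional[int] = None     # None matches every destination port
    gateway: Optional[str] = None      # gateway-group name; None = system default route


def matches(rule: Rule, pkt: dict) -> bool:
    proto_ok = rule.proto == "any" or pkt["proto"] in rule.proto.split("/")
    port_ok = rule.dst_port is None or rule.dst_port == pkt["dport"]
    return proto_ok and port_ok


def first_match(rules: List[Rule], pkt: dict) -> Tuple[Optional[int], Optional[Rule]]:
    """pfSense GUI rules are 'quick': the first matching rule wins."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return idx, rule
    return None, None


def make_group(pppoe_up: bool, lte_up: bool = True) -> GatewayGroup:
    # Assumed member names; tier 1 = fibre PPPoE on WAN, tier 2 = LTE on OPT1
    return GatewayGroup("pppoe_with_4g_failover", [
        Gateway("WAN_PPPOE", tier=1, up=pppoe_up),
        Gateway("OPT1_DHCP", tier=2, up=lte_up),
    ])


def build_rules(dns_rule_first: bool) -> List[Rule]:
    catch_all = Rule("Default allow LAN to any", gateway="pppoe_with_4g_failover")
    dns = Rule("Redirect DNS to localhost", proto="tcp/udp", dst_port=53)
    return [dns, catch_all] if dns_rule_first else [catch_all, dns]


def hit_rule(rules: List[Rule], pkt: dict) -> Optional[str]:
    """Description of the rule a packet hits, or None if nothing matched."""
    _, rule = first_match(rules, pkt)
    return rule.descr if rule else None


DNS_PKT = {"proto": "udp", "dport": 53}   # constructed client DNS query
WEB_PKT = {"proto": "tcp", "dport": 443}  # constructed HTTPS connection

if __name__ == "__main__":
    # DNS rule at the bottom: the catch-all above it swallows port 53 too.
    print("DNS rule last :", hit_rule(build_rules(False), DNS_PKT))
    # DNS rule moved above the gateway-group rule: now it is the one that fires.
    print("DNS rule first:", hit_rule(build_rules(True), DNS_PKT))
    print("HTTPS         :", hit_rule(build_rules(True), WEB_PKT))
    # Failover: the group follows the lowest tier that is still up.
    print("PPPoE up  ->", make_group(True).active())
    print("PPPoE down->", make_group(False).active())
    print("both down ->", make_group(False, lte_up=False).active())
```

Running the script shows the DNS rule only "hits" once it sits above the catch-all rule, and that the group returns OPT1_DHCP only while the tier-1 PPPoE gateway is marked down. The model does not cover reply-to, states that survive a failover, or the monitoring that flips `up`; for those the real gateway status page is the source of truth.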

  • Got it - so this is what I have for System > Routing -

    [screenshot]

    I can definitely move the DNS rule higher up. Oddly enough, it did seem to work before, but maybe that was chance.

    And in Firewall Rules do I need to set the "Gateway" field for the IPv6 default allow rule, or only the IPv4 rule (see third screenshot in post #1)?

  • LAYER 8 Netgate

    There is no need to set the gateway for IPv6 since there is only one possible route - the default route.

    If you were to, say, get native IPv6 and maintain the HE tunnel it might be necessary to start policy routing IPv6.

    I would change the default gateway IPv4 there from Automatic to the failover gateway group that best suits how you want the default IPv4 route to behave.