Two gateways on one WAN interface, failover not working


  • Hello. I am new to pfSense. I help my local school with networking and I need to set up failover on two ISP providers. Their password-protected modems are connected to one switch and they are on network 10.3.8.0/24. ISP1 has an IP address of 10.3.8.1 and ISP2 has an address of 10.3.8.99. My LAN is 172.16.0.0/24. I have tried to set the WAN interface to address 10.3.8.2 and set the primary gateway to ISP1, and then I have set up the second gateway in the routing/gateways for that same WAN interface. After that, I have created the gateway group that load balances between gateways. Load balancing doesn't work. When I tried to set up failover, so the priority was on ISP2, it still hasn't worked. I also have edited the main rule in the firewall to use the gateway group. It kept using ISP1. When I switched the default gateway for the WAN interface to ISP2, it routed via ISP2. Also, ISP1 has the external IP set up to point to 10.3.8.2, so when you send packets to that IP, the ISP will route it to 10.3.8.2. When the default gateway on the WAN interface is ISP1 it works fine (port forwarding from WAN to a client PC in the LAN), but with slower speed overall because this is the slower ISP.
    So what I want:

    I want to have on the wan interface IP 10.3.8.2
    I want to use ISP2 (10.3.8.99) as the primary gateway
    I want to have a failover to ISP1 (10.3.8.1) when ISP2 goes down
    ISP1 provides this external IP, so I want to be able to port forward it through NAT

    Also, if you do help me and have the time, please explain to me why my configuration doesn't work. Thanks.


  • 
    You can't have two (or more) WANs with the same subnet or gateway.

    -Rico



  • @Rico My ISP will occasionally hand me two IPs on the same subnet (dual 1G over fiber) which brings everything crashing down. Are there any workarounds?


  • 
    A workaround could be to put a small/cheap router between one of your WANs and pfSense, aka double NAT.
    As long as pfSense sees only unique subnets you are fine.

    -Rico
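The constraint Rico states in both replies (each WAN needs its own, non-overlapping subnet and gateway, or pfSense cannot policy-route between them) is easy to check on paper before touching the firewall. The script below is an added example, not code from the thread or from pfSense: it takes a constructed list of planned WANs, flags any that share or overlap a subnet, share an interface address, or have a gateway outside their own subnet, and contrasts the original poster's layout with the double-NAT layout Rico suggests. The `192.168.200.0/30` transfer network and the interface names are invented for the example.

```python
"""Sanity-check a multi-WAN plan for the overlap that breaks pfSense failover.

pfSense needs every WAN (interface address + gateway) in its own subnet;
two gateways inside one subnet on one interface cannot be told apart by
gateway groups or policy-routing rules. This is an added example: it only
inspects a plan you describe, it does not read a pfSense config.
"""
import ipaddress

# Constructed sample mirroring the original post: both ISPs on 10.3.8.0/24,
# reached through the same interface address.
PLAN_BROKEN = [
    {"name": "WAN_ISP1", "address": "10.3.8.2/24", "gateway": "10.3.8.1"},
    {"name": "WAN_ISP2", "address": "10.3.8.2/24", "gateway": "10.3.8.99"},
]

# Constructed sample of Rico's workaround: ISP2 sits behind a small router
# (double NAT) on its own /30 transfer network. Addresses are invented.
PLAN_FIXED = [
    {"name": "WAN_ISP1", "address": "10.3.8.2/24", "gateway": "10.3.8.1"},
    {"name": "WAN_ISP2", "address": "192.168.200.2/30", "gateway": "192.168.200.1"},
]


def find_wan_conflicts(plan):
    """Return a list of human-readable conflicts for a list of WAN dicts.

    Each dict has 'name', 'address' (CIDR interface address) and 'gateway'.
    An empty list means the plan satisfies the unique-subnet rule.
    """
    problems = []
    parsed = []
    for wan in plan:
        iface = ipaddress.ip_interface(wan["address"])
        gw = ipaddress.ip_address(wan["gateway"])
        # A gateway must be directly reachable inside the interface's subnet.
        if gw not in iface.network:
            problems.append(
                f"{wan['name']}: gateway {gw} is not inside {iface.network}"
            )
        parsed.append((wan["name"], iface, gw))

    # Pairwise checks: overlapping subnets or a reused interface address.
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            n1, if1, _ = parsed[i]
            n2, if2, _ = parsed[j]
            if if1.network.overlaps(if2.network):
                problems.append(
                    f"{n1} and {n2} overlap: {if1.network} vs {if2.network}"
                )
            if if1.ip == if2.ip:
                problems.append(
                    f"{n1} and {n2} reuse interface address {if1.ip}"
                )
    return problems


if __name__ == "__main__":
    for label, plan in (("broken", PLAN_BROKEN), ("fixed", PLAN_FIXED)):
        conflicts = find_wan_conflicts(plan)
        print(f"{label}: {'OK' if not conflicts else ''}")
        for line in conflicts:
            print("  -", line)
```

Run it as-is and the "broken" plan reports both the shared subnet and the reused interface address, while the "fixed" plan passes; edit the two lists to describe your own WANs before changing anything on the firewall.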
