High Availability with Multi-WAN and Multi-LAN



  • Hi,

    I currently have a setup similar to the example configuration listed here
    https://docs.netgate.com/pfsense/en/latest/book/highavailability/multi-wan-with-ha.html

    The gateway group is set up for failover so that if WAN1 goes down, outbound traffic goes over WAN2 instead. I don't have a DMZ set up as per the example. All of this is set up and working properly.

    However, instead of the DMZ described in the example, I would like to have a second LAN interface except I would like devices on this LAN2 to use WAN2 by default and failover to WAN1.

    However, the instructions specifically state:

    //
    With Multi-WAN a firewall rule must be in place to pass traffic to local networks using the default gateway. Otherwise, when traffic attempts to reach the CARP address or from LAN to DMZ it will instead go out a WAN connection.

    A rule must be added at the top of the firewall rules for all internal interfaces which will direct traffic for all local networks to the default gateway. The important part is the gateway needs to be default for this rule and not one of the failover or load balance gateway groups. The destination for this rule would be the local LAN network, or an alias containing any locally reachable networks.
    //

    How would I accomplish this since I'm explicitly told not to use the failover gateway group?


  • Rebel Alliance Developer Netgate

    You can use a gateway group for other traffic, you just need the rule without the gateway group above that, so that traffic between the LANs can reach where it needs to go. Assuming you want the LANs to be able to reach each other.



  • Thanks for the clarification. I actually don't need or even want the two LAN segments to be able to reach each other. So in that case, does this mean then that in each LAN segment the firewall rule can use the respective gateway group in the firewall rule?


  • Rebel Alliance Developer Netgate

    In that case you'll want rules at the top of each tab to block traffic from reaching the other LAN (also without a gateway because block rules don't need gateways).

    Don't rely on the gateway being there as the only thing keeping the LAN(s) isolated, since if the gateway/group is down, it will be omitted from the rule by default, so then traffic could flow between them. There is an option to change that behavior, but it's still a bad security practice.



  • Great. That makes sense, and I agree with the reasoning.
    Just to make sure I understand correctly then:
    In the Firewall rules, I will create two rules in each LAN segment. The top rule explicitly blocking all traffic from reaching the other LAN segment (without a gateway). Below that the allow rule using the respective gateway group. Is that right?


  • Rebel Alliance Developer Netgate

    At a minimum, yes. You can get much fancier/more fine-grained than that if you like.
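The ordering agreed on in this thread (an explicit inter-LAN block rule without a gateway on top, then the pass rule with the failover gateway group) and the failure mode the Netgate developer warns about (when every member of the group is down, the gateway is omitted from the pass rule by default) can be shown with a small first-match simulation. This is an added example, not pfSense code or anything from the original thread; the subnets, host addresses, gateway-group name and the `evaluate` function are all constructed here for illustration, and the simulation only models the behaviour described in the posts above, not the full pfSense ruleset.

```python
"""Constructed model of pfSense-style first-match rule evaluation on one LAN tab.

Not pfSense code. It shows why the block rule for the other LAN must sit above
the pass rule that uses the failover gateway group, and what happens to the
pass rule when the whole group is down.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

# Constructed addressing; the thread names no subnets.
LAN1_NET = ip_network("192.168.1.0/24")
LAN2_NET = ip_network("192.168.2.0/24")
INTERNET_HOST = "203.0.113.10"   # TEST-NET-3, stands in for an internet destination

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: IPv4Network
    dst: Union[IPv4Network, str]         # a network, or "any"
    gateway: Optional[str] = None        # gateway-group name; None = default gateway

@dataclass(frozen=True)
class GatewayGroup:
    name: str
    members: Tuple[str, ...]             # failover order, tier 1 first

def live_member(group: GatewayGroup, gw_up: Dict[str, bool]) -> Optional[str]:
    """First member whose monitor reports up, or None if the whole group is down."""
    for m in group.members:
        if gw_up.get(m, False):
            return m
    return None

def evaluate(rules: List[Rule], groups: Dict[str, GatewayGroup], gw_up: Dict[str, bool],
             src: str, dst: str, skip_rules_when_gw_down: bool = False) -> Tuple[str, Optional[str]]:
    """First-match evaluation of one interface tab; returns (action, egress).

    egress is a WAN name when the packet is policy-routed, "default" when it follows
    the system routing table (which is how a packet reaches the other LAN), or None
    when blocked. Models the behaviour described in the thread: if every member of a
    rule's gateway group is down, the gateway is dropped from the rule by default;
    with skip_rules_when_gw_down=True (the "skip rules when gateway is down" option)
    the rule is skipped instead.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s not in r.src:
            continue
        if r.dst != "any" and d not in r.dst:
            continue
        if r.action == "block":
            return "block", None
        if r.gateway is None:
            return "pass", "default"
        egress = live_member(groups[r.gateway], gw_up)
        if egress is not None:
            return "pass", egress
        if skip_rules_when_gw_down:
            continue
        return "pass", "default"          # gateway omitted: behaves like a plain pass rule
    return "block", None                  # implicit default deny at end of ruleset

GROUPS = {"WAN1_WAN2_failover": GatewayGroup("WAN1_WAN2_failover", ("WAN1", "WAN2"))}

# LAN1 tab with only the pass rule that uses the group (the poster's first idea).
LAN1_PASS_ONLY = [Rule("pass", LAN1_NET, "any", "WAN1_WAN2_failover")]

# LAN1 tab as recommended: block LAN2 (no gateway) above the pass rule with the group.
LAN1_BLOCK_THEN_PASS = [
    Rule("block", LAN1_NET, LAN2_NET),
    Rule("pass", LAN1_NET, "any", "WAN1_WAN2_failover"),
]

def scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Outcomes for LAN1 -> LAN2 and LAN1 -> internet under each ruleset and gateway state."""
    src, lan2_host = "192.168.1.50", "192.168.2.50"
    both_up = {"WAN1": True, "WAN2": True}
    wan1_down = {"WAN1": False, "WAN2": True}
    both_down = {"WAN1": False, "WAN2": False}
    return {
        # Pass-only: LAN2-bound traffic is policy-routed out a WAN while the group is up...
        "pass_only/both_up/to_lan2": evaluate(LAN1_PASS_ONLY, GROUPS, both_up, src, lan2_host),
        # ...but once the whole group is down the gateway is omitted and LAN2 becomes reachable.
        "pass_only/both_down/to_lan2": evaluate(LAN1_PASS_ONLY, GROUPS, both_down, src, lan2_host),
        # The skip option closes that hole here only because no later rule matches.
        "pass_only/both_down/skip/to_lan2": evaluate(LAN1_PASS_ONLY, GROUPS, both_down, src, lan2_host, True),
        # With the block rule on top, isolation does not depend on gateway state at all.
        "block_then_pass/both_up/to_lan2": evaluate(LAN1_BLOCK_THEN_PASS, GROUPS, both_up, src, lan2_host),
        "block_then_pass/both_down/to_lan2": evaluate(LAN1_BLOCK_THEN_PASS, GROUPS, both_down, src, lan2_host),
        # Internet-bound traffic still fails over from WAN1 to WAN2.
        "block_then_pass/both_up/to_internet": evaluate(LAN1_BLOCK_THEN_PASS, GROUPS, both_up, src, INTERNET_HOST),
        "block_then_pass/wan1_down/to_internet": evaluate(LAN1_BLOCK_THEN_PASS, GROUPS, wan1_down, src, INTERNET_HOST),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:42s} -> {outcome}")
```

The two `pass_only` LAN2 cases are the point: while the group is up the LAN2 traffic is misrouted out a WAN rather than blocked, and once both WANs are down it is simply passed. Only the ruleset with the gateway-less block rule on top returns `block` regardless of gateway state, which is why the isolation must not rest on the gateway being present in the pass rule.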

