Dual WAN - Time Based Gateway Changes

  • Ok, so I'm having a little trouble figuring out the best way to get this working.  I have two Internet connections.  A Satellite link that I am still under contract for with a FAP (Fair Access Policy) Window that allows unlimited bandwidth between 10pm and 4am.

    I also have a new ISP connection that is line of sight, but lower bandwidth than the Satellite connection.

    So what I'm "trying" to do is set up one of my computers on the internal LAN to cut over to the Satellite connection during the window and then back when the window closes.

    I was able to setup a policy based routing rule that works great.  I enable the rule, and my computer is routed out the Satellite connection.  Disable the rule and it is back on the line of sight connection.

    So the hurdle I ran into is when I went to set up a time schedule, pfsense complained that I can't have a time based rule when it affects a default gateway.

    Is there any way to work around this manually?

    The other approach I was considering taking is to have a virtual IP on the LAN interface that I can point the computer to for a DG and have everything coming into that virtual IP routed out the Satellite connection.  Then automate the changing of IP configuration on the internal computer.  I haven't been able to get the firewall to route traffic in that fashion successfully.

    Advice or input on either solution would be MUCH appreciated.



  • Easy approaches are the best :)

    I would create a failover-pool with the satellite link as primary connection.

    Then buy a timer for the power of the satellite receiver.
    Like this one: http://home-solutions.hsn.com/improvements-digital-timer_pf-1031862_xp.aspx?club_id=1031862&sz=888&sf=HW0060&rdr=1&cm_mmc=Shopping Engine--NexTag--Home%20Solutions-_-Improvements%20Digital%20Timer%203957865

    And just set it so the sat receiver has no power for the time you don't want to use it ;)

  • I can see how that would work, but I can't imagine there is no other way to do it.  There has got to be a way to setup a time based rule that can change the DG.  Or have traffic that hits the firewall on a particular virtual IP be sent out the Sat connection.

  • On 2.0, in about 2 days, the functionality will be there through schedules.

  • Ermal,

    I believe I am currently on 1.2.2.  Will it be on the 2.0 release via a CVS snapshot?  Or is this a full 2.0 release?



  • It's just a snapshot and only in the ALPHA based on 8, so not really suitable for now for production.
    I will see if I can merge it on the 7.2 builds.

  • I'd be happy to try it out.  I grabbed the latest snapshot, but I think it was a 7.2 build. Can you point me at the latest ISO that would have it?



  • Great!  I'll try this out and see how the time based gateway rules work.  Thanks again for pointing me at these.

  • Quick question, will the config from the 1.2 system I have work with the new version?  Or do I need to manually rebuild all the rules and config etc?

  • It should upgrade correctly.

  • Well the policy based routing seems to be up and working.  The only thing that is not working right now seems to be the RRD traffic graphs.

    I've tried a few different CVS builds.  But they all seem to have the same issue.  I'm currently using: pfSense-Full-Update-2.0-ALPHA-ALPHA-20090505-1808.tgz

    I get the following error: pfSense php: /status_rrd_graph_img.php: Failed to create graph with error code 1, the error is: ERROR: No DS called 'inpass' in '/var/db/rrd/wan-traffic.rrd'/usr/bin/nice -n20 /usr/local/bin/rrdtool graph /tmp/wan-traffic.rrd-16h.png --start -57600 -e -60 --vertical-label "bits/sec" --color SHADEA#eeeeee --color SHADEB#eeeeee --title "hostname - WAN :: Traffic - 16 hours - 1 minute average" --height 200 --width 620 -x "MINUTE:30:HOUR:1:HOUR:1:0:%H" DEF:wan-in_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass:AVERAGE DEF:wan-out_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass:AVERAGE DEF:wan-in_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock:AVERAGE DEF:wan-out_bytes_block=/var/db/rrd/wan-traffic.rrd:outblock:AVERAGE CDEF:"wan-in_bits_pass=wan-in_bytes_pass,8," CDEF:"wan-out_b" CDEF:"wan-in_bits_block=wan-in_bytes_block,8,"" CDEF:"wan-in_bytes=wan-in_bytes_pass,wan-in_bytes_block,+" CDEF:"wan-out_bytes=wan-out_bytes_pass

  • So, I'm finding that while the rules work, when the policy based routing cuts over, the actual traffic doesn't cut over for a while.  If I reset the state table, then everything routes properly.  Is there any way to do that via a script or shell command?  Then I could setup a simple cron job to reset the state table after the WAN cutover.

    Any ideas?
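The scripted state reset asked about in the post above, as an added example that is not code from the thread or from pfSense. It assumes the 22:00 to 04:00 window described earlier, a constructed LAN client address, and that `pfctl`, `date` and `logger` are available on the firewall; it kills only that host's states rather than flushing the whole state table, so other traffic through the box keeps flowing.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): run every minute from cron,
# kill the pf states of one LAN host at the FAP window edges so its new
# connections pick up the policy-routed gateway instead of riding on states
# bound to the old one.
# Assumptions: runs as root on the pfSense box; HOST is a constructed sample
# address; WINDOW_START/WINDOW_END are hours in the firewall's local time.
HOST="${HOST:-192.168.1.50}"
WINDOW_START=22   # hour the satellite window opens
WINDOW_END=4      # hour it closes (wraps past midnight)

# True (exit 0) when hour 0-23 lies inside a window that may wrap midnight.
in_fap_window() {
    h=$1
    if [ "$WINDOW_START" -gt "$WINDOW_END" ]; then
        [ "$h" -ge "$WINDOW_START" ] || [ "$h" -lt "$WINDOW_END" ]
    else
        [ "$h" -ge "$WINDOW_START" ] && [ "$h" -lt "$WINDOW_END" ]
    fi
}

# True only in the first minute of the window and the first minute after it,
# so running this script every minute flushes exactly twice a day.
is_boundary() {
    h=$1; m=$2
    [ "$m" -eq 0 ] && { [ "$h" -eq "$WINDOW_START" ] || [ "$h" -eq "$WINDOW_END" ]; }
}

# Kill states originating from HOST only; "pfctl -F states" would drop every
# connection through the firewall, which is the outage a full reset causes.
flush_host_states() {
    pfctl -k "$1"
}

main() {
    hour=$(date +%H); minute=$(date +%M)
    hour=${hour#0}; minute=${minute#0}   # drop leading zero ("08" is not octal)
    if is_boundary "$hour" "$minute"; then
        if in_fap_window "$hour"; then side="entering"; else side="leaving"; fi
        logger -t sat-window "$side satellite window: flushing states for $HOST"
        flush_host_states "$HOST"
    fi
}

# Only act when invoked with --run, e.g. from cron:  * * * * * /root/sat-window.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```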

  • What you are seeing is normal intended behaviour.  I am sure you can kill the traffic, but the failover is always gradual so that stuff just keeps working.

    I don't want filter reloads at work to shoot down the box.

  • If you are using schedules and policy-routing rules it should be fixed in the last snapshots.