Netgate Discussion Forum

Unable to select gateway group in static route

Routing and Multi WAN
5 Posts 3 Posters 2.0k Views

NickFree, Mar 18, 2020, 10:11 AM (last edited Mar 18, 2020, 10:16 AM)

Hi,
I have a pfSense with a single WAN and two IPsec tunnels connected to a remote host. The remote host has two different WANs, so we have two IPsec tunnels up.
I need to create a static route to the remote subnet that will use both IPsec tunnels and manage failover. So I created a gateway group with the two IPsec gateways (the fastest as tier 1, the backup as tier 2), and now I need to create a static route that sends traffic to the remote gateway group. But in the static route I can only select single gateways (the two I defined as remote gateways via the two IPsec tunnels); I can't select the gateway group.

So how can I manage routing to the remote endpoint in this scenario? What's wrong in my configuration?
Thanks

P.S. My IPsec tunnels are routed...

viragomann, Mar 18, 2020, 3:06 PM

Gateway groups cannot be used in static routes. You have to direct the traffic by policy routing rules.

jimp (Rebel Alliance Developer, Netgate), Mar 18, 2020, 3:28 PM

You will need to use a dynamic routing protocol for that, like BGP or OSPF, on both IPsec tunnels on both endpoints.

Otherwise you can't be sure the other side will route back the same way.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

NickFree @jimp, Mar 24, 2020, 9:30 AM

@jimp I'm sure the other side routes the same way, because I have two tunnels and if a tunnel is down the other side will route on the remaining one only, of course. It's a Fortigate; I'm sure about what it is doing. Is OSPF mandatory to perform this with pfSense, or was it a suggestion related to this possible problem?

I'm not using OSPF because I do not want to propagate to the pfSense node the entire routing area that the Fortigate knows. I only need the pfSense to know the local subnet of the FG and vice versa. Is there any way to perform this?

jimp (Rebel Alliance Developer, Netgate), Mar 30, 2020, 1:57 PM

You will need a routing protocol of some kind; there isn't likely to be any other way connecting to a third party could manage two separate tunnels which are up all the time.

The failover is much slower, but you could maybe get away with only having one tunnel set to use a hostname for the remote gateway, and Dynamic DNS on the Fortigate side set to switch the hostname depending on which WAN is preferred at the time. That's assuming Fortigate supports that kind of function for Dynamic DNS.

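An added example, not from the thread and not Netgate's or the FRR package's own configuration: an FRR bgpd fragment for the pfSense side of the two routed IPsec tunnels, assuming the FRR package is installed and that all addresses, AS numbers and names are the constructed values listed in the comments. It does what jimp recommends (a routing protocol on both tunnels) while meeting NickFree's requirement that only the two LAN subnets are exchanged: prefix-lists limit what is accepted and advertised, and local-preference makes tunnel 1 the preferred path with tunnel 2 as automatic fallback.

```frr
! Added example, not from the thread: FRR bgpd fragment for the pfSense side.
! All values are constructed assumptions:
!   pfSense AS 65001, Fortigate AS 65002
!   tunnel 1 (primary, tier 1): local 10.255.0.1/30, peer 10.255.0.2
!   tunnel 2 (backup,  tier 2): local 10.255.1.1/30, peer 10.255.1.2
!   pfSense LAN 192.168.10.0/24, Fortigate LAN 192.168.20.0/24
!
! Only the one remote subnet is accepted and only the one local subnet is
! advertised, so nothing else from the Fortigate's routing domain leaks in.
ip prefix-list FROM-FG seq 10 permit 192.168.20.0/24
ip prefix-list TO-FG seq 10 permit 192.168.10.0/24
!
! Higher local-preference wins: routes learned over tunnel 1 are preferred;
! tunnel 2 takes over automatically when the tunnel 1 session drops.
route-map T1-IN permit 10
 set local-preference 200
route-map T2-IN permit 10
 set local-preference 100
!
router bgp 65001
 bgp router-id 10.255.0.1
 ! Short keepalive/hold timers so a dead tunnel is noticed in seconds,
 ! not after the 180-second default hold time.
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.2 description tunnel1-primary
 neighbor 10.255.0.2 timers 5 15
 neighbor 10.255.1.2 remote-as 65002
 neighbor 10.255.1.2 description tunnel2-backup
 neighbor 10.255.1.2 timers 5 15
 !
 address-family ipv4 unicast
  network 192.168.10.0/24
  neighbor 10.255.0.2 prefix-list FROM-FG in
  neighbor 10.255.0.2 prefix-list TO-FG out
  neighbor 10.255.0.2 route-map T1-IN in
  neighbor 10.255.1.2 prefix-list FROM-FG in
  neighbor 10.255.1.2 prefix-list TO-FG out
  neighbor 10.255.1.2 route-map T2-IN in
 exit-address-family
```

The Fortigate end needs the mirror image (its own LAN advertised, the pfSense LAN accepted, and a preference for tunnel 1) so that return traffic takes the same tunnel, which is the asymmetry jimp warns about.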
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.