Unable to select gateway group in static route

  • Hi,
    I have a pfSense with a single WAN and two IPSEC connected to a remote host. The remote host has two different WANs so we have two IPSEC up.
    I need to create a static route to the remote subnet that will use both the IPSEC and manage failover. So I created a gateway group with the the IPSEC (most fast as tier 1, the backup as tier 2) and now I need to create a static route that sends traffic to the remote gateway group. But in static route I can select single gateways (the two I defined as remote gateway via the two IPSEC tunnel), but I can't select the gateway group.

    So how wan I manage routing to the remote endpoint in this scenario? What's wrong in my configuration?

    p.s my IPSEC are routed...

  • Gateway groups cannot be used in static routes. You have to direct the traffic by policy routing rules.

  • Rebel Alliance Developer Netgate

    You will need to use a dynamic routing protocol for that, like BGP or OSPF, on both IPsec tunnels on both endpoints.

    Otherwise you can't be sure the other side will route back the same way.

  • @jimp I'm sure the other way route same way, because I've two tunnels and I if a tunnel is down the other side will route on the remaining one only, of course. It's a Fortigate, I'm sure about what is doing. Is OSPF mandatory to perform this with pfSense, or was a suggestion related to this possible problem?

    I'm not using OSPF because I do not want to propagate to the pfSense node the entire routing area that the Fortigate know. I only need that the pfSense know the local subnet of the FG and vice-versa. Is there any way to perform this?

  • Rebel Alliance Developer Netgate

    You will need a routing protocol of some kind, there isn't likely to be any other way connecting to a third party could manage two separate tunnels which are up all the time.

    The failover is much slower but you could maybe get away with only having one tunnel set to use a hostname for the remote gateway, and Dynamic DNS on the Fortigate side set to switch the hostname depending on which WAN is preferred at the time. That's assuming Fortigate supports that kind of function for Dynamic DNS.

Log in to reply