How to make pfsense box use different route to the default gateway
-
** not sure if this belongs here as a multi-wan routing issue, or under the VPN **
I have
- 2 x VPNs in a gateway pool - as the default route (hard down configured switching)
- only exception services routed via the WAN
- resolver is configured to go over the wan interface only (but doesn't seem to impact the issue if including the VPNs or not)
If both services are up, or one of them drops but subsequently recovers, everything works fine.
The problem is, if both VPNs should go down at the same time,
it is not possible for the gateway to come back up because it loses the default route.- the vpns are configured with the hostname (as it is a pool) rather than individual IPs
I suspect, when both services go down,
the default route is gone and openvpn is unable to resolve the hostnames to re-establish the connection.
but i want to block general internet access if the vpn is down, therefore i don't include the wan in the pool.If my suspension is correct, how can i make openvpn local to the localhost has dns server, or what else might be causing this
*** please see update below ***
-
Hello!
Would it work to let the WAN be the default route and then policy route all of your VPN gateway group traffic?
John
-
I have confirmed the dns is resolved for the OpenVPN client on the pfsense box, as is name resolution from the CLI.
The problem is:
The pfsense box wants to use the default gateway for routing, but the gateway is down.... so it can't find a way out.I need to specify the pfsense box to route via the WAN as it's gateway, while everything else uses the default gateway of the being the gateway pool.
Only thing is; i can't figure out how to make my the pfsense box use WAN as it's gateway, instead of the default gateway.
-
Have you tried a static route for the DNS server(s) to route via the WAN?
-
@JohnKap I don't see how to do that from the gui.
destination network
gateway
disabled
descriptionare the only options.
in this case, i would need to specify the source address as the localhost
seems to be related to this
https://redmine.pfsense.org/issues/5476 -
Hello!
If not a static route, then maybe a floating rule out from This Firewall.
You may run into the redmine issue you linked or a similar recent issue discussed here :https://forum.netgate.com/topic/153691/problems-with-the-this-firewall-self-pf-macro-in-a-floating-rule-on-a-system-with-two-discreet-wan-interfaces/6
Both of those topics seem to contemplate multi WAN gw group environments. It sounds like you only have a single WAN interface.
John
-
- I have a single wan interface and 2x vpn failover connections.
- i created a floating block rule for icmp from any to any
- i then run ping and traceroute -i and the blocked source address is the openvpn client address from the tier 1 connection
- i then set the rule to pass icmp via WAN from the VPN1 address, but ping just hangs and traceroute times out
-
@gwaitsi hmmm. so i set the default gateway to automatic instead of the gateway pool and it seems to have solved the problem. The pf box now defaults over the wan, and the policies are correctly working. so i am happy.