    How to make pfsense box use different route to the default gateway

    Routing and Multi WAN
      gwaitsi last edited by gwaitsi

      ** not sure if this belongs here as a multi-wan routing issue, or under the VPN **

      I have

      • 2 x VPNs in a gateway pool - as the default route (hard down configured switching)
      • only exception services routed via the WAN
      • resolver is configured to go over the wan interface only (but doesn't seem to impact the issue if including the VPNs or not)

      If both services are up, or one of them drops but subsequently recovers, everything works fine.

      The problem is, if both VPNs should go down at the same time,
      it is not possible for the gateway to come back up because it loses the default route.

      • the vpns are configured with the hostname (as it is a pool) rather than individual IPs

      I suspect, when both services go down,
      the default route is gone and OpenVPN is unable to resolve the hostnames to re-establish the connection.
      But I want to block general internet access if the VPN is down, therefore I don't include the WAN in the pool.

      If my suspicion is correct, how can I make OpenVPN use the localhost as its DNS server, or what else might be causing this?

      *** please see update below ***

        serbus last edited by

        Hello!

        Would it work to let the WAN be the default route and then policy route all of your VPN gateway group traffic?

        John

          gwaitsi last edited by gwaitsi

          I have confirmed the dns is resolved for the OpenVPN client on the pfsense box, as is name resolution from the CLI.

          The problem is:
          The pfSense box wants to use the default gateway for routing, but the gateway is down, so it can't find a way out.

          I need to specify the pfSense box to route via the WAN as its gateway, while everything else uses the default gateway, which is the gateway pool.

          Only thing is, I can't figure out how to make the pfSense box use WAN as its gateway, instead of the default gateway.

            JohnKap last edited by

            Have you tried a static route for the DNS server(s) to route via the WAN?

              gwaitsi @JohnKap last edited by gwaitsi

              @JohnKap I don't see how to do that from the gui.

              destination network
              gateway
              disabled
              description

              are the only options.

              In this case, I would need to specify the source address as the localhost.

              Seems to be related to this:
              https://redmine.pfsense.org/issues/5476

                serbus last edited by serbus

                Hello!

                If not a static route, then maybe a floating rule out from This Firewall.
                You may run into the redmine issue you linked or a similar recent issue discussed here:

                https://forum.netgate.com/topic/153691/problems-with-the-this-firewall-self-pf-macro-in-a-floating-rule-on-a-system-with-two-discreet-wan-interfaces/6

                Both of those topics seem to contemplate multi WAN gw group environments. It sounds like you only have a single WAN interface.

                John

                  gwaitsi @serbus last edited by

                  @serbus

                  • I have a single WAN interface and 2x VPN failover connections.
                  • I created a floating block rule for ICMP from any to any.
                  • I then ran ping and traceroute -i, and the blocked source address is the OpenVPN client address from the tier 1 connection.
                  • I then set the rule to pass ICMP via WAN from the VPN1 address, but ping just hangs and traceroute times out.
                    gwaitsi @gwaitsi last edited by

                    @gwaitsi Hmmm. So I set the default gateway to automatic instead of the gateway pool and it seems to have solved the problem. The pf box now defaults over the WAN, and the policies are correctly working. So I am happy.

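An added health check for the failure mode this thread describes (not code from the thread or from pfSense): it parses the IPv4 routing table as printed by `netstat -rn -f inet` on a pfSense/FreeBSD box and reports whether the default route currently goes via the WAN, via an OpenVPN client interface, or is missing entirely, which is the state the box ends up in when both VPN gateways drop. The WAN interface name em0 and the sample tables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a defender-side health check for the
# failure mode discussed above (both VPN gateways down, so the box has no
# default route and OpenVPN cannot resolve its remote hostname to reconnect).
# It parses the IPv4 routing table as printed by `netstat -rn -f inet` on
# pfSense/FreeBSD (columns: Destination Gateway Flags Netif Expire).

# Print the Netif of the "default" route read from stdin; prints nothing
# when the table has no default route.
default_route_iface() {
    awk '$1 == "default" { print $4 }'
}

# Classify the routing table on stdin. $1 is the WAN interface name
# (assumed to be em0 in the samples below; adjust for your box).
# Output: wan | vpn | none | other
classify_default_route() {
    iface=$(default_route_iface)
    case "$iface" in
        "")      echo none ;;
        "$1")    echo wan ;;
        ovpnc*)  echo vpn ;;
        *)       echo other ;;
    esac
}

# Constructed sample tables for offline testing.
SAMPLE_VPN_UP='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#7             U        ovpnc1
192.168.1.0/24     link#1             U           em0'

SAMPLE_ALL_DOWN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
192.168.1.0/24     link#1             U           em0
203.0.113.0/24     link#1             U           em0'

SAMPLE_WAN_DEFAULT='Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
192.168.1.0/24     link#1             U           em0'

# Live use on the firewall, e.g. from a cron job that logs the result:
#   netstat -rn -f inet | classify_default_route em0
```

A result of "none" while OpenVPN is still trying to reconnect is the deadlock described in this thread; with the default gateway set to automatic, the same check should report "wan" instead.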

© 2021 Rubicon Communications, LLC