Issue with Dual-WAN failover prevention


  • I need to run my SG-3100 Dual-WAN without failover. I'd take failover if failback worked but I digress... I read that failover can occur unless you check "Do not create rules when gateway is down" in System/Advanced/Miscellaneous. I experimented with this option and discovered that when the ISP on port OPT1 is disconnected, none of the nodes on VLANs using OPT1 as a gateway can ping the SG-3100 or access its WebUI. These nodes have proper IP addresses. The nodes on VLANs using port WAN as a gateway do not experience this SG-3100 access issue during this time.

    Is this expected? Is it correct behavior?

  • I'm using the SG-3100 for some sites with Dual WAN Failover and some with 3-WAN or even 4-WAN Failover, and Failback works as expected.
    What exactly is not working for you?

    -Rico


  • Sorry. When I disconnect the cable to OPT1 (connected to the modem of my second ISP), none of the VLANs gatewayed to OPT1 can access pfSense.

  • Do you policy route?
    You need to bypass policy routing for other local interfaces. Make a rule above your policy routing rule to hit your local networks.
    See https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html (Bypassing Policy Routing)

    -Rico


  • I do. I needed to add an early rule that passes traffic destined for This Firewall. With that, all is good.

    Thank you.
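An added illustration (not from the thread or from pfSense itself) of the ordering Rico describes: a toy first-match model of one VLAN's rules, showing why the policy-routing rule alone drops traffic to the firewall when OPT1 is down and rule creation is skipped, and why a bypass rule placed above it restores access. The addresses, rule names and the OPT1_GW label are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed values: the SG-3100's address on the VLAN and a public host.
FIREWALL_ADDRS = {ip_address("192.168.10.1")}
INTERNET_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Rule:
    name: str
    to_firewall_only: bool   # True: matches only traffic to "This Firewall"
    gateway: Optional[str]   # policy-routing gateway, or None for normal routing


def build_ruleset(opt1_up: bool, skip_rules_when_down: bool, bypass_rule: bool) -> list[Rule]:
    """Rules pfSense would load on the VLAN, top to bottom.

    With "Do not create rules when gateway is down" enabled, the policy-routing
    rule is not generated while OPT1 is down, so nothing below the (optional)
    bypass rule matches and traffic falls to the default deny."""
    rules: list[Rule] = []
    if bypass_rule:
        rules.append(Rule("pass to This Firewall", True, None))
    if opt1_up or not skip_rules_when_down:
        rules.append(Rule("pass any via OPT1_GW", False, "OPT1_GW"))
    return rules


def evaluate(rules: list[Rule], dst: str) -> tuple[str, Optional[str]]:
    """First matching rule wins; no match means pfSense's default deny."""
    for r in rules:
        if r.to_firewall_only and ip_address(dst) not in FIREWALL_ADDRS:
            continue
        return ("pass", r.name)
    return ("deny", None)


if __name__ == "__main__":
    for bypass in (False, True):
        rules = build_ruleset(opt1_up=False, skip_rules_when_down=True, bypass_rule=bypass)
        print(f"bypass={bypass}: to firewall -> {evaluate(rules, '192.168.10.1')}")
```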