Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    3 vpn load balanced connections in dual failover wan?

    Routing and Multi WAN
    2
    3
    357
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      valepe69
      last edited by

      I'd like to create three load balanced VPN connections (I'm seeing AirVPN, it permits up to five simultaneous connections).
      But these load balanced group should go through a dual wan in failover mode (two internet connections).

      Is it possible?

      1 Reply Last reply Reply Quote 0
      • W
        why
        last edited by

        Yes

        I posted almost identical set up to what you are looking for in response to another user here.

        Hopefully it should make sense if you are familiar with....
        Create/Assign Interfaces and the Gateway_Groups page at.... " System -> Routing -> Gateway_Groups" .

        I saw another post yesterday about the secondary WAN not reverting back to principle WAN when reconnected, and someone offered a script to solve it. I need to find it again in order to link to it. Will update if I find, test and confirm it works to fix the problem.

        Hope this is useful.

        Behavior

        Main WAN connection = DHCP with 3 VPN clients sharing traffic. Any failing VPN is dropped and load shared over remaining two. (Redunancy between VPN's)

        Pull WAN cable => connection fails over to LTE Wireless and VPN's re-establish connection. ...Takes a couple of minutes but it works.

        Reconnect WAN cable => DHCP connection always comes UP but it doesn't always switch back from LTE to PPPoE.

        Configuration:

        5 interfaces assigned

        • WAN_DHCP - Vendor A : Monitor 1.1.1.1
        • VPN1 - At Vendor B - server X, port 80 : Monitor 4.2.2.1
        • VPN2 - At Vendor B - server Y, port 443 : Monitor 4.2.2.2
        • VPN3 - At Vendor B - server Z, port 1194 : Monitor 4.2.2.3
        • WAN_LTE - Vendor C : Monitor 1.0.0.1

        All are "UP"

        System -> Routing -> Gateway Groups

        • VPN_GROUP => VPN1 (Tier 3) + VPN2 (Tier 3) + VPN3 (Tier 3) Trigger Level = Packet Loss or High Latency

        • WAN_GROUP => WAN_DHCP (Tier 1) + WAN_LTE (Tier 5) Trigger Level = Member Down

        Firewall -> Rules --> add pass rules for internet traffic using "VPN_GROUP" gateway

        System -> Routing -> select Default Gateway IPv4 = "WAN_GROUP"

        System -> Package Manager -> Service Watchdog -> Added all VPN clients + dpinger Gateway Monitoring Demon + DNS Resolver (..... not sure if this is necessary but thought it useful to ensure service watchdog was watching those services that are likely impacted by switching WAN gateways).

        V 1 Reply Last reply Reply Quote 0
        • V
          valepe69 @why
          last edited by

          @why at the end is more or less the same setup that I did.
          I started from nguvu guide and adapt to dual-wan failover.
          Until now (finger cross) all tests I did the wan switch always worked (but I had to remove the persist-tun option otherwise the vpn connections didn't change wan).

          Two things: now the VPN gateways monitored IPs are the gateways itself and I have a different tier numbering:

          • wan failover: wan1 is tier 1 and wan2 is tier 2
          • vpn balancing: all in tier 1
          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.