Netgate Discussion Forum
    Multi-WAN + MultiVPN failover - is it allowed?

    Routing and Multi WAN
    4o4rh:

      If I have
      WAN1 - GW1 (WAN1 - T1, WAN2 - T2) - member down
      WAN2 - GW2 (WAN2 - T1, WAN1 - T2) - member down

      VPN1 - Interface: GW1
      VPN2 - Interface: GW2

      VPNGW - (VPN1 - T1, VPN2 - T2) - member down

      Is this a valid config to give me redundant VPN with redundant WAN?
      Will a config like this introduce any problems I should know about?

      why (replying to @4o4rh):

        @gwaitsi

        My guess would be "likely yes" based on the below, but I used different Tiers in each Gateway Group... (to avoid any potential conflicts that might not even be there!)

        I have VPN redundancy and WAN failover in a slightly different way but it uses similar Gateway group mechanism.

        Might be useful to detail here, but it doesn't answer specific question about your config.

        Behavior

        Main WAN connection = DHCP with 3 VPN clients sharing traffic. Any failing VPN is dropped and load shared over the remaining two. (Redundancy between VPNs)

        Pull WAN cable => connection fails over to LTE Wireless and VPNs re-establish connection. ...Takes a couple of minutes but it works.

        Reconnect WAN cable => DHCP connection always comes UP but it doesn't always switch back from LTE to PPPoE.

        Configuration:

        5 interfaces assigned

        • WAN_DHCP - Vendor A : Monitor 1.1.1.1
        • VPN1 - At Vendor B - server X, port 80 : Monitor 4.2.2.1
        • VPN2 - At Vendor B - server Y, port 443 : Monitor 4.2.2.2
        • VPN2 - At Vendor B - server Z, port 1194 : Monitor 4.2.2.3
        • WAN_LTE - Vendor C : Monitor 1.0.0.1

        All are "UP"

        System -> Routing -> Gateway Groups

        • VPN_GROUP => VPN1 (Tier 3) + VPN2 (Tier 3) + VPN3 (Tier 3)
          Trigger Level = Packet Loss or High Latency

        • WAN_GROUP => WAN_DHCP (Tier 1) + WAN_LTE (Tier 5)
          Trigger Level = Member Down

        Firewall -> Rules --> rules access internet via VPN_GROUP gateway

        System -> Routing -> Default Gateway IPv4 = WAN_GROUP

        System -> Package Manager -> Service Watchdog -> Added all VPN clients + dpinger Gateway Monitoring Daemon + DNS Resolver

        Hope this is useful.
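        As an added illustration (not code from this thread or from pfSense itself), a small Python model of the tiered gateway-group selection the reply relies on: the members of the lowest-numbered tier that still has a usable member carry traffic, members in the same tier load-balance, and the Trigger Level decides which dpinger states exclude a member. It runs both the layout in this reply and the nested layout from the question; it models selection only, not OpenVPN client reconnect timing, and the gateway names and states are constructed for the example.

```python
# Gateway states as dpinger reports them: "loss"/"latency" are the
# Packet Loss / High Latency warning states, "down" is Member Down.
OK, LOSS, LATENCY, DOWN = "online", "loss", "latency", "down"

# States that each Trigger Level treats as "exclude this member".
TRIGGERS = {
    "Member Down": {DOWN},
    "Packet Loss": {DOWN, LOSS},
    "High Latency": {DOWN, LATENCY},
    "Packet Loss or High Latency": {DOWN, LOSS, LATENCY},
}

def active_members(members, trigger, status):
    """members: {gateway: tier}. Returns the gateways carrying traffic: every
    usable member of the lowest-numbered tier that still has one. Same-tier
    members load-balance; a tier fails over only when all of it is excluded."""
    usable = {gw: tier for gw, tier in members.items()
              if status.get(gw, DOWN) not in TRIGGERS[trigger]}
    if not usable:
        return []
    best = min(usable.values())
    return sorted(gw for gw, tier in usable.items() if tier == best)

# The reply's layout: three equal-tier VPNs share load, WAN fails over.
def answer_layout(status):
    return {
        "VPN_GROUP": active_members({"VPN1": 3, "VPN2": 3, "VPN3": 3},
                                    "Packet Loss or High Latency", status),
        "WAN_GROUP": active_members({"WAN_DHCP": 1, "WAN_LTE": 5},
                                    "Member Down", status),
    }

# The question's layout: each VPN client is bound to a WAN gateway group, so
# its tunnel is modelled as up only while that group still has an active member.
def question_layout(status):
    gw1 = active_members({"WAN1": 1, "WAN2": 2}, "Member Down", status)
    gw2 = active_members({"WAN2": 1, "WAN1": 2}, "Member Down", status)
    vpn = {"VPN1": OK if gw1 else DOWN, "VPN2": OK if gw2 else DOWN}
    vpngw = active_members({"VPN1": 1, "VPN2": 2}, "Member Down", vpn)
    return {"GW1": gw1, "GW2": gw2, "VPNGW": vpngw}

if __name__ == "__main__":
    healthy = {g: OK for g in ("VPN1", "VPN2", "VPN3", "WAN_DHCP", "WAN_LTE")}
    print(answer_layout(healthy))                    # all three VPNs active
    print(answer_layout({**healthy, "VPN2": LOSS}))  # VPN2 dropped from group
    # WAN cable pulled: only Member Down triggers, so LTE with loss still serves.
    print(answer_layout({**healthy, "WAN_DHCP": DOWN, "WAN_LTE": LOSS}))
    print(question_layout({"WAN1": DOWN, "WAN2": OK}))  # both tunnels ride WAN2
```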

        why (replying to @why):

          Forgot to say it's version 2.5.0.

          ... and there's a typo in the interface list: the second "VPN2" should be "VPN3".

          4o4rh (replying to @why):

            @why thanks, it seems there wasn't/isn't anything fundamentally wrong with what I am doing then. It was working, but I started having a problem with SMTP clients on Windows / Linux, which is why I was asking.

            But it seems to be a problem with setting the default route of the rule to a gateway group. I just don't understand why it has started over the last week.

            https://forum.netgate.com/topic/161496/smtp-fails-over-gateway-wan-or-vpn

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.