Netgate Discussion Forum

    Failover group with 2 WANs as default gateway not moving to tier 2 WAN

    • SipriusPT

      Hello everyone,

      I have an odd situation here where I have a failover group, with 2 WANs, that was set as default gateway. For the first time I am using a Monitor IP different from the one that is being assigned for the pfSense NIC. In this case the ISP GW of each internet access.

      This is the schematic:

      REDE HA WAN SIDE.drawio (1).png

      While testing this setup, on FIREWALL A1 (aka main node) I noticed that my current firewall rules that have the default gateway were not routing to tier 2 when tier 2 was changed to the default gateway on pfSense.

      If I set the tier 2 interface as the gateway directly in the rules, I am able to use that gateway (internet access), but if I leave it as default, it goes to the tier 1 interface.

      From pfSense I am also unable to ping the internet from the automatically chosen interface; only by choosing the WAN interface in tier 2 was I able to ping.

      This is my current setup:

      Screenshot_14.png
      Screenshot_13.png
      Screenshot_12.png
      Screenshot_11.png

      Do any of you know what could be messing with this?

      Thanks in advance!

      1xSG-4860-1U
      1xSG-3100
      2xpfSense Virtual Machines

      • SipriusPT @SipriusPT

        I didn't mention it, but it also works if I assign the gateway group as the gateway in the rules, but using the default option, no luck.

        In other words, the gateway group is working, but pfSense is not assuming that gateway group as the default one, and I really don't know why.

        • SipriusPT @SipriusPT

          If I set the tier to never on that WAN_ROUTERA_WAN1_GW, and disable that gateway, the pfSense system finally moves to that tier 2 WAN_ROUTERA_WAN2_GW. If I enable it, it moves back again to WAN_ROUTERA_WAN1_GW even though it is not in that gateway group.

          I've already recreated those gateways and that gateway group, but got the same outcome. Damn, am I missing something here?!

          • SipriusPT @SipriusPT

            After trying to list packages of the pfSense repo and update the system, I saw that everything was working as expected with that GW group.

            Not sure why both nodes were not routing my pings to 1.1.1.1 to the higher available gateway in that gateway group; only when disabling that gateway manually would those pings use the other GW.

            Thanks anyway.

            • SipriusPT @SipriusPT

              So it was routing those pings to 1.1.1.1 through the wrong GW because of the "DNS server" setting on "General Setup" for that GW. After changing it to 1.0.0.1, I was able to use the default gateway while doing a ping for that IP from the tier 2 GW, as expected.

              I've wasted like 5 hours digging into this ...

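The situation in the last post, as an added example that is not part of the thread: when a DNS server in General Setup has a gateway selected, pfSense installs a host route to that server through that gateway, so a ping to the same IP does not follow the default gateway group. The sketch assumes config.xml stores the servers as repeated `<dnsserver>` elements with per-server `<dnsNgw>` gateway fields; the sample config and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's configuration. Assumed layout: DNS
# servers are repeated <dnsserver> elements under <system>, and the gateway
# selected for the Nth server is in <dnsNgw> ("none" means not pinned).
SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>1.1.1.1</dnsserver>
    <dnsserver>9.9.9.9</dnsserver>
    <dns1gw>WAN_ROUTERA_WAN1_GW</dns1gw>
    <dns2gw>none</dns2gw>
  </system>
</pfsense>"""


def pinned_dns_routes(config_xml):
    """Map each DNS server IP to the gateway it is pinned to, if any."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        return {}
    routes = {}
    for n, server in enumerate(system.findall("dnsserver"), start=1):
        gateway = (system.findtext(f"dns{n}gw") or "none").strip()
        ip = (server.text or "").strip()
        if ip and gateway.lower() != "none":
            routes[ip] = gateway
    return routes


def check_probe_targets(config_xml, probes):
    """Return {probe_ip: gateway or None}.

    A gateway name means the probe follows the pinned host route, so the
    result of pinging it says nothing about default-gateway failover.
    """
    routes = pinned_dns_routes(config_xml)
    return {ip: routes.get(ip) for ip in probes}


if __name__ == "__main__":
    results = check_probe_targets(SAMPLE_CONFIG, ["1.1.1.1", "1.0.0.1"])
    for ip, gateway in results.items():
        if gateway:
            print(f"{ip}: pinned to {gateway}, pick another failover test target")
        else:
            print(f"{ip}: follows the default gateway")
```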
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.