Help on Simple FailOver Scenario (Dual Wan)



  • Hi,

    I'm trying to build a failover FW with pfSense 1.2.3-RC1 but I can't figure out what I am doing wrong.

    • LAN goes through WAN
    • LAN1 goes through WAN1
    • When WAN fails, LAN goes through WAN1

    So the FailOver Pool:

    I first monitor WAN1|DNS2 and then WAN|DNS1

    The LAN rules are also very simple:

    Allow all from LAN to WAN1_Subnet via WAN
    Allow all from LAN to LAN_Subnet via WAN1
    Allow all from LAN to ANY via WANFailstoWAN1

    My NAT Advanced Outbound looks like:

    I have users plugged into both LANs so I need to NAT each one, and the FailOver too, so the LAN users get 'natted' via WAN1 (right?)

    The Static Routes for DNS:

    And finally, when I unplug the WAN cable, I can see the link off:

    Well I think it's all. I really can't see what's wrong here. Help would be very very appreciated.

    Thanks in advance

    Best Regards



  • I don't understand it either, so I'll just try and address some basic issues.

    1. Your description says WAN fails to WAN1, but OPT is first in the list. If you read the page, it says " Failover order: top down".
    2. Simple LAN rules would be to take the default rule and change the gateway. I don't understand what you are doing there. What does LAN > WAN2 | WAN mean??
    3. AON: you would need four rules: LAN via WAN, LAN via WAN2, LAN2 via WAN, LAN2 via WAN2.
    4. If you are trying to run dual-wan behind two crappy nat routers you are going to have issues. My advice would be to change the configuration so your WANs have real IPs.


  • Letting us know what's actually happening would be helpful :P You've described your setup fairly well, but we don't know how it's behaving or how that differs from what you expect.

    Also, the 'WAN1 net' rule should not have a gateway; the system routing tables will take care of this automatically because pfSense is directly connected to this network, and as long as the traffic is allowed by the rule you don't need to specify the gateway. You generally shouldn't have gateways in your rules unless you want to modify the default behaviour or use load balancing/failover. Just the default rule with the failover gateway should suffice for what you're trying to accomplish, I think. Your rule for destination 192.168.0.0/24 also doesn't make any sense - isn't this your LAN subnet?

    I echo all of dotdash's comments. Since you've masked your internal NAT'd WAN IPs (why would you do this, they're internal…), I can't tell - but if both of these use the same subnet, dual WAN is not going to work. You'll also have issues if either of them use the same subnet as any of your LANs. Either move them to different subnets or preferably get a real IP for each WAN link on pf. I suspect this is your problem based on my guesswork about your addressing by the way you've named the rules.

    Your configuration looks generally correct to me though aside from these comments (as in it should be working as long as the subnets are different), so I expect the 'problem' may just be that your expectations differ from how you've configured it.
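The two checks the replies above ask for (dotdash's point that a failover pool is evaluated top-down, and the warning that two WANs or a WAN and a LAN on the same subnet will not work) can be scripted before touching the firewall. The following is an added example, not code from the thread or from pfSense; the addresses are constructed (the original post masked its WAN IPs), and the pool and interface structures are a plain-Python model of what the pfSense pages show, not the pfSense configuration format.

```python
import ipaddress

# Constructed sample addressing plan (hypothetical values, not the poster's real ones).
# WAN and WAN1 sit behind two NAT routers that hand out the same private subnet,
# which is exactly the situation the replies warn about.
INTERFACES = {
    "LAN":  "192.168.0.1/24",
    "LAN1": "192.168.1.1/24",
    "WAN":  "192.168.100.2/24",
    "WAN1": "192.168.100.3/24",
}

# Failover pool as the poster built it: WAN1 monitored via DNS2 is listed first.
POSTED_POOL = [
    {"gateway": "WAN1", "monitor": "DNS2"},
    {"gateway": "WAN",  "monitor": "DNS1"},
]

# Failover pool matching the stated intent: WAN first, WAN1 only when WAN is down.
INTENDED_POOL = [
    {"gateway": "WAN",  "monitor": "DNS1"},
    {"gateway": "WAN1", "monitor": "DNS2"},
]


def overlapping_interfaces(interfaces):
    """Return every pair of interface names whose subnets overlap.

    Any overlap between a WAN and another WAN, or between a WAN and a LAN,
    breaks policy routing: the kernel cannot tell which link a reply belongs to.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    names = sorted(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append((a, b))
    return problems


def select_gateway(pool, monitor_up):
    """Model of 'Failover order: top down': the first pool member whose
    monitor target answers is used; None means every link is down."""
    for member in pool:
        if monitor_up.get(member["monitor"], False):
            return member["gateway"]
    return None


if __name__ == "__main__":
    print("Overlapping subnets:", overlapping_interfaces(INTERFACES))
    both_up = {"DNS1": True, "DNS2": True}
    wan_down = {"DNS1": False, "DNS2": True}
    print("Posted pool, both links up  ->", select_gateway(POSTED_POOL, both_up))
    print("Intended pool, both links up->", select_gateway(INTENDED_POOL, both_up))
    print("Intended pool, WAN down     ->", select_gateway(INTENDED_POOL, wan_down))
```

With both monitors answering, the posted pool already sends LAN traffic out WAN1, so "nothing happens" when the WAN cable is pulled; the intended ordering is what produces the WAN-then-WAN1 behaviour the first post describes. The overlap check flags the WAN/WAN1 pair in the constructed plan, which is the condition the third reply says will stop dual WAN from working regardless of how the rules are written.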

