Only allow certain VLANs to use the failover
Hey,
So I am trying to configure our network so that I have failover for if the main WAN drops.
I have both WANs in a gateway group, with the main WAN being tier 1 and the 5G WAN being tier 5. This all works and that's fine. Now, my network is set up in a whole set of VLANs, and I'd like only specific VLANs to be able to use the 5G failover.
The reason for this is that some VLANs are more important to keep going, whereas some VLANs we don't mind missing for a while and are not worth paying extra 5G for.
So, can I exclude certain IP ranges from this 5G failover gateway? Or perhaps exclude certain interfaces from being able to use it?
I feel like I've checked every setting in pfSense but I can't figure it out.
@apenz
You can policy route traffic with firewall rules to a specific gateway. All other packets go out the default gateway. In System > Routing > Gateways you can specify the default gateway, either the failover group or the primary WAN.
For traffic that you want to use the default gateway add a firewall pass rule to allow upstream traffic, expand the advanced options and select the desired gateway, e.g. WAN gw.
Remember that a policy routing rule directs all matching traffic to the stated gateway. Hence it does not allow access to internal destinations.
If you need this, ensure that the rule only matches outbound traffic. You can achieve this by adding an RFC1918 alias (add all private network ranges to it) and using this alias as the destination with "invert" checked in the policy routing rule. So this rule matches all destinations which are not private networks.
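An added example, not part of either post and not pfSense code: a small Python model of first-match rule evaluation for the setup in the answer above, with the default gateway set to the failover group. The gateway names `WAN_GW` and `5G_GW` and the sample addresses are made up; the `skip_rules_when_gw_down` flag models the pfSense option "Skip rules when gateway is down" (System > Advanced > Miscellaneous), whose default keeps a rule but drops its gateway while that gateway is down.

```python
import ipaddress

# The RFC1918 alias from the answer: all private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(dst):
    return any(ipaddress.ip_address(dst) in net for net in RFC1918)

def rules_for(failover_allowed):
    """Rules on one VLAN interface, evaluated top-down; first match wins."""
    if failover_allowed:
        # No gateway set: follows the default gateway (the failover group).
        return [{"dst": "any", "gateway": None}]
    return [
        # Policy route: destination NOT RFC1918, pinned to the primary WAN.
        {"dst": "!RFC1918", "gateway": "WAN_GW"},
        # Internal destinations only, normal routing table.
        {"dst": "RFC1918", "gateway": None},
    ]

def matches(rule, dst):
    if rule["dst"] == "any":
        return True
    return is_private(dst) == (rule["dst"] == "RFC1918")

def egress(rules, dst, wan_up, skip_rules_when_gw_down=False):
    """Return where a new connection to dst ends up."""
    default_gw = "WAN_GW" if wan_up else "5G_GW"  # tier 1, then tier 5
    for rule in rules:
        gw = rule["gateway"]
        if gw == "WAN_GW" and not wan_up:
            if skip_rules_when_gw_down:
                continue   # option set: the whole rule is omitted
            gw = None      # default: rule stays, gateway is dropped
        if matches(rule, dst):
            if is_private(dst):
                return "internal"
            return gw or default_gw
    return "blocked"       # no rule matched: default deny

if __name__ == "__main__":
    pinned = rules_for(failover_allowed=False)
    for skip in (False, True):
        print(skip, egress(pinned, "203.0.113.10", wan_up=False,
                           skip_rules_when_gw_down=skip))
```

In this model a VLAN pinned to the primary WAN stays off 5G during an outage only when the option is set; inter-VLAN traffic is unaffected either way because the inverted RFC1918 destination keeps it out of the policy route.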
@viragomann
Thanks for your response, to be honest I haven't played with the firewall rules yet.
In the coming week I'll see what I can figure out with the help of your reply.