Netgate Discussion Forum

    Question for static routes failover

    Routing and Multi WAN
    7 Posts 3 Posters 774 Views
    vinzcenzo

      Dear community,

      I have a routing question regarding my actual network infrastructure.

      Initially, we connected our remote Office to our HQ with an IPSec VTI connection through our WAN Internet Providers. All networks were correctly communicating together based on static routes I have defined on both sides.

      We recently configured a CWDM 1Gbps link that allows us to make a direct connection between our HQ and Remote Office without going through an internet IPSec tunnel. I then changed my static routes to use gateways that are located in an "Interco" L2 VLAN that is propagated between our two sites. This works like a charm.

      Now I would like to have some kind of failover: if the CWDM link goes down, I would like the pfSense boxes to switch automatically to the IPSec link (which is still configured and available). I can do it manually by replacing the CWDM gateways with the IPSec gateways.

      I then thought I would be able to do that by creating a gateway group, defining the CWDM gateway in Tier 1 and the IPSec gateway in Tier 2, but unfortunately a gateway group cannot be used in static routes.

      Does anybody know how I could simply achieve that with my current configuration?

      Below is a simplified schema of our infrastructure and its interconnection:
      [attached image: 15bdc450-da69-40d8-8b5f-ce3195cc7c7d-image.png]

      Many thanks in advance for your ideas and input.

      Best regards
      Vincent

      viragomann @vinzcenzo

        @vinzcenzo
        You can go with policy routing rules. In the rule you can select the gateway group.

        vinzcenzo

          @viragomann thanks for your answer.

          I already checked that (read it in another post related to failover), but was not convinced (maybe I'm wrong).

          If I understand correctly, using the policy routing group is the only way to achieve that failover?

          But it means that for each rule I created for communication with my HQ I need to manually specify the gateway group.

          It is fine when there are only a couple of rules, but by design I avoid "any-any" rules between my subnets, meaning I have hundreds of them to modify, and in terms of maintenance it's a bit painful.

          Is it as reliable as using static routes?

          Maybe a dumb question, but apart from the fact that it is not implemented in pfSense, is there a good technical reason not to allow the use of gateway groups with static routes? I should not be the only one who would like to prioritize routes in a failover scenario. 🤔

          But anyway, I will evaluate the least bad way to modify that in my environment.

          Thanks again 😉

          viragomann @vinzcenzo

            @vinzcenzo said in Question for static routes failover:

            If I understand correctly, using the policy routing group is the only way to achieve that failover?
            But it means that for each rule I created for communication with my HQ I need to manually specify the gateway group.

            Exactly.
            Maybe you can reduce your rule number by using aliases for source and destination IPs and ports.

            but apart from the fact that it is not implemented in pfSense, is there a good technical reason not to allow the use of gateway groups with static routes?

            I can think of any. Possibly static routes are meant for other purposes than this.
            Maybe @jimp can answer your question.

            vinzcenzo @viragomann

              Maybe you can reduce your rule number by using aliases for source and destination IPs and ports.

              Already done... (20 subnets, ~200 device aliases, ~50 device groups, and ~15 port groups. 🙄)

              NogBadTheBad @vinzcenzo

                @vinzcenzo Maybe look at the FRR routing daemon.

                https://www.netgate.com/resources/videos-dynamic-routing-with-frr-on-pfsense

                I think you also might need to run routed IPsec (VTI) to use FRR.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                vinzcenzo @NogBadTheBad

                  I will have a look at the video, but I don't know if it could be applicable in my case.

                  My very basic understanding of OSPF (never used it) is that it evaluates path costs across a complex network infrastructure and dynamically updates complex routing tables.

                  I have only two physical "routers" with two interfaces each:

                  1. one interface on CWDM spanned subnet
                  2. one interface on the IPSec VTI

                  I will check if I can do something with that, thanks for the input 😉

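The FRR suggestion above does apply to a two-router topology: OSPF only needs the two pfSense boxes to form adjacencies over both links, with a lower cost on the CWDM path and a higher cost on the IPsec VTI path, so that the VTI route is installed only while the CWDM neighbour is down. The configuration below is an added example written by the editor for this thread; it is not from the original post, Netgate, or the FRR project, and the interface names (igb2.100 for the Interco VLAN, ipsec1000 for the VTI), the router IDs, the transit /30s and the 10.10.0.0/16 and 10.20.0.0/16 LAN ranges are all placeholders to replace with your own. On pfSense the FRR package is driven from the Services > FRR pages; the text form shown is the vtysh-style configuration those pages correspond to.

```text
! ---- HQ pfSense (FRR ospfd), placeholder names and addresses ----
! Interco VLAN over the CWDM link: preferred path, low cost.
interface igb2.100
 description Interco L2 VLAN over CWDM (preferred)
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
! Routed IPsec (VTI) over the Internet: backup path, high cost.
interface ipsec1000
 description IPsec VTI over Internet (backup)
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 ospf router-id 10.255.0.1
 ! Only speak OSPF on the two transit links; LAN interfaces stay passive
 ! but their prefixes are still advertised.
 passive-interface default
 no passive-interface igb2.100
 no passive-interface ipsec1000
 network 10.200.0.0/30 area 0   ! Interco VLAN transit (CWDM)
 network 10.200.1.0/30 area 0   ! VTI transit (IPsec)
 network 10.10.0.0/16 area 0    ! HQ LAN subnets
!
! ---- Remote Office pfSense: mirror of the above ----
interface igb2.100
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
interface ipsec1000
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 ospf router-id 10.255.0.2
 passive-interface default
 no passive-interface igb2.100
 no passive-interface ipsec1000
 network 10.200.0.0/30 area 0
 network 10.200.1.0/30 area 0
 network 10.20.0.0/16 area 0    ! Remote Office LAN subnets
!
```

Three points matter when trying this. First, remove the existing static routes for the remote prefixes: a static route has administrative distance 1 and would always win over the OSPF route (distance 110), so failover would never happen. Second, OSPF (IP protocol 89) must be allowed by the firewall rules on both the Interco and the IPsec VTI interfaces on both boxes, or no adjacency forms. Third, because the Interco VLAN is spanned through switches, a CWDM failure usually does not bring the pfSense interface down, so detection relies on the hello/dead timers; with the 1s/3s values above the VTI route is installed about three seconds after the last hello, and "show ip ospf neighbor" and "show ip route ospf" in vtysh show which neighbour and path are currently active.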
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.