Netgate Discussion Forum
    Manual fail over with subset of devices having access

    Category: HA/CARP/VIPs
    3 Posts, 2 Posters, 336 Views
    Andrew453:

      I'd be grateful for views please on how best to accomplish the following.

      I have a Gigabit symmetrical fibre broadband connection with unlimited data, and a lot of data-hungry devices behind my pfSense box in a domestic setting.

      If that connection goes down, I want to failover to a 4G LTE connection.

      But...

      1. I want the failover to be manual (I need to know I have an issue and that I'm working off 4G)

      2. I want to limit the devices that can access the 4G connection to essential devices (e.g. a laptop or two, rather than Netflix etc.).

      What's the best way to do that please? Ideally I'd like to avoid replicating firewall rules for WAN/WAN2 and keep it simple in terms of defining the group of permitted devices.

      Many thanks in advance.

    viragomann @Andrew453:

        @Andrew453 said in Manual fail over with subset of devices having access:

        I want the failover to be manual (I need to know I have an issue and that I'm working off 4G)

        If you configure System > Advanced > Notification, pfSense will inform you anyway on a gateway failover. So if your only concern is to know which gateway is used, just configure a gateway failover group, set it as default gateway in System > Routing > Gateways and let pfSense do the failover automatically.

        If you want to do the gateway switching manually anyway, go to System > Routing > Gateways and change the default gateway.
        However, I don't know if pfSense notifies you on gateway failing based on the gateway group. Maybe.

        I want to limit the devices that can access the 4G connection to essential devices (eg a laptop or two, rather than Netflix etc).

        Create an alias and add all allowed devices to it. Add a pass rule on the internal interface to tag the connection.
        On the 4G WAN add a block rule which is triggered by the tag with "invert", so all connections which are not tagged are blocked.

    Andrew453:

          Thank you very much for your reply.

          I've managed to get it to work - thanks for your help. A couple of points:

          • I also needed to add a rule specifically to allow DNS traffic from the DNS Resolver in the firewall across the 4G WAN, otherwise DNS doesn't work (because it doesn't hit on the LAN rule).

          • In addition to changing the gateway manually (which is fine), I also need to tweak the DNS Resolver setting so that outbound requests go across the 4G WAN and not the normal WAN. Not sure if there's a way around that? If I enable both outgoing interfaces in DNS Resolver, then it seems to distribute DNS traffic even when the gateway doesn't need to failover.
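
The tag/tagged scheme viragomann describes, together with the DNS pass rule from Andrew453's first follow-up point, written as the pf.conf rules that pfSense generates behind its GUI. This is an added illustration, not configuration from this thread or from Netgate; the interface names, the alias contents and the tag name are assumed placeholders. The point it makes explicit: traffic that Unbound originates on the firewall itself never enters through the LAN interface, so it never receives the tag and would be dropped by the inverted block rule unless passed before it.

```pf
# Added example: pf.conf equivalent of the thread's tag/tagged scheme.
# Interface names, addresses and the tag name are assumed placeholders.
lan_if = "igb1"    # LAN
lte_if = "igb2"    # 4G LTE WAN (WAN2)

# The "essential devices" alias; pfSense renders aliases as pf tables
table <essential_devices> { 192.168.1.10, 192.168.1.11 }

# LAN pass rule for the alias: the tag is attached to the state, so it
# travels with the forwarded packets wherever they leave the firewall
pass in quick on $lan_if inet from <essential_devices> to any \
    tag ESSENTIAL keep state

# DNS originated by the firewall (Unbound) never hits the LAN rule and is
# therefore untagged; pass it explicitly before the block below
pass out quick on $lte_if inet proto { tcp udp } \
    from ($lte_if) to any port 53 keep state

# Floating rule, direction out, on the 4G WAN: "tagged ESSENTIAL" with
# invert is "! tagged" in pf, so anything untagged leaving via 4G is blocked
block out quick on $lte_if inet ! tagged ESSENTIAL

# Everything else on the LAN still passes (it needs the fibre WAN); it just
# carries no tag and is dropped if it is ever routed out of the 4G WAN
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

Rule order matters because pfSense interface rules are first-match (`quick`): the tagged pass must come before the catch-all LAN pass, and the DNS pass must come before the inverted block on the 4G interface. Manually changing the default gateway is what moves traffic onto the 4G WAN; these rules only decide what is allowed to leave through it.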

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.